As organizations increasingly adopt AI tools, a troubling dichotomy is emerging: while executives express confidence in their ability to manage AI-related risks, the reality on the ground tells a different story. A recent study commissioned by Okta highlights that over half of businesses have faced an AI-related security incident or scare within the past year, raising critical questions about governance and compliance in a rapidly evolving technological landscape. The core issue? Shadow AI — unapproved tools and applications in widespread use by employees, often unbeknownst to management.
The Disconnect Between Perception and Reality
The findings from Okta's AI Agents at Work 2026 report, conducted by Apprize360, illustrate a disconnect that could have serious implications for organizational cybersecurity. Among the executives surveyed, a staggering 90% expressed confidence in their visibility into AI tools being used in their organizations. Yet, corresponding responses from knowledge workers paint a starkly different picture: 58% acknowledged having experienced an AI-related security problem in the prior twelve months, with a significant portion of these incidents involving unauthorized AI tool usage.
Defining the Threat Landscape
According to Harish Peri, SVP and GM for AI Security at Okta, 52% of knowledge workers admitted to utilizing AI tools without prior approval, with 31.2% reporting near-miss incidents and 26.7% encountering actual security breaches. The types of risky behaviors observed are alarming — from sharing sensitive company documents to providing personal login credentials for AI-driven functionalities. Peri encapsulates this precarious situation: “These risky behaviors — whether intentional or not — increase the attack surface across an organization.” This is a stark reminder that while AI can enhance productivity, it also introduces new vulnerabilities.
Geographic Variations in Unapproved AI Usage
Notably, the study reveals pronounced geographic discrepancies in the rate of unsanctioned AI tool usage. Workers in the United States lead the pack, with about 67% admitting to using unapproved tools, while Australia and the UK follow closely behind at 60% and 55%, respectively. Conversely, European countries like France and Germany report lower rates, with only around 30% of workers engaging in unauthorized usage. Such variations indicate that regional culture, compliance norms, or regulatory frameworks may influence the degree of shadow AI adoption.
Challenges Surrounding Governance
The crux of the issue lies in the inadequate governance frameworks currently in place. Peri asserts that without effective oversight, organizations cannot protect their digital assets. The visibility problem stems from shadow AI emerging largely unintentionally. “For most organizations, shadow AI emerges unintentionally and isn’t intended to be malicious,” he explains, underscoring the need for a nuanced approach to governance. Rigidly banning AI tools may only drive these practices underground, worsening the potential for real breaches. Instead, organizations should engage with their employees to understand their needs and implement governance frameworks that simplify the compliant use of AI tools.
Actionable Insights for Organizations
To proactively address the shadow AI dilemma, Okta recommends that organizations prioritize the discovery of unauthorized tools and establish a robust AI governance strategy. Leaders should strive to make compliance the easier option compared to unauthorized usage, facilitating ease of access to approved tools while ensuring security measures are in place for the wider adoption of AI. In the face of these findings, executives need to recalibrate their confidence in AI usage and mitigation strategies, recognizing that a more informed and engaged workforce can ultimately contribute to a more secure digital environment.
As we navigate this complex landscape, the challenge is more than merely about controlling AI usage; it requires a fundamental culture shift within organizations. The takeaway is clear: embracing transparency and fostering a collaborative dialogue around AI use can pave the way for safer practices. Organizations that fail to recognize or act upon the realities of shadow AI do so at their peril, as risks compound when visibility is obscured.
