Shadow AI Data Leak Risk or “From the Desk of I saw that Coming”

CSO recently published an article based on a report from Harmonic about generative AI data leaks, and the findings were eye-opening. According to the report, over 8% of employee prompts to public large language models (LLMs) contained sensitive data, ranging from security and compliance issues to privacy and legal vulnerabilities. This wasn’t just a handful of slip-ups. We’re talking about more than 40,000 prompts to popular Gen AI tools like ChatGPT, Copilot, Gemini, and Claude, in the fourth quarter of 2024 alone. While most of these leaks were unintentional, with employees simply trying to save time, a staggering 46% of the leaked data included billing and authentication details.

The average user doesn’t fully understand how AI or LLMs work. Rarely do they comprehend the differences between public generative AI tools or the data those tools retain once it’s entered into the large language models they use.

The article also refers to the concept of shadow AI or semi-shadow AI - AI tools that employees use, either paid or free, without formal approval from their organization. Sometimes this is done for experimentation, other times to bypass perceived roadblocks to innovation. Either way, these unapproved tools pose a serious data security risk and are quickly becoming a leading cause of AI-related vulnerabilities.

For those of us who’ve been in tech long enough, this feels like déjà vu. Shadow IT has existed for years - back when developers or users needed a tool IT wouldn’t officially support, they’d find a way to implement it under the radar. I can’t count how many times I became a multi-platform DBA because a department set up an unsupported database under someone’s desk, only for it to eventually become business critical. IT would then have no choice but to step in and take ownership to mitigate risks.

We see the same tension in cloud environments today - a constant battle between rapid innovation and ensuring security through policies and procedures. AI, however, introduces an even greater risk. Unlike past technologies, there’s little precedent for handling AI data leaks in the legal system, and bad actors are quick to exploit vulnerabilities.

Interestingly, the article suggests that employees turn to shadow AI tools because IT isn’t providing them with the AI solutions they need. While there’s truth to this, as we’ve seen it before with software and hardware acquisitions, it doesn’t absolve employees of responsibility. There’s a big difference between giving people what they want and giving them what they need.

The article quotes a “distinguished VP and analyst at Gartner,” who seems to overlook a crucial reality: employees will do what they want, regardless of policy, if they believe it benefits them. That said, he has a point about the state of AI in enterprise products today. Just look at Apple’s iPhone settings, where an intrusive "Image Creation Tools" AI app hijacks the screen whenever you try to adjust basic settings. It’s a perfect example of how pushing AI into every product has, in many cases, made technology less usable, not more.

While the article claims IT can’t keep up with employees' AI demands, my experience tells a different story. Many AI projects fail not because IT is lagging but because AI solutions are rushed to market without proper requirements gathering. In the race to innovate, companies often skip crucial planning steps, leading to poorly implemented AI that nobody finds useful. This is why there’s an AI graveyard - a growing collection of failed AI projects that serve as cautionary tales about what happens when innovation isn’t balanced with clear objectives.

The takeaway? Be careful what you wish for. AI may give you exactly what you ask for, but in the process, it might also leak your most critical data to AI.

Kellyn Gorman, aka DBAKevlar