Microsoft: Why are UK Workers Embracing Risky ‘Shadow AI’?

12.1 billion hours and £207 billion can be saved with AI | Credit: Windows Forum
A Microsoft study finds 71% of UK employees use unauthorised AI tools at work, raising fears over data protection, cybersecurity and regulations

As employees and organisations race to embrace large language models and AI assistants to boost productivity, major security threats loom large. 

New Microsoft research reveals that 71% of UK employees have used unauthorised AI tools to complete official tasks. 

More than half of the workforce (51%) now use AI on a weekly basis to enhance productivity at work.

From drafting reports and making presentations to managing sensitive financial data, the use of these tools has now become the new normal, much to the fear of cybersecurity experts.

"Only enterprise-grade AI delivers the functionality that employees want", Darren Hardman, CEO of Microsoft UK & Ireland | Credit: Microsoft

The research also found that the use of AI tools saves an average of 7.75 hours per week. 

According to Dr Chris Brauer, Director of Innovation at Goldsmiths, University of London, the time saved by the use of AI is 12.1 billion hours, which adds up to £207bn in productivity gains across the entire economy.

Darren Hardman, CEO of Microsoft UK & Ireland, says that “enthusiasm alone isn’t enough”.

“Businesses must ensure the AI tools in use are built for the workplace, not just the living room.”

What is Shadow AI?

Unauthorised use of AI tools and systems by employees of an institution without approval by the company’s IT department is referred to as shadow AI.  

This unauthorised use is a massive security threat to organisations, as it could be the source of data and security breaches.

Improving work-life balance, developing new skills at work and focusing time on meaningful work were the top three reasons employees gave for using AI at work.

What are the dangers of Shadow AI?

According to a recent RiverSafe survey of CISOs, one in five UK companies experienced data leakage as a result of employees using generative AI. 

By sharing proprietary code, financial data, and other vital information, employees are basically handing over enterprise trade secrets to Large Language Models.

Sharing secure or sensitive data with AI tools can lead to non-compliance with GDPR, HIPAA and other data privacy regulations, which could lead to huge fines.

Fines for not complying with GDPR could reach up to EUR 20,000,000 or 4% of the organisation’s revenue, making it a costly mistake to say the least.

IBM’s AI for Business Leader for EMEA, Hans Petter Dalen, unpacks the consequences of unmanaged AI agents for enterprises | Credit: IBM

Generative AI has its own flaws such as hallucinations and algorithmic bias, which can result in low quality or outright inaccurate outcomes.

The use of certain third-party APIs could also serve as a potential entry point for cyber attacks.

The growth in the popularity of AI agents raises severe concerns as these are autonomous tools that can work without oversight and independently make decisions.

Hans Petter Dalen, IBM’s AI for Business Leader for EMEA, says that: “If AI agents aren’t centrally registered, inventoried and monitored, they become ‘shadow agents’: operating out of scope, out of oversight and potentially out of alignment with enterprise policy.” 

While AI has the potential to ease workflows and speed up production, centralised, enterprise-grade AI tools are needed to overcome the security flaws of shadow generative AI tools.

How to safeguard against Shadow AI?

Hans suggests that developing visibility is the first step to bringing down the risk associated with shadow AI.

“Enterprises need tooling that can automatically discover AI applications and agents operating in the environment – even those deployed by business users without formal approval,” he explains. “After all, you can’t govern what you can’t see.”

London Tech Week 2025: Darren Hardman, CEO, Microsoft UK Keynote Speech

The deployment of enterprise AI tools and governance frameworks is essential for organisations to take advantage of AI while maintaining security measures.

Implementation of guardrails around AI use to help employees understand approved uses of AI within the organisation is paramount. 

Darren Hardman says: “The message is clear: only enterprise-grade AI delivers the functionality that employees want, wrapped in the privacy and security every organisation demands.” 
