
Andy Ward at Absolute Security explains the cyber-security risks of shadow AI in the workplace
Following the UK and US AI agreement and the reintroduction of the Artificial Intelligence Regulation Bill HL (2025), which highlights the ongoing business and public concerns around AI governance, cyber-resilience is under the spotlight: businesses face new security risks from the unsanctioned use of AI tools in the workplace, so-called shadow AI.
To address this, companies need to adopt AI cyber-resilience governance frameworks that embed oversight, accountability and adaptive security protocols into their operations. Regaining control over shadow AI is now essential to protecting sensitive data, maintaining operational integrity and building public trust in AI systems.
Shadow AI's unpredictable nature and lack of oversight can expose organisations to several critical risks: data privacy failures, regulatory compliance breaches, security vulnerabilities and loss of intellectual property. Without proper governance, these tools can undermine operational integrity and leave businesses exposed to legal, financial and reputational damage.
As new UK government legislation confirms that hybrid work is a fundamental right for UK workers, the rising risks of shadow AI in the workplace, such as potential leaks of sensitive or proprietary data, have become increasingly urgent for security leaders to address. Research from Forrester revealed that close to two-thirds of employees are using AI to perform tasks, and that a proportion of them are willing to sidestep organisational security policies to access AI platforms.
For security professionals, shadow AI introduces a complex and widespread cyber-security risk in which visibility, control and governance are difficult to maintain. According to Absolute Security's recent survey of security leaders, 72 per cent of CISOs stated that remote work has complicated their cyber-resilience posture, while 84 per cent of security leaders reported an increased focus on network security due to remote work.
As remote and hybrid work is here to stay, CISOs must evolve their cyber-resilience to prioritise not just prevention, but also recovery.
Senior management and security teams are pivotal in governing the rise of shadow AI within the workplace. As employees increasingly turn to AI tools to boost productivity, leadership must proactively embed a comprehensive approach by establishing robust governance frameworks, regularly assessing risks and educating employees about the potential risks.
A key starting point in controlling shadow AI is strengthening endpoint security. With 73 per cent of organisations identifying remote devices as their greatest weakness in cyber-resilience, unsecured endpoints have become prime targets for exploitation. These devices often serve as entry points for unauthorised AI tools, increasing the risk of data leakage and compliance breaches.
To address this, organisations must shift toward comprehensive resilience strategies that not only prevent attacks but also enable recovery. Security teams need to implement strict access controls, continuous monitoring, and advanced threat detection to safeguard endpoints and limit exposure to shadow AI.
Effective control also requires integrating secure access solutions, automated repair tools, and risk-based vulnerability management. But to truly stay ahead, security teams must expand visibility across networks and build agile incident response plans tailored for distributed workforces. These measures are no longer optional but essential pillars of a proactive defence strategy that empowers organisations to detect, contain, and neutralise shadow AI before it escalates.
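Continuous monitoring for shadow AI in practice means looking at where endpoints actually send data. As an added example (illustrative code written for this article, not a product of Absolute Security or the author), the Python below scans constructed web-proxy log lines against an assumed catalogue of AI service domains, separates one approved service from unsanctioned ones, and flags large POST uploads to either as possible data leakage. The log layout, the domain names and the 100 kB upload threshold are all assumptions made for the example.

```python
"""Added example (not from the article or Absolute Security): flagging
shadow-AI traffic in web-proxy logs.

The log format, the domain lists and the upload threshold are all
assumptions made for this example; a real deployment would feed the
organisation's own proxy or DNS telemetry and a maintained catalogue of
AI services.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Assumed policy: one AI service is approved (sanctioned); every other
# known generative-AI domain counts as shadow AI. All domains are invented.
SANCTIONED_AI_DOMAINS = {"ai.corp.example"}
KNOWN_AI_DOMAINS = {
    "ai.corp.example",
    "chat.ai-example.com",
    "assistant.ai-example.net",
}

# Assumed proxy log layout (constructed for this example):
# <timestamp> <user> <client_ip> <method> <url> <status> <bytes_sent>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


@dataclass
class Finding:
    user: str
    host: str
    method: str
    bytes_sent: int
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one proxy log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    host = urlsplit(m.group("url")).hostname
    if host is None:
        return None
    return {
        "user": m.group("user"),
        "host": host.lower(),
        "method": m.group("method"),
        "bytes_sent": int(m.group("bytes")),
    }


def match_ai_domain(host: str) -> Optional[str]:
    """Return the catalogue entry that host equals or is a subdomain of."""
    for domain in KNOWN_AI_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def analyse(lines: List[str], upload_threshold: int = 100_000) -> List[Finding]:
    """Flag traffic to unsanctioned AI services, and large uploads to any
    AI service (sanctioned or not) as possible data leakage."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not treated as clean
        domain = match_ai_domain(rec["host"])
        if domain is None:
            continue  # not an AI service in the catalogue
        sanctioned = domain in SANCTIONED_AI_DOMAINS
        large_upload = rec["method"] == "POST" and rec["bytes_sent"] >= upload_threshold
        if sanctioned and not large_upload:
            continue  # approved tool, ordinary use
        if large_upload:
            kind = "sanctioned" if sanctioned else "unsanctioned"
            reason = f"large upload to {kind} AI service (possible data leakage)"
        else:
            reason = "use of unsanctioned AI service"
        findings.append(Finding(rec["user"], rec["host"], rec["method"], rec["bytes_sent"], reason))
    return findings


def findings_per_user(findings: List[Finding]) -> Counter:
    """Count findings per user, the view a follow-up conversation needs."""
    return Counter(f.user for f in findings)


# Constructed sample log, not real data.
SAMPLE_LOG = [
    "2025-03-01T09:12:44Z alice 10.0.0.12 GET https://ai.corp.example/chat 200 512",
    "2025-03-01T09:13:10Z bob 10.0.0.17 POST https://chat.ai-example.com/api/upload 200 2500000",
    "2025-03-01T09:14:02Z carol 10.0.0.21 GET https://news.example.org/ 200 4096",
    "2025-03-01T09:15:30Z bob 10.0.0.17 GET https://assistant.ai-example.net/ 200 1024",
    "2025-03-01T09:16:05Z alice 10.0.0.12 POST https://ai.corp.example/api/files 200 350000",
    "this line is malformed and should be skipped",
]

if __name__ == "__main__":
    results = analyse(SAMPLE_LOG)
    for f in results:
        print(f"{f.user:6} {f.host:26} {f.method:4} {f.bytes_sent:>8} {f.reason}")
    print(dict(findings_per_user(results)))
```

Two caveats a practitioner will hit immediately. First, this only sees traffic that passes through the proxy; a remote device off the corporate network or VPN, exactly the weak point the survey figures above describe, bypasses it, so the same logic has to run on endpoint-side telemetry (DNS or TLS SNI from an agent) to cover hybrid workers. Second, the domain match is by exact host or subdomain, so `api.chat.ai-example.com` is caught but a lookalike such as `notchat.ai-example.com` is not; the catalogue of AI services needs to be maintained, not hard-coded as it is here.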
To effectively manage the emerging risks of shadow AI, organisations must begin by establishing clear policies that define acceptable use, data handling, privacy, and security standards for AI tools. These policies lay the foundation for responsible AI adoption. Once in place, the next step is to build comprehensive governance models, ensure active leadership involvement, and enable regular risk evaluations to stay ahead of evolving threats.
AI governance must be integrated across people, processes, and platforms to ensure tools are used responsibly and in alignment with business goals. These frameworks should be responsive and define acceptable use, while adapting to the rapid evolution of AI capabilities.
By fostering collaboration between IT and business units, and embedding continuous monitoring and risk assessment, organisations can harness the benefits of AI while safeguarding operational integrity and trust.
Ultimately, integrating governance into the core of cyber-strategy empowers CISOs to ensure AI is deployed securely and ethically. In an era where shadow AI introduces significant vulnerabilities, robust governance is no longer optional; instead, it is a strategic imperative that protects trust, enables innovation, and prepares organisations for the future of work.
AI governance is emerging as a central concern for organisations navigating hybrid work, rising security threats, and the growing use of unsanctioned AI tools. From endpoint security and network visibility to policy enforcement and cross-functional collaboration, security teams and CISOs are being called to rethink resilience.
As shadow AI continues to challenge traditional controls, embedding adaptive governance frameworks across the whole organisation is a key part of staying secure, compliant, and future ready.
Andy Ward is SVP International at Absolute Security
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543