TL;DR: A survey of 500 Australian technology decision makers found that 36% of employees upload sensitive company information to AI tools, while 70% of organisations have little to no visibility into what tools are being used and 63% of users lack confidence in secure use, according to Josys. The governance failure is not AI adoption itself, but the absence of visibility, policy enforcement, and audit-ready controls.
NHIMG editorial — based on content published by Josys: New Report Reveals That Over 1/3 of Australian Professionals Expose Sensitive Company Data to AI Platforms
By the numbers:
- 36% of employees upload sensitive company information to AI tools.
- 70% of organisations have moderate to no visibility into what AI tools are being used.
- 63% of professionals lack confidence in using AI securely.
Questions worth separating out
Q: How should security teams govern employee use of external AI tools?
A: Security teams should treat external AI usage as a governance and data-control problem, not just an awareness issue.
Q: Why does shadow AI create risk even when users have valid corporate access?
A: Valid corporate access does not control where a user sends data after login.
Q: What do organisations get wrong about AI governance policy?
A: Many organisations confuse written policy with effective control.
Practitioner guidance
- Audit unsanctioned AI usage across the organisation. Discover which AI tools are being used by department, identity type, and device class.
- Enforce data sensitivity rules at the point of use. Tie policy enforcement to data classification so that sensitive content is blocked or warned on before it reaches external AI services.
- Replace manual review with measurable AI governance. Track approvals, exceptions, blocked events, and policy violations as operational metrics.
What's in the full report
Josys's full report covers the operational detail this post intentionally leaves for the source:
- The survey design and sector breakdown for the 500 Australian technology decision makers.
- The full set of AI usage and preparedness percentages by function, including finance, IT, healthcare, sales, and marketing.
- The compliance context behind privacy reform and AI model transparency requirements.
- Josys's recommended governance actions for visibility, policy enforcement, and AI-specific reporting.