TL;DR: A survey of 500 Australian technology decision makers, published by Josys, found that 36% of employees upload sensitive company information to AI tools, while 70% of organisations have only moderate to no visibility into which AI tools are in use and 63% of users lack confidence that they are using AI securely. The governance failure is not AI adoption itself but the absence of visibility, policy enforcement, and audit-ready controls.
NHIMG editorial — based on content published by Josys: New Report Reveals That Over 1/3 of Australian Professionals Expose Sensitive Company Data to AI Platforms
By the numbers:
- 36% of employees upload sensitive company information to AI tools.
- 70% of organisations have moderate to no visibility into what AI tools are being used.
- 63% of professionals lack confidence in using AI securely.
Questions worth separating out
Q: How should security teams govern employee use of external AI tools?
A: Security teams should treat external AI usage as a governance and data-control problem, not only an awareness issue: decide which tools are sanctioned, decide what classification of data each may receive, and enforce that decision at the point where the data leaves the organisation.
Q: Why does shadow AI create risk even when users have valid corporate access?
A: Valid corporate access proves who the user is; it says nothing about where the user sends data after login. A prompt pasted into an external AI tool leaves the boundary that identity and access controls protect, so the data is exposed by a fully authorised user without any control being bypassed.
Q: What do organisations get wrong about AI governance policy?
A: Many organisations confuse a written policy with an effective control. A policy that is not enforced at the point of use, and that produces no record of approvals, exceptions, or blocked events, does not change what users do and cannot be demonstrated to an auditor.
Practitioner guidance
- Audit unsanctioned AI usage across the organisation: discover which AI tools are being used, broken down by department, identity type, and device class.
- Enforce data sensitivity rules at the point of use: tie policy enforcement to data classification so that sensitive content is blocked, or the user is warned, before it reaches an external AI service.
- Replace manual review with measurable AI governance: track approvals, exceptions, blocked events, and policy violations as operational metrics.
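The three guidance items above describe a single enforcement path: discover the destination, classify the content, decide, and count the outcome. As an added example, not code from the Josys report or from this editorial, here is a minimal egress policy check in Python that runs that path over a batch of constructed prompts. Everything in it is assumed for illustration: the sanctioned-tool list and per-tool classification ceilings, the exception registry and its ticket id, the detector patterns, the department and device fields, and the sample prompts themselves.

```python
"""Added example, not Josys's or NHIMG's code: an egress policy check for prompts sent to
external AI tools. Tool domains, exceptions, detector patterns and prompts are constructed."""
from __future__ import annotations
import json, re
from collections import Counter
from dataclasses import dataclass

LEVELS = ["public", "internal", "confidential", "restricted"]  # least to most sensitive
# Hypothetical sanctioned tools (highest level each may receive) and ticketed exceptions.
SANCTIONED = {"api.enterprise-llm.example": "confidential", "chat.public-llm.example": "internal"}
EXCEPTIONS = {("alice", "chat.public-llm.example"): "GRC-1234"}   # (user, destination) -> ticket

def luhn_ok(candidate: str) -> bool:
    """Luhn checksum, so a 16-digit order number is not flagged as a payment card."""
    d = [int(c) for c in candidate if c.isdigit()]
    odd = sum(d[-1::-2])                                   # 1st, 3rd, ... digit from the right
    even = sum(sum(divmod(2 * x, 10)) for x in d[-2::-2])  # 2nd, 4th, ... doubled, digits summed
    return 13 <= len(d) <= 16 and (odd + even) % 10 == 0

# Detectors: (level, description, pattern, optional validator). Illustrative, not exhaustive.
DETECTORS = [
    ("restricted", "cloud access key", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), None),
    ("confidential", "document label", re.compile(r"\bCONFIDENTIAL\b"), None),
    ("confidential", "payment card number", re.compile(r"\b(?:\d[ -]?){13,16}\b"), luhn_ok),
    ("internal", "internal e-mail address", re.compile(r"[\w.+-]+@corp\.example\b"), None),
]

def classify(text: str) -> tuple[str, list[str]]:
    """Highest classification the prompt triggers, and why (descriptions, never the match)."""
    level, reasons = "public", []
    for lvl, desc, pattern, check in DETECTORS:
        for m in pattern.finditer(text):
            if check is None or check(m.group()):
                reasons.append(desc)
                if LEVELS.index(lvl) > LEVELS.index(level):
                    level = lvl
                break
    return level, reasons

@dataclass
class Request:
    user: str
    department: str
    device: str       # "managed" or "unmanaged"
    destination: str  # host the prompt is about to be sent to
    prompt: str

@dataclass
class Decision:
    action: str       # "allow", "warn" or "block"
    level: str
    reasons: list[str]
    exception: str | None = None

def evaluate(req: Request) -> Decision:
    """Per-tool classification ceiling, then ticketed exceptions, then device posture."""
    level, reasons = classify(req.prompt)
    if req.destination not in SANCTIONED:
        return Decision("block", level, reasons + ["unsanctioned destination"])
    if LEVELS.index(level) <= LEVELS.index(SANCTIONED[req.destination]):
        return Decision("allow", level, reasons)
    ticket = EXCEPTIONS.get((req.user, req.destination))
    if ticket:
        return Decision("allow", level, reasons, exception=ticket)
    # Over the ceiling: restricted data and unmanaged devices are hard-blocked, the rest warned.
    if level == "restricted" or req.device != "managed":
        return Decision("block", level, reasons)
    return Decision("warn", level, reasons)

class Governance:
    """Operational metrics, a shadow-AI inventory and an audit trail without prompt content."""
    def __init__(self) -> None:
        self.metrics: Counter = Counter()
        self.discovered: dict[str, set[str]] = {}  # unsanctioned host -> departments seen
        self.audit: list[str] = []                 # one JSON line per decision

    def process(self, req: Request) -> Decision:
        d = evaluate(req)
        self.metrics[d.action] += 1
        if d.exception:
            self.metrics["exception_used"] += 1
        if "unsanctioned destination" in d.reasons:
            self.metrics["unsanctioned_attempt"] += 1
            self.discovered.setdefault(req.destination, set()).add(req.department)
        self.audit.append(json.dumps({"user": req.user, "department": req.department,
            "device": req.device, "destination": req.destination, "level": d.level,
            "action": d.action, "reasons": d.reasons, "exception": d.exception}, sort_keys=True))
        return d

# Constructed sample traffic, as an egress proxy or browser extension would see it.
SAMPLE_REQUESTS = [Request(*r) for r in [
    ("bob", "finance", "managed", "api.enterprise-llm.example", "Summarise this CONFIDENTIAL forecast"),
    ("bob", "finance", "managed", "chat.public-llm.example", "Refund letter for card 4111 1111 1111 1111"),
    ("carol", "it", "unmanaged", "chat.public-llm.example", "Why does AKIAIOSFODNN7EXAMPLE fail in CI?"),
    ("alice", "marketing", "managed", "chat.public-llm.example", "Polish this CONFIDENTIAL launch brief"),
    ("dave", "sales", "managed", "random-ai-tool.example", "Rewrite this note to alice@corp.example"),
]]

def run_sample() -> tuple[Governance, list[Decision]]:
    gov = Governance()
    return gov, [gov.process(r) for r in SAMPLE_REQUESTS]
```

Two choices in this sketch are worth carrying into a real control. The audit line records detector descriptions and a destination, never the matched text, so the log does not become a second copy of the secret it just blocked. And the card-number detector is Luhn-checked, so a sixteen-digit invoice number does not raise a warning and teach users to click through; a detector that cries wolf is the fastest way to lose the confidence the 63% figure describes.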
What's in the full report
Josys's full report covers the operational detail this post intentionally leaves for the source:
- The survey design and sector breakdown for the 500 Australian technology decision makers.
- The full set of AI usage and preparedness percentages by function, including finance, IT, healthcare, sales, and marketing.
- The compliance context behind privacy reform and AI model transparency requirements.
- Josys's recommended governance actions for visibility, policy enforcement, and AI-specific reporting.
👉 Read Josys's report on shadow AI data exposure in Australia →
Shadow AI and data exposure: what IAM teams need to know
Explore further
Shadow AI is a governance failure before it is a technology problem. The Josys findings show that the primary breakdown is not user curiosity, but the absence of controlled visibility and enforceable policy around where sensitive information can go. When 70% of organisations lack clear sight of the tools in use, the programme cannot govern what it cannot enumerate. Practitioners should treat shadow AI as an access and data-control boundary issue, not a training-only issue.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, according to The State of Secrets in AppSec.
A question worth separating out:
Q: Who should own shadow AI risk in an organisation?
A: Shadow AI risk should be owned jointly by IAM, security operations, privacy, and compliance teams, because the issue spans identity, data handling, and regulatory exposure. If ownership sits in a single function, the organisation usually ends up with either weak enforcement or weak accountability, and rarely gets both right.
👉 Read our full editorial: Shadow AI governance gaps expose sensitive data at scale in Australia