Last week’s Bitdefender numbers said 47.4% of IT teams have only partial or no visibility into the AI tools their employees are using. That is the polite version of the problem.
A sales rep pastes a contract into ChatGPT to “summarize the legalese.” An engineer feeds a production stack trace into a chatbot to debug faster. A marketing manager uploads an entire customer persona deck to an image generator for a slide. None of these people think they are doing anything risky. The data is already gone, and your DLP never saw it leave.
That is Shadow AI. The operating environment of 2026, and the single biggest hole in most SMB security programs right now.
The Visibility Gap Is Worse Than the Stat Says
Bitdefender’s 2026 Cybersecurity Assessment put a number on it: 51.8% of IT and security pros said they have full visibility into how AI is used in their company. 47.4% said they have only partial or no visibility. That sounds like a coin flip, but the sub-bullets are worse.
58% of managers said they have complete AI visibility. Among frontline practitioners, the number drops to 45.9%. The strategic layer of the business is making decisions based on a picture that does not exist. The people doing the actual work know they are flying blind. The two groups are not talking about it, or the managers are not listening.
For an SMB with 50 to 500 employees and no dedicated AI governance lead, this gap collapses fast. The first time you find out an employee fed customer PII into a free chatbot is when your general counsel gets the call from your insurance carrier. By then, “shadow” is the wrong word.
What Is Actually Leaking
It is tempting to treat Shadow AI as a single problem. It is at least four, and they have different fixes.
Public LLM paste-and-go. Employees copy text, code, customer data, or contracts into ChatGPT, Claude, Gemini, DeepSeek, or one of the dozen Chinese-origin models employees install on personal phones to bypass corporate restrictions. Prompts are stored on vendor servers. Some are used for training by default. Opt-out exists but the toggle is buried in settings most users have never opened. Samsung learned this in 2023 when engineers pasted source code into ChatGPT and the company banned generative AI company-wide within a month. Three years later, the same mistake is happening in companies that were not paying attention.
Unauthorized copilots and agents. Microsoft 365 Copilot, Google Workspace Gemini, Slack AI, Notion AI, and Zoom AI Companion have shipped into the SaaS tools you already pay for. Most are enabled by default at the tenant level. Most can be configured to respect your existing data boundaries. Most have not been. When Copilot launches in your M365 tenant and starts surfacing summaries of HR investigations, M&A drafts, or terminated employee folders to anyone who asks in Teams, that is not a Copilot bug. That is your tenant configuration.
Browser extensions and meeting summarizers. Read.ai, Otter, Fireflies, Tactiq, Fathom, and a dozen look-alikes join your Zoom and Teams calls automatically and write transcripts to their own cloud. They often capture audio, video, screen shares, and chat. Some pipe everything to a third-party LLM for the “smart summary” feature. Sales calls, customer calls, board calls — all in scope. Most IT teams have no inventory of these extensions.
Local AI tooling and shadow agents. Engineers running Ollama, LM Studio, or llamafile on a laptop to “keep our data local” sounds good in theory. In practice, those models often pull pre-trained weights from unverified Hugging Face mirrors, ship with no SBOM, and run with no sandbox. SMBs that adopted local AI for “security reasons” are often running unsigned binaries from strangers — the opposite of the security reason they thought they had.

Three Incidents Worth Naming
I am going to name specific examples because hand-waving about “AI risks” does not move anyone to action.
EchoLeak (Microsoft 365 Copilot, 2025). Researchers at Aim Labs disclosed a prompt injection vulnerability in Copilot that allowed an attacker to exfiltrate data from a user’s mailbox and OneDrive through a single crafted email. No user interaction beyond receiving the email was required. Microsoft patched it. The class of bug did not go away — every LLM-integrated product has the same shape of problem, and the research community finds new variants every month.
DeepSeek exposure (January 2025). The Chinese AI lab DeepSeek exposed more than a million rows of internal logs, API keys, and user prompts via an unauthenticated ClickHouse database. Any company that had employees using DeepSeek for work had sensitive prompts sitting on an exposed server. No public count of affected corporate users exists, which is itself the story.
Slack AI data leakage pattern. Multiple 2025 disclosures showed Slack AI susceptible to prompt injection through shared files and channels, where hidden text in a document could hijack the AI’s response and exfiltrate data the user had access to. Slack patched. The lesson did not stick — every AI-augmented SaaS tool is in the same boat and the disclosure cadence is a metronome.
What Actually Moves the Needle
The temptation is to write an AI policy and call it done. That does not work. People will use AI tools regardless. The job is to make the safe path the easy path and to know what is happening when it is not. Five moves for a small IT team this quarter.
-
Turn off generative AI features in your SaaS tenants by default. M365 Copilot, Gemini in Workspace, Slack AI, Notion AI — set them to opt-in per user group, not enabled tenant-wide. The defaults shipped in late 2025 and early 2026 are permissive. Override them.
-
Publish an approved AI tools list. Three to five tools you have vetted, with the data classification each one is approved to handle. “Approved for public and internal data. Not approved for customer PII, financial records, or PHI.” That single paragraph gives your help desk something to point to when an employee asks “can I use this?”
-
Make sure tenant-bound AI features are configured correctly. Copilot honors M365 permissions when set up right. The config lives in the Copilot admin center, the audit logs in Purview, and the gaps are the difference between “summarize a public Teams channel” and “summarize every HR investigation in the last five years.”
-
Block the unsanctioned tools at the network layer. DNS filtering, egress proxy, and CASB products can each take a bite. None of them catch everything. The goal is not perfection; the goal is to make approved tools fast and unapproved ones annoying enough that employees come to IT instead of going around.
-
Add one line to your incident response plan. “Employee pastes sensitive data into an unauthorized AI tool.” Run the tabletop. You will discover who needs to be on the call, what your regulatory disclosure clock looks like, and which contracts have notification clauses. That tabletop is worth more than another policy doc.
The Honest Take
The companies handling Shadow AI well in 2026 are not the ones with the best AI policy. They are the ones that accepted two things early: employees will use AI whether you sanction it or not, and you cannot govern what you cannot see. Everything else — the tool list, the tenant config, the network controls, the runbook — follows from those two facts.
The Bitdefender stat said 47.4% have partial or no visibility. The fix is the unglamorous work of getting your SaaS tenant in order, talking to your teams, and writing down what “approved” means. The work fits in a quarter. The cost of skipping it does not.
