Your Boss Is the Biggest Shadow AI Risk in the Building
New survey data shows senior executives are far more likely than ordinary staff to use unapproved AI tools, and that gap is quietly undermining every security policy their IT teams try to enforce.

Key points
- Nearly two-thirds of senior decision-makers admitted to using unapproved AI tools, compared to 31% of lower-level employees, according to a 2024 survey by Microsoft solutions partner TrustedTech.
- Three in four employees said they recognise security or data-privacy risks from using unsanctioned AI, yet senior leaders use those tools anyway.
- A separate June 2024 report by employee-monitoring vendor Teramind found more than two-thirds of C-level executives prioritise speed over security when choosing AI tools.
- Two-thirds of enterprise AI activity runs through personal accounts on platforms the company already pays for, the Teramind report found.
- Security leaders are held accountable for the resulting risk but have no visibility into what their executives are doing or why.
Most people assume the biggest security headaches come from junior staff clicking the wrong link. The data suggests the problem starts much higher up.
A survey by TrustedTech, a company that helps businesses deploy Microsoft technology, found that 64% of senior decision-makers admit to using AI tools their employer has not approved. Among ordinary employees, that figure sits at 31%. The gap is striking, and the consequences are serious.
Why does it matter who uses the unapproved tool?
It matters because executives handle the most sensitive information in any organisation. Think financial forecasts, contract drafts, strategic plans, and customer data. When a CEO or finance director pastes any of that into an unsanctioned AI tool, there is no company oversight, no record of what was shared, and no way to find out later if something went wrong.
Amit Maloo, chief information security officer at procurement software company Ivalua, puts it plainly. When senior leaders use ungoverned AI for business decisions, those decisions still carry real consequences, he says. "But there is no audit trail, no permissions model, or no way to reconstruct what happened or why."
The second problem is cultural. When the people at the top visibly ignore the rules, every employee below them notices. Andy Nolan, VP of technology at TrustedTech, says governance only works when leaders model it. If the CEO bypasses the approved tools, the implied message is that speed matters more than security. Asking everyone else to follow policies leadership ignores becomes nearly impossible.
Crucially, TrustedTech's white paper argues this is not a knowledge problem. "Most shadow AI users are not ignorant of the risk. They are deliberately choosing to use these tools anyway. This is not a training issue. It is a culture, incentives, and alternatives issue."
The Teramind data, first reported by CSO Online, adds another wrinkle. Two-thirds of enterprise AI activity goes through personal accounts on platforms companies already own licences for. People are paying for the governed version and using the ungoverned version of the same product.
Nik Kale, a principal engineer at Cisco, describes it simply. "People aren't going around the front door because the room is locked. They're going around it because the front door is slower."
The practical fix, security leaders agree, is not more policy. It is making the approved path genuinely easier and more capable than the alternatives. If the sanctioned tools are slow, buried in procurement processes, or simply worse than what someone can get for free, people at every level will find their own solution.
If you work in an organisation where executives set technology policy, consider asking whether your company's approved AI tools are actually fit for purpose. If they are not, that conversation is worth having before a data incident forces it.



