Report Published: Jun 24, 2026

Shadow AI and Enterprise Data Governance: What 22.4M Prompts Reveal

Harmonic's analysis of 22,458,240 enterprise GenAI prompts and file uploads shows that Shadow AI risk is concentrated but not simple: six apps produced 92.6% of detected sensitive exposure, and ChatGPT alone accounted for 71.2%. Cyberhaven, Verizon DBIR 2026, and IBM's 2025 breach-cost data point to the same control lesson: govern the data flow before source code, legal documents, financial forecasts, or regulated data leave through personal or unmanaged AI accounts.

Data LossData GovernanceIdentity & AccessEnterprise AIShadow AI
8 applicable AIDEFEND defenses

Threat Analysis

  • The flow is ordinary work, not a hack. An employee uses a personal or unmanaged AI account to summarize, debug, translate, draft, or analyze work data. The prompt or upload leaves enterprise SSO, logging, retention, and data-use controls.
  • Harmonic makes the exposure measurable. In 22,458,240 prompts and uploads across 665 tools, it found 579,113 sensitive exposures. Six apps caused 92.6%; ChatGPT alone caused 71.2%. Code, legal documents, and financial data made up 74.5% of exposed sensitive content.
  • Personal accounts break governance. Cyberhaven found 32.3% of ChatGPT usage happened through personal accounts; Verizon found 67% used non-corporate AI accounts on corporate devices. Verizon also found source code was the most common data type submitted to external GenAI models in 858,440 DLP events.
  • The cost is real. IBM reports one in five organizations had a breach due to shadow AI, and high shadow AI usage added an average $670,000 to breach costs. The defense is approved AI routes, data tags, pre-submit controls, and sanitized telemetry.

Applicable AIDEFEND Defenses (8)

AID-M-001.004
AI Service & Embedded SaaS AI Discovery
High
This fills the discovery layer the brief is about: teams need to discover which externally hosted AI services, embedded SaaS AI features, browser GenAI apps, model-provider APIs, accounts, devices, teams, and data categories are actually in use before gateways, DLP, account controls, or alerts can govern them.
AID-I-002.002
Secure External AI Service Connectivity
High
This is the closest AIDEFEND match when user devices and AI connections are inside a governable and monitorable enterprise path, such as company phones or laptops managed with EDR or MDM, an AI gateway, proxy, secure web gateway, enterprise connector, or managed browser path. The control can restrict external AI destinations, mediate transport and egress policy, and monitor anomalies.
AID-H-030.001
Data-Use Policy Schema, Tagging & Classification
High
Shadow AI cannot be governed if the organization cannot tell whether a prompt or upload contains source code, legal material, financial forecasts, regulated records, or low-risk text. Machine-readable data-use tags give gateways, browsers, endpoints, and AI routers the policy input needed before data is copied into an AI prompt or attached as a file.
AID-H-030.002
Lifecycle-Stage Authorization Gate
High
This applies only when the AI use passes through a controlled enterprise path. Before tagged data enters an inference context, log, memory, RAG index, or external provider processing stage, a fail-closed gate can block data that is untagged, unauthorized, or being sent to the wrong account or destination. It is not a complete answer for employees who fully bypass managed routes.
AID-D-005.001
AI System Log Generation & Collection
Medium
For governed AI paths, teams need structured and sanitized logs that capture tool, account type, user, data category, policy decision, prompt or file event metadata, destination, and correlation IDs. The logs should prove what happened without preserving raw source code, legal text, or secrets in clear text.
AID-D-005.002
Security Monitoring & Alerting for AI
Medium
Monitoring turns visible AI usage into a detectable security surface. Useful rules include personal-account AI use on managed devices, first-seen AI domains, high-volume copy or file upload events, source-code patterns in prompts, legal or finance document uploads, and repeated user warnings before submission.
AID-H-014.001
Digital Content & Data Watermarking
Medium
Watermarking does not stop an employee from pasting company content into a personal AI account, but it can make later investigation much stronger. Robust markers in documents, code snippets, images, synthetic records, or other high-risk content can help prove where leaked material came from, which copy or user cohort saw it, and whether it later appears outside approved paths.
AID-DV-002
Honey Data, Decoy Artifacts & Canary Tokens for AI
Medium
Canary data and decoy artifacts are not a primary Shadow AI prevention control, but they are valuable for accountability. Unique honey records, fake API keys, decoy documents, or embedded canary URLs can reveal that sensitive-looking data was accessed, copied, uploaded, or reused outside approved AI paths, giving responders stronger evidence for attribution and follow-up.

What Defenders Should Do Now

  • Inventory AI use by tool, account type, device, team, and data category. Start with the highest-volume tools, especially ChatGPT, Gemini, Claude, Microsoft Copilot, Perplexity, and specialized legal or coding assistants.
  • Separate corporate AI accounts from personal accounts in telemetry. SSO coverage alone is not enough if employees can open the same AI service with a private login on a managed device.
  • Define data categories that should not leave unmanaged paths: source code, secrets, legal documents, financial forecasts, M&A material, regulated data, customer PII, health data, and internal project records.
  • Put a policy check before prompt or file submission. For low-risk content, allow or warn; for high-risk content going to a personal or unapproved AI account, block, redact, or redirect to an approved enterprise AI route.
  • Log decisions with redaction. Capture the tool, account type, user, data category, destination, policy result, and event IDs, but avoid storing raw prompts or files in clear text.
  • Treat enforcement as enablement. Give teams approved tools that fit real workflows, then reserve hard blocking for high-risk data and repeated policy bypass.

1 additional consideration

Browser and endpoint prompt-upload controls

Beyond the techniques mapped above, teams should also control the browser and endpoint layer where employees paste prompts, attach files, and switch between corporate and personal AI accounts.
Recommendation: Deploy browser, endpoint, CASB, or secure web gateway controls that can identify AI sites, distinguish personal from enterprise accounts, inspect prompt and upload events for high-risk data, and warn, block, redact, or route the user to an approved AI path.

Conclusion

Shadow AI is a data-flow governance problem: work data moves into AI faster than enterprise identity, DLP, logging, and data-use policy can follow. AIDEFEND  controls are strongest on observable, governable AI paths: managed devices, corporate accounts, managed browsers, AI gateways, DLP, and enterprise AI services.

AIDEFEND  cannot solve every data-loss path by itself. If an employee photographs a company screen with a personal phone and uploads it to a personal ChatGPT account, AI-input checks usually cannot see it. The practical goal is to govern controllable routes, reduce what unmanaged routes can expose, and add least privilege, screen watermarking, access monitoring, canary data, physical controls, and employee policy.