Many of today’s employers are eager to reap the benefits of emerging artificial intelligence-powered tools and are pressing their teams to identify and implement ways in which AI can improve their work. Some of these employers are approaching the AI revolution with business risks in mind, carefully vetting technologies, developing AI governance policies, and approving only those that meet their operational and security needs.
Nevertheless, employees may decide to use unsanctioned AI platforms and software in their work, often referred to as “Shadow AI.” This emerging form of insider threat does not require employees to act with malice: They may have nothing but good intentions when they evade a company’s AI policies or use AI tools when their company has no policy at all. These unapproved uses often involve publicly available AI tools that do not meet applicable privacy and security requirements—including employees using confidential company or customer information in personal accounts on one of the many AI platforms that can be used with free accounts, like ChatGPT, Claude, and Gemini. Even at businesses reluctant to embrace AI, employees may decide on their own to make unauthorized use of Shadow AI, creating significant compliance and litigation risks.
Community Bank’s recent report to the US Securities and Exchange Commission (SEC) demonstrates how Shadow AI can lead to significant regulatory and mitigation consequences. On May 7, 2026, the bank reported a material cybersecurity incident to the SEC under Item 1.05 of Form 8-K. The bank stated that nonpublic customer information was processed internally using an unauthorized AI-based software application. The customer information at issue included customer names, Social Security numbers, and dates of birth. According to the bank, the incident did not involve a disruption to the bank’s operations, payment systems, or core information technology infrastructure or to customer access to accounts or services.
Despite the lack of business disruption, due to the volume and sensitivity of the nonpublic information at issue, the bank determined two days after the incident was discovered that it should be reported to the SEC. In addition to making a publicly available report to the SEC, the bank took additional actions to contain and remediate the incident:
These measures almost certainly came at significant cost, required diversion of resources from core business functions, and resulted in negative publicity.
Businesses must face today’s world as it is: Love it or hate it, your employees are considering using AI at work to get ahead or avoid falling behind. The question is not whether some employees will experiment with AI tools but rather what tools employees will use and how they will use them. The answers to these questions could have profound enforcement and litigation implications—and the actions of a single employee may have significant enterprise-wide consequences.
The SEC’s requirement to report material cybersecurity incidents is just one of many potential reporting and notification requirements that can be triggered by the unauthorized use of nonpublic data on AI platforms that lack appropriate privacy and security guardrails. Depending on the data and tools involved, Shadow AI usage may violate security or privacy requirements under the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act (GLBA), the Family Educational Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA), the California Consumer Privacy Act (CCPA), and the other 22-and-counting comprehensive state data privacy laws, among many other federal and state requirements. Shadow AI incidents involving overseas-based platforms or foreign data may trigger requirements under the US Department of Justice’s Data Security Program, the EU’s General Data Protection Regulation (GDPR), or the UK’s GDPR. Violations of these and other government requirements may require reporting and notification and carry significant risks of fines, penalties, and/or required remedial actions.
In addition to government reporting and enforcement risks, a company’s insurance policies or agreements with customers may also require notification, especially for companies doing business with the federal government, which has its own restrictions and rules. There are also risks from private individuals and plaintiffs’ lawyers. Consumers and employees whose data was potentially compromised through Shadow AI may file lawsuits under state privacy laws, bring tort claims, or even seek to bring class actions against businesses alleged to have violated their rights or compromised the confidentiality or security of their data.
These legal and compliance risks reflect the serious data privacy and security risks that the use of Shadow AI can create. There have been several high-profile examples of the privacy and security vulnerabilities of widely used AI platforms.
On multiple occasions, ChatGPT conversations have been found to be publicly accessible through Google. In the summer of 2025, it was revealed that Google was indexing conversations sent by ChatGPT users, making any conversation sent with the “share” feature visible to the entire world with a basic Google search. Later in 2025, it was reported that ChatGPT chat logs were available to users of a common Google analytics tool. Users likely had no idea that these conversations, some involving sensitive information and personally identifying details, would become public.
In addition to risking public exposure of data, use of the wrong AI tools could have consequences in the courtroom. In February 2025, a federal judge ruled that a criminal defendant’s communications with the Claude AI platform about his case were not protected by the attorney-client or work product privileges. Therefore, the government was permitted to access the Claude logs it located on a computer seized pursuant to a search warrant and use them against the defendant at trial. The logs included reports outlining legal defense strategy the defendant prepared after learning he was the target of the grand jury’s investigation. While other courts have suggested that communications with AI platforms may not lose all legal protections, it is clear that a fact-intensive analysis is needed to determine whether privilege is preserved when a particular AI tool is used.
The use of Shadow AI can even have national security implications. In early 2025, DeepSeek, a Chinese AI company, released a large language model that soon became one of the most popular AI platforms. US government and private-sector entities have raised concerns that the platform siphons user data to the Chinese government and manipulates results to align with Chinese government policy positions.
Individual users lacking corporate guardrails are less likely to carefully consider the privacy and security of AI platforms they use at work. Companies must take action to embrace AI responsibly—in keeping with their organizational strategies and legal obligations—or risk employees taking matters into their own hands. Whether or not you choose to adopt AI into your business, setting up policies and guardrails is a must.
Whether or not your business has approved the use of AI-enabled tools, your employees are likely using them or considering using them soon. A secure and controlled AI governance framework is a must. This will require collaboration between your IT, legal, and compliance teams. This may involve data mapping and classification, AI-focused risk analysis, the creation or adoption of enterprise tools, AI-focused policies and procedures, and workforce training and oversight. It should also include vendor and client collaboration, as clients should never be surprised by the use of AI with their data and may also have their own vendor guidelines prohibiting or restricting certain uses.
Simply having a policy is not enough. Your workforce must be informed about your policies and trained on the appropriate use of your approved AI tools. Your policies and procedures must prohibit the use of Shadow AI and impose consequences for employees who violate them. Companies should consider technical barriers to prevent the use of Shadow AI, protecting sensitive data to ensure that it is not compromised or put at risk.
Companies should review vendor policies associated with each approved AI tool for issues, including confidentiality, data retention, and unauthorized access. You should also talk to vendors about how they use AI with their clients’ data. Companies should monitor whether outputs can be shared with third parties or used to train AI tools. Businesses that handle sensitive information should also be aware of the different data privacy requirements that may be involved in order to ensure regulatory compliance. Improperly disclosed information may also be subject to individual state data breach reporting requirements.
Businesses should review and update their incident response plans to address AI-related data exposure as well as strengthen existing controls and monitoring measures for unauthorized AI use. Publicly regulated companies should evaluate whether incidents are material cybersecurity incidents requiring disclosure to the SEC and consider other regulatory guidance.
[View source.]
See more »
DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.
© McCarter & English, LLP
Refine your interests »
Join more than 70,000 authors publishing their insights on JD Supra
Back to Top
Explore 2026 Readers’ Choice Awards
Copyright © JD Supra, LLC
