
Tor and the Tor Network: Hidden evil or privacy protector?
Following our recent article series about VPNs, a reader asked about Tor, saying, “Can you give us a balanced view so we can figure it out for ourselves?”
The answer is: Yes!


It’s no secret that AI, and generative AI in particular, is on the rise, with many companies investing in this technology to increase productivity and cut costs. A 2025 report from Microsoft found that 75% of global knowledge workers are now using generative AI in their work. While these tools can result in productivity gains, they come at a hidden cost — your data.
As employees feed company and customer information into AI tools, that data is stored on third-party servers — ones that might not be protected in accordance with a company’s security standards. Data that includes intellectual property, protected customer data, company finances or strategies, and sensitive HR information is then available to bad actors. Even something as simple as role- or employee-specific information can be accessed and used by hackers to run convincing social engineering scams.
Because AI is a relatively new technology, many companies don’t have policies in place dictating how to use it safely. Employees are experimenting with new AI tools every day, regardless of whether or not they are vetted and approved by IT teams. This shadow AI is a huge threat to enterprises, and it doesn’t have an easy fix.
So how did we get here, what does this mean for security teams, and how can organizations stop the flow of sensitive information into AI tools? Let’s dig in.
Employees are usually well-intentioned in their use of AI. They are taking advantage of emerging technology to perform their jobs more effectively. But due to a lack of education around AI-driven threats, employees likely don’t realize the harm they may be causing by using this new technology.
For instance, when an employee copies and pastes a client contract, financial documents, or product roadmap into an AI tool to summarize, edit, or analyze it, the AI tool stores that data on a third-party server, but there is no record of that information leaving the organization’s security perimeter. The same is true for AI software that summarizes video calls or team meetings in which employees openly discuss a client project.
These activities happen more often than security leaders would like. LayerX found that 77% of users are copying and pasting information into AI tools. Even when employees aren’t summarizing meetings or copying and pasting files into generative AI tools, they may be oversharing through simple prompts. A Harmonic study found that 8.5% of generative AI prompts contained sensitive information. While this may be a fairly low percentage of the total prompts entered into generative AI tools, keep in mind that ChatGPT is fielding 2.5 billion prompts per day.
Generative AI is widely recognized as the fastest-growing enterprise technology category in history. ChatGPT, which dominates the market, launched in November of 2022. As of June 2025, 34% of all U.S. adults and 58% of adults under 30 have used ChatGPT. As a comparison, SaaS categories like file sharing or video conferencing took more than a decade to reach similar market penetration.
Unsurprisingly, governance has not kept up with AI’s meteoric rise. A 2025 KnowBe4 survey found that 60.2% of employees are using AI tools in the workplace, but only 18.5% are aware of their company’s AI policy. And LayerX found that 82% of activity on generative AI tools happens in unmanaged personal accounts, which don’t fall under IT’s oversight.
Generally speaking, employees aren’t knowingly misusing AI — they simply aren’t aware of the security threats that accompany the technology and haven’t gotten any corporate guidance on how to use it safely.
Even when companies develop and share policies around appropriate AI use, they are challenging to enforce because traditional security tools can’t protect against the type of data loss that occurs when employees use generative AI.
Existing data loss prevention tools monitor email, applications, and other endpoints for the unauthorized transfer of sensitive information. They look for file transfers via cloud applications, email servers, and even USBs to ensure sensitive files don’t leave the network. These tools check screengrabs, uploads and downloads, printed and scanned documents, and block unauthorized actions. What these tools don’t look for is copying and pasting text.
This becomes problematic given that 77% of employees copy and paste data from company documents directly into AI interfaces. This means sensitive information is being uploaded to an unsecured third-party server without a company ever knowing because there was no email to intercept or file transfer to stop.
Until these tools evolve, it will be challenging for companies to enforce AI policies and stop the exfiltration of private data.
Organizations need to find a solution to shadow AI fast because these threats are happening, and they are expensive. IBM’s Cost of a Data Breach Report 2025 claimed that 20% of organizations surveyed had already suffered a breach due to shadow AI, and those breaches were more costly than the average breach. Organizations with high levels of shadow AI are paying $670K more for breaches than organizations with no or low levels of shadow AI. Further, Gartner predicts that by 2030, more than 40% of enterprises will experience security or compliance incidents linked to the use of unauthorized AI.
In addition to avoiding the expense of a shadow AI breach, companies are also scrambling to maintain compliance with regulations, even though shadow AI makes that nearly impossible. GDPR Article 30 requires companies to maintain up-to-date, written records of all data-processing activities — quite the effort when there’s no record of employees copying and pasting data into unsanctioned generative AI tools.
Shadow AI also makes it impossible for companies to fully comply with CCPA, which grants California residents the right to request the disclosure of how and where their personal information is being used and request that it be deleted. If a company doesn’t know an employee has uploaded client information to ChatGPT, it can’t report that, and it certainly can’t delete the information from ChatGPT’s server.
Not only can companies face fines for failing to comply with these regulations, but they may also encounter public backlash and lost business after reporting a breach as is required by GDPR, HIPAA, and SEC regulations. This puts businesses at a serious disadvantage because they’ll need to disclose a breach they didn’t know occurred through a channel they weren’t monitoring, involving data they can’t fully account for.
There is no band-aid solution to shadow AI. The technology itself is new, it’s being rapidly adopted, and it’s used for personal productivity, so tools and usage vary by person. Employees also have a strong desire to take advantage of this emerging technology to streamline undesirable tasks.
Employee use of AI also extends beyond generative AI tools, making it challenging to track. AI features are increasingly embedded into company tools like Zoom, Salesforce, and the Google and Microsoft suites of tools. In fact, studies have shown that 90% of organizations have sensitive files exposed through Microsoft 365 Copilot, including 25,000+ sensitive folders accessible to anyone who enters the right prompt. Beyond the employee risks, many organizations are themselves exploring ways in which AI can increase productivity and cut costs.
For all these reasons — and more — banning AI or even banning generative AI tools would be ineffective. Overly restrictive controls will only drive employees to find loopholes or other less visible tools, continuing shadow AI threats.
Instead, AI governance should include employee education on how to use AI safely and policies that protect against unwanted or illegal sharing. Companies should offer sanctioned AI tools and alternatives so employees can increase productivity without using banned tools. By encouraging an open dialogue and allowing employees to submit AI tools for consideration, IT teams can get ahead of the game and proactively recommend the safest, most secure tools to solve business challenges.
The best AI security programs will include the use of AI discovery tools that can continuously scan environments to identify AI tools, who’s using them, and what sensitive data they have access to. They’ll also include browser-level visibility into copy-paste and upload activity, given that most data is leaving organizations that way. If not already part of their regular activities, security teams should review privileged accounts and establish access controls to ensure sensitive data is only available to those who need it to perform their roles.
Finally, there needs to be a shift in the way companies approach AI security. AI isn’t black and white; it is complex, and any options being considered should reflect that. Leaders need to think about the real business risks and benefits of AI rather than simply checking boxes to be compliant with regulations or establishing a blanket ban on all AI. Employee training needs to cover the risks of AI, and should also include practical guidelines that demonstrate how to use it safely. Additionally, security teams should develop context-aware, data-centric controls that permit AI usage while preventing sensitive data from leaving the perimeter.
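The browser-level paste visibility and context-aware control described above could look like the following content-script logic. This is an added example, not code from the original article or from any vendor's product; the host lists, the hypothetical `ai.corp.example` tool, and the detector patterns are assumptions.

```javascript
// Added example: paste inspection for a browser-extension content script.
// Host lists and detector patterns below are illustrative assumptions.
const GENAI_HOSTS = new Set(["chatgpt.com"]);           // assumed watch list
const SANCTIONED_HOSTS = new Set(["ai.corp.example"]);  // hypothetical approved tool

// Luhn checksum cuts false positives from arbitrary 13-19 digit runs.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

const DETECTORS = [
  { type: "payment_card", re: /\b(?:\d[ -]?){13,19}\b/g,
    ok: (m) => luhnValid(m.replace(/\D/g, "")) },
  { type: "us_ssn", re: /\b\d{3}-\d{2}-\d{4}\b/g, ok: () => true },
  { type: "private_key", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/g, ok: () => true },
  { type: "email_address", re: /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g, ok: () => true },
];

// Returns counts per data type; matched values are never stored or logged.
function classifyPaste(text) {
  const counts = {};
  for (const { type, re, ok } of DETECTORS) {
    const n = (text.match(re) || []).filter(ok).length;
    if (n > 0) counts[type] = n;
  }
  return counts;
}

// Context-aware decision: same content, different outcome per destination.
function decide(hostname, text) {
  const findings = classifyPaste(text);
  const sensitive = Object.keys(findings).length > 0;
  const unsanctionedAI = GENAI_HOSTS.has(hostname) && !SANCTIONED_HOSTS.has(hostname);
  return { action: sensitive && unsanctionedAI ? "block" : "allow", findings, chars: text.length };
}

// Browser wiring: runs only where a DOM exists (skipped under Node).
if (typeof document !== "undefined") {
  document.addEventListener("paste", (e) => {
    const text = e.clipboardData ? e.clipboardData.getData("text/plain") : "";
    if (decide(location.hostname, text).action === "block") e.preventDefault();
  }, true);
}
```

Because `decide` returns only type counts and a character length, the verdict can be forwarded to an audit log without copying the sensitive text itself into another system.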
Minimizing or eliminating shadow AI and stopping the loss of sensitive data through AI tools requires significant thought and effort. There is no single tool that companies can use to eliminate the problem — it requires continuous effort on the part of company leaders, security teams, and employees. As new AI tools and features continue to emerge and advance, it will only increase the efforts required by security teams — the same teams that are already stretched thin by detection and response efforts.
SolCyber is a fully managed, human-led MSSP that can take on your threat detection and response efforts, freeing up your internal security team to build and enforce an AI security program. We establish and manage the foundation of your security program, so your teams can focus on growing and evolving your AI policies as the technology grows and evolves. Should a shadow AI incident result in credential exposure, identity compromise, or anomalous access, our team can help you quickly find the breach, assess the damage, and remediate the issue.
To learn more about how our teams can support your security teams as they shift to protecting against AI threats, contact the experts at SolCyber.
Photo by Stefano Pollio on Unsplash







