The Liability Risks of Shadow AI Tools in the Workplace

Artificial intelligence (AI) is reshaping how work gets done. From research to client communication, AI tools are accelerating productivity across industries. But not every tool in use is sanctioned. Increasingly, employees are bringing in their own “shadow AI” apps: tools adopted outside of IT or compliance oversight.

This creates hidden liabilities that can surface at the worst possible moment. IBM reports that 41% of employees already use unsanctioned AI tools at work, a number projected to rise to 75% within three years. For small and mid-sized businesses, which often lack large compliance teams, this shift introduces urgent questions: what risks do shadow AI tools create, what’s at stake for leaders, and how can businesses safeguard growth while embracing innovation?

What Is Shadow AI?

Shadow AI refers to employees using unapproved AI tools without oversight from IT, security, or compliance. It often appears in everyday scenarios: a marketer pasting drafts into a chatbot, an engineer uploading code for debugging, or a sales rep generating client summaries.

As Monika Malik, Lead AI Engineer at AT&T, explains, shadow AI typically grows in the gaps between policy and practice. Companies may move slowly on approvals, lack clear rules, or fail to provide sanctioned alternatives, and “single sign-on risks making it easier to run rogue than to do it the right way.”

Data Privacy & Confidentiality Risks

The most immediate risk of shadow AI is data leakage. Employees may feed sensitive information—such as customer records, proprietary code, or financial data—into public AI platforms. Many generative AI services retain this information to improve their models, meaning confidential data can end up stored on third-party servers beyond your control.

Consider a sales manager pasting a prospect list into a free AI chatbot to generate outreach emails. If that platform logs and later exposes those records, your company—not the chatbot provider—could be liable under privacy regulations like GDPR or state laws.

The costs are significant. The average global data breach cost in 2024 was $4.9 million, with U.S. breaches averaging $9.36 million. Even smaller incidents can trigger lawsuits, regulatory fines, and reputational damage that hits SMBs hardest.

As Malik warns, “sensitive data is being flushed out of the organizational boundary from your prompts,” often without companies realizing it. Because shadow AI bypasses monitoring and compliance controls, risks may stay hidden until raised by an auditor, regulator, or client.

Intellectual Property & Infringement Exposure

Shadow AI can also create intellectual property (IP) risks. Generative AI tools are trained on vast datasets, some of which may include copyrighted or trademarked material. When employees use these tools to generate code, designs, or content, there is no guarantee the outputs are free from infringement.

For example, a marketing team might use an AI image generator for a campaign, only to face claims that the visuals replicate a photographer’s copyrighted work. Even without intent, the business could be liable.

These disputes are no longer hypothetical. By late 2024, George Washington University’s Database of AI Litigation had tracked 212 lawsuits involving AI, with 64 tied directly to generative AI. Increasingly, plaintiffs are targeting not only the AI developers but also the companies using these tools in their operations.

The consequences go beyond legal bills. IP disputes can undermine trust with customers, investors, and partners, raising questions about a company’s governance and professionalism at pivotal moments of growth.

Regulatory & Compliance Liability

AI regulation is evolving quickly, and shadow AI can put businesses out of step with emerging rules. Frameworks like the EU AI Act and U.S. proposals emphasize transparency, documentation, and accountability in AI use. Unsanctioned tools, by nature, bypass these safeguards.

IBM’s 2025 X-Force research found that only 24% of generative AI projects include built-in security measures. That means most AI activity, and especially shadow AI, likely operates without adequate protections against misuse or disclosure.

For business leaders, ignorance won’t shield the company from liability. If employees are using AI to make hiring decisions, evaluate loan applications, or draft investor communications without oversight, regulators could allege bias, misrepresentation, or privacy violations. These claims carry financial penalties as well as reputational risks, from media scrutiny to shareholder concerns.

Complicating matters, compliance obligations vary by geography and industry. A digital health company experimenting with unsanctioned AI faces very different rules than a software firm. What they share is vulnerability if AI adoption happens outside official channels.

Contractual & Client Disputes

Shadow AI doesn’t just create regulatory exposure; it can also trigger disputes with clients and partners. Many SMBs operate under contracts that include strict confidentiality, data handling, or quality assurance requirements. When employees use unapproved AI tools, those obligations can be compromised.

Imagine a developer who relies on a free AI platform to generate code for a client project. If that code incorporates copyrighted material without attribution, the client could allege breach of contract or negligence. Or consider a consulting firm that uploads confidential client files into an AI service, only to find the platform’s terms of service allow data retention. That would violate most confidentiality agreements.

These risks are already materializing. A McKinsey survey found that 47% of organizations experienced at least one negative consequence from generative AI use, ranging from inaccuracies to data security issues. When these missteps undermine contractual commitments, disputes can escalate into arbitration or litigation.

For SMBs, the fallout can be severe: eroding customer trust, slowing revenue, and even jeopardizing growth milestones like fundraising or expansion.

Protecting Against AI-Driven Liability with Insurance

Governance and training are critical first steps, but insurance provides an essential safeguard when AI-driven risks surface. The right coverage ensures that innovation doesn’t expose your balance sheet or your leadership team to avoidable financial loss.

Several policies play a role:

  • Cyber Insurance covers breach response costs such as forensics, notifications, and credit monitoring, while also defending against regulatory actions after a data exposure.
  • Errors & Omissions (E&O) Insurance protects against client claims that your services caused financial loss due to negligence, misrepresentation, or misuse of tools.
  • Directors & Officers (D&O) Insurance shields company leaders from personal liability if they are accused of failing to implement proper AI governance or disclosures.
  • Media Liability Insurance addresses claims of copyright infringement, libel, or defamation tied to AI-generated outputs.

Together, these coverages help leaders embrace AI’s potential without fear that a misstep will derail growth, strain customer relationships, or put personal assets at risk.

Building a Responsible AI Culture

Insurance is a vital safeguard, but prevention is equally important. “Shadow AI is a convenience issue, not a tech issue,” says Malik. Leaders can reduce liability by setting clear expectations for how AI is used across the business.

  • Approving secure AI tools and making them easily accessible to employees.
  • Training staff on responsible AI use, especially around data sharing, IP risks, and confidentiality.
  • Updating governance policies to explicitly address AI usage.
  • Monitoring for shadow AI activity through IT controls and audits.
  • Collaborating with legal and compliance teams to stay ahead of evolving regulations.

Shadow AI may feel like a harmless shortcut, but it can create serious liabilities if left unchecked. From privacy violations to contract disputes, the risks often surface only after real damage is done.

By combining proactive governance with the right insurance strategy, ambitious companies can harness AI with confidence, unlocking its productivity benefits without exposing their business, their customers, or their leadership to unnecessary risk.

Vouch Specialty Insurance Services, LLC (CA License #6004944) is a licensed insurance producer in states where it conducts business. A complete list of state licenses is available at vouch.us/legal/licenses. Insurance products are underwritten by various insurance carriers, not by Vouch. This material is for informational purposes only and does not create a binding contract or alter policy terms. Coverage availability, terms, and conditions vary by state and are subject to underwriting review and approval.
