The State of Shadow AI in Australia

Your team already uses AI. You just cannot see it.

Shadow AI is staff using AI tools outside any oversight, usually on free or personal accounts, often with company data. It is not a fringe habit. Microsoft and LinkedIn found 78% of people who use AI at work bring their own tools, and that climbs to 80% at small and medium businesses. In Australia, a Josys survey of 500 technology decision makers found 36% of employees upload sensitive company information to AI tools, while most organisations admit they cannot see what is being used. This brief collects the verified, citable numbers so you can see the real size of the risk before it turns into a breach.

Key findings, at a glance
  • 78% of workplace AI users bring their own tools, rising to 80% at SMBs (Microsoft & LinkedIn, 2024)
  • 36% of Australian employees upload sensitive company data to AI tools (Josys, 2025)
  • 27.4% of all data pasted into AI tools is sensitive, up from 10.7% a year earlier (Cyberhaven, 2024)
  • $670k added to the average breach cost when shadow AI is involved (IBM, 2025)

01 How widespread it is

Almost everyone, almost everywhere.

Three in four knowledge workers use AI on the job, and most of them are doing it on tools nobody signed off.

The starting point is sheer scale. The Microsoft and LinkedIn 2024 Work Trend Index found 75% of knowledge workers now use AI at work, and 78% of those users bring their own AI tools rather than waiting for an approved option. At small and medium businesses that figure rises to 80%.

Australia is no exception, and a fair bit of it happens quietly. The federal Jobs and Skills Australia research found 21% to 27% of workers, mostly in white-collar roles, use AI without telling their manager. The public sector is in the same boat: a 2025 survey reported around a quarter of public servants using unauthorised AI tools, often on personal devices alongside work systems.

None of this is staff being reckless. It is staff being resourceful with tools that genuinely help. The gap is oversight, not intent.

How common workplace AI use is
Microsoft & LinkedIn 2024; Jobs and Skills Australia
  • Use their own AI tools at work (BYOAI): 78%
  • BYOAI at small and medium businesses: 80%
  • Knowledge workers using AI at work: 75%
  • AU workers using AI behind their manager: ~27%
Workplace AI adoption and unsanctioned use.

The verified numbers

Sourced
  • 75% use AI at work. Three in four knowledge workers (Microsoft & LinkedIn, 2024).
  • 78% bring their own tools. Rising to 80% at small and medium businesses (Microsoft & LinkedIn, 2024).
  • 21% to 27% go around their manager. Australian workers using AI without telling their boss (Jobs and Skills Australia).
  • About a quarter of public servants. Using unauthorised AI tools, often on personal devices (2025 survey).

02 What gets fed into it

And it is the sensitive stuff.

More than a quarter of everything pasted into AI tools is now sensitive, and the trend is going the wrong way fast.

Adoption alone is not the problem. What people put in is. Cyberhaven Labs tracked actual data flows and found that by March 2024, 27.4% of the corporate data employees put into AI tools was sensitive, up from 10.7% a year earlier. Over the same year, the volume of corporate data going into AI tools grew 485%.

The sensitive material is exactly what you would not want leaving the building: source code made up 18.7% of it, research and development material 17.1%, and sales and marketing data 10.7%. In Australia specifically, the Josys Shadow AI Report 2025 found 36% of employees upload sensitive company information to AI tools, and 70% of organisations have moderate to no visibility into which AI tools their people are using.

On a free or personal account there is usually no data processing agreement and no guarantee about where that information goes. Once it is pasted in, it has left your control.

Sensitive share of data put into AI tools
Cyberhaven, March 2023 to March 2024
  • 27.4% of data into AI is sensitive, up from 10.7% a year earlier
  • Volume of corporate data into AI tools grew 485% in a year
Share of data entered into AI tools that is sensitive.

What kind of sensitive data goes in
Cyberhaven, 2024, share of sensitive data put into AI tools
  • Source code: 18.7%
  • Research and development material: 17.1%
  • Sales and marketing data: 10.7%

The verified numbers

Sourced
  • 27.4% of data into AI is sensitive. Up from 10.7% a year earlier (Cyberhaven).
  • 485% growth. In the volume of corporate data put into AI tools over a year (Cyberhaven).
  • 36% of Australian employees. Upload sensitive company data to AI tools (Josys, 2025).
  • 70% of organisations are flying blind. Moderate to no visibility into the AI tools in use (Josys, 2025).

03 What it costs when it goes wrong

The bill for no oversight.

Shadow AI is now one of the three costliest factors in a data breach.

The cost has moved from theory to a line item. The IBM Cost of a Data Breach 2025 report found that one in five organisations (20%) had a breach linked to shadow AI. Those incidents added as much as USD 670,000 to the average breach cost, and disproportionately exposed customer records and intellectual property.

The reason is a governance gap, not bad luck. IBM found 63% of organisations lack a formal AI governance policy, and among those that did suffer an AI-related breach, 97% had no proper AI access controls in place. The tools arrived faster than the rules, and the gap is where the cost lives.

The shadow AI breach picture
IBM Cost of a Data Breach, 2025
  • +$670k added to the average breach cost when shadow AI is involved
  • 20% of organisations had a breach linked to shadow AI
  • 63% have no AI governance policy, and 97% of AI-breached orgs had no access controls
The price of letting AI use run ahead of oversight.

The verified numbers

Sourced
  • 20% breached via shadow AI. One in five organisations (IBM, 2025).
  • $670,000 added. To the average breach cost when shadow AI is involved (IBM, 2025).
  • 63% have no AI governance policy. A formal policy is still the exception, not the rule (IBM, 2025).
  • 97% had no access controls. Among organisations that suffered an AI-related breach (IBM, 2025).

04 What to do about it

Make the safe path the easy path.

Banning AI does not remove shadow AI. It just removes your view of it.

This is VibeZero's read, not a statement of law. The instinct is to send an email saying do not use AI tools. People who were getting real value simply move to their phones, and now the use is somewhere you definitely cannot see. The businesses that handle this well do the opposite: they give staff a sanctioned option and put light guardrails around it.

For Australian businesses there is a compliance edge to this too. Staff pasting customer data into consumer chatbots is the same human-error pathway behind a large share of notifiable breaches, and offshore AI processing engages cross-border disclosure duties under the Privacy Act. We cover that in detail in our AI governance field note.

The fix is a governance baseline, in roughly this order: see what is actually being used, give people an approved tool, write the rules down, tighten the data controls, and train the team. We walk through that playbook step by step in our guide to managing shadow AI without banning it. None of it slows people down. Done right it lets them use AI more, with far less chance a mistake becomes an incident.

05 FAQ

Frequently asked questions.

Shadow AI is the use of AI tools inside a business that sits outside its knowledge or control. In practice it usually means staff using free or personal accounts, on their own logins, to get work done, without the tools being approved, governed or visible to IT. It is the AI version of shadow IT.

Very. Microsoft and LinkedIn found 78% of workplace AI users bring their own tools, rising to 80% at small and medium businesses. In Australia, Jobs and Skills Australia found 21% to 27% of workers use AI without telling their manager, and a 2025 Josys survey found 36% of employees upload sensitive company data to AI tools while 70% of organisations have little visibility into what is being used.

Two reasons. First, data exposure: Cyberhaven found 27.4% of the data employees put into AI tools is sensitive, and on free accounts there is usually no agreement governing where it goes. Second, cost: IBM's 2025 report found one in five organisations had a breach linked to shadow AI, adding around USD 670,000 to the average breach cost, with 97% of AI-breached organisations lacking proper access controls.

It can be. If staff paste personal information into AI tools that process data overseas, that can engage cross-border disclosure obligations under the Privacy Act, and uncontrolled AI use is the same human-error pathway behind a large share of notifiable data breaches. From 10 December 2026, new automated-decision transparency obligations also apply. Our AI governance field note covers the detail.

Banning AI tends to push the behaviour onto personal phones where you cannot see it. The practical approach is to make the safe path the easy one: find out what is actually being used, give staff an approved business-grade tool, put a short written policy in place, tighten the data controls, and train people. VibeZero offers an AI usage review to map it, a free AI policy template, AI data loss prevention, and a free AI Risk and Readiness Check to start.

06 Sources

Every number, cited.

[1] Microsoft & LinkedIn, 2024 Work Trend Index (microsoft.com). 75% of knowledge workers use AI at work; 78% of AI users bring their own tools (BYOAI), rising to 80% at small and medium businesses.

[2] Cyberhaven Labs, AI Adoption and Risk Report, 2024 (cyberhaven.com). 27.4% of corporate data put into AI tools was sensitive by March 2024, up from 10.7% a year earlier; volume of corporate data into AI tools grew 485%; source code 18.7%, R&D 17.1%, sales and marketing 10.7%.

[3] IBM, Cost of a Data Breach 2025 (ibm.com). 20% of organisations had a breach linked to shadow AI, adding up to USD 670,000 to the average cost; 63% lack a formal AI governance policy; 97% of AI-breached organisations lacked proper AI access controls.

[4] Jobs and Skills Australia, via The Conversation (theconversation.com). 21% to 27% of Australian workers, mostly white-collar, use AI without telling their manager; a 2025 survey found around a quarter of public servants using unauthorised AI tools.

[5] Josys, Shadow AI Report 2025 (Australia) (josys.com). Survey of 500 Australian technology decision makers (with Censuswide): 36% of employees upload sensitive company data to AI tools; 70% of organisations have moderate to no visibility into the AI tools in use.

Methodology and honesty note. Every figure is quoted from the primary sources above and linked so you can verify each one. Some studies are global and some are Australia-specific, and we have labelled which is which. This brief is general information, not legal advice. The only way to know what shadow AI looks like in your business is to look, so a review of your own AI use is the place to start.


You cannot govern what you cannot see. Start by looking.
