AI is everywhere. It’s in homes, schools, businesses, public services, headlines, films and music. Research from McKinsey reveals that 79% of organisations worldwide were using generative AI as of November 2025, while Stanford University’s AI Index Report 2026 finds that AI adoption has outpaced uptake of the PC and the Internet, reaching 53% saturation globally within three years of ChatGPT’s general release. But while there’s little question AI is now more or less ubiquitous, data also indicates big variations in the extent to which AI is being used, and also in how well it’s being used.
Case in point is Okta’s AI Agents at Work 2026 report, which has found that 52% of knowledge workers worldwide are using unapproved AI tools. This is despite the fact that 90% of executives are “confident” in their organisation’s oversight of AI usage, while 95% are similarly confident workers are using AI “responsibly.” Even more worryingly, 58% of organisations have experienced an AI-related cybersecurity incident within the past 12 months, underlying how risky it could be not to monitor the AI platforms and tools employees are utilising.
According to Okta, such percentages are an indicator of how AI adoption is accelerating beyond organisational oversight and management. And with the advent of autonomous agents, the threat to sensitive personal or proprietary data could become acute. As such, organisations need to start playing catch up very quickly, deploying the governance frameworks and security measures to ensure that AI usage remains deliberate, limited and secure.
Defining ‘unapproved’ AI
“As policies, account types, sensitivities and retention policies differ, ‘unapproved AI’ will look different for each organisation, department and even team,” says Richard Wainwright, a Strategic Advisor at Okta, which is based in San Francisco and specialises in cloud-based ID management software and platforms.
There is no one-size-fits- all solution and security teams must shift from blocking to managing
For example, ChatGPT or Gemini could be unapproved tools at a firm that has a Claude subscription (or vice versa). In another scenario, unapproved AI usage could result from an employee who, without IT or security authorisation, uses an autonomous agent to complete their work.
“This means there is no one-size-fits- all solution and security teams must shift from “blocking” to “managing” by implementing identity-centric controls, automated discovery and secure sandboxes,” he tells Raconteur.
Why unapproved AI carries organisational risks
Given that AI is now so widely used, the uninitiated may wonder whether it’s really a serious problem if employees use tools not officially mandated by their employers. Yet according to Okta’s research, knowledge workers who use unapproved tools are more likely to share sensitive info. For instance, 54% have inadvertently shared internal messages and emails, 45% have shared HR-related material, and 39% have shared confidential company data (such as contract and financial info). Even worse, just over 20% of individuals using unapproved tools have shared login credentials, something which entails considerable cybersecurity risks and is likely in violation of applicable regulations like GDPR.
Such dangers amplify in situations where employees are using agents, which can function as active participants in an organisation’s operating environment. “When employees deploy unauthorised AI agents, they’re granting these systems access to sensitive and proprietary data before IT and security teams even know they exist,” explains Wainwright. “Permissions accumulate invisibly.”
Permissions accumulate invisibly
Agents confer sizeable risks in proportion to the size of the organisations in which they’re deployed, with Wainwright suggesting that scale can make them uniquely dangerous. He adds, “A single misconfiguration or compromised credential could expose data or disrupt operations at a speed that traditional monitoring and incident response teams can’t match.”
And fundamentally, Wainwright argues that the growth of ‘shadow’ or ‘unapproved’ AI isn’t simply a compliance or cybersecurity problem, but rather a “symptom” of how organisations operate and attempt to chase technological innovations.
“Adoption is moving faster than oversight because innovation doesn’t wait for governance,” he says. “Employees see productivity gains and deploy solutions.”
From the perspective of employees, they’re simply using AI to get their jobs done more efficiently and effectively. But from their employer’s perspective, and from a security perspective, they’re inviting vulnerabilities and opening doors. So to combat this, Wainwright advises organisations to evolve their security practices to keep pace with the speed of innovation.
Innovation doesn’t wait for governance
“There’s a fundamental tension as organisations need to enable teams to innovate and deploy AI at scale, yet this same freedom creates governance challenges,” he says. “The traditional approach of locking down systems to maintain security stifles the competitive advantage that AI enables.”
Adopting AI governance frameworks and ‘zero trust’ approaches for agents
In view of this, Wainwright suggests that businesses should strongly consider deploying visibility software, which monitors which AI tools employees are using. This would “provide an easy, standardised path to production so that compliant adoption becomes frictionless,” enabling organisations to capitalise on the innovation and efficiency offered by new technologies.
In other words, organisations should adopt governance frameworks that enable the safe adoption of AI models and agents. Importantly, they should also ensure that such frameworks are clear, since while 65% of execs believe that their organisation’s AI policies are “very clear,” 57% of workers find company policies either unclear, obscure or nonexistent. In the face of this, businesses must clearly and openly define “which AI tools are approved and prohibited, specifying which data types can be used with AI and, critically, gatekeeping access to key systems of record,” according to Wainwright.
In terms of autonomous agents, enterprises can limit potential harms by assigning each agent “a distinct managed identity with scoped permissions,” rather than sharing credentials across all employees. Wainwright refers to this as a “Zero Trust” approach, where no agent or user is trusted by default. This approach is ultimately where organisations should be heading if they want to use agents widely without running considerable data and cyber risks.
“It requires identity-centric visibility that continuously verifies and monitors both human users and AI agents across app-to-app connections,” he explains. “It also means applying least privilege principles so agents can only access the specific data and systems they need for their immediate task – with permissions granted at the start and revoked upon completion.”
AI is everywhere. It’s in homes, schools, businesses, public services, headlines, films and music. Research from McKinsey reveals that 79% of organisations worldwide were using generative AI as of November 2025, while Stanford University’s AI Index Report 2026 finds that AI adoption has outpaced uptake of the PC and the Internet, reaching 53% saturation globally within three years of ChatGPT’s general release. But while there’s little question AI is now more or less ubiquitous, data also indicates big variations in the extent to which AI is being used, and also in how well it’s being used.
Case in point is Okta’s AI Agents at Work 2026 report, which has found that 52% of knowledge workers worldwide are using unapproved AI tools. This is despite the fact that 90% of executives are “confident” in their organisation’s oversight of AI usage, while 95% are similarly confident workers are using AI “responsibly.” Even more worryingly, 58% of organisations have experienced an AI-related cybersecurity incident within the past 12 months, underlying how risky it could be not to monitor the AI platforms and tools employees are utilising.
According to Okta, such percentages are an indicator of how AI adoption is accelerating beyond organisational oversight and management. And with the advent of autonomous agents, the threat to sensitive personal or proprietary data could become acute. As such, organisations need to start playing catch up very quickly, deploying the governance frameworks and security measures to ensure that AI usage remains deliberate, limited and secure.
