TL;DR
As of Q3 2026, industry surveys consistently show 55-65% of employees in regulated mid-market organisations use AI tools that have not been sanctioned by their employer. This report synthesises findings from seven named 2025-2026 surveys - IBM, Salesforce, Gartner, IDC, Stanford HAI, Stack Overflow, IAPP - and proposes the Areebi Shadow AI Index, a 4-tier maturity scale (0 Unaware to 4 Optimised) for tracking the discipline gap quarter over quarter. Most organisations currently sit between Tier 0 and Tier 2.
We built the index because the conversation has settled into two equally unhelpful poses: a panicked "ban it" and a casually optimistic "everyone uses it, it's fine". Neither is a programme. The Index is a vocabulary for the middle: measure what is actually happening in your environment, name where you sit on a curve, and choose the next concrete step.
Readers in a hurry can skip to the 4-tier Index and the 30/60/90 action plan. Analysts and journalists should start with the methodology and the references.
What the Shadow AI Index measures
Most existing "shadow AI" numbers are a single prevalence percentage: the share of employees who have ever used a non-sanctioned AI tool at work. That is a useful headline but a poor management metric. It conflates very different exposures. Someone using ChatGPT to rewrite an internal newsletter is not the same as a clinician dictating patient notes into a personal account of an unrelated chatbot. The Shadow AI Index proposes four components that any organisation can measure independently and track over time.
- Prevalence. The percentage of the workforce that has used a non-sanctioned AI tool at work in the trailing 90 days. The most-quoted but least decision-useful metric on its own.
- Diversity. The number of distinct unsanctioned AI tools active per organisation. Higher Diversity raises the per-incident discovery cost and weakens any single-vendor enforcement approach.
- Sensitivity. The percentage of shadow AI sessions that touch regulated data classes (PHI, PII, financial records, intellectual property). The single metric most predictive of breach cost.
- Velocity. The rate of net-new shadow AI tool adoption per quarter. High Velocity means a static policy will be obsolete within months; low Velocity means the catalogue is stable enough to enforce.
Combined, the four components map onto a 0-to-4 maturity tier we unpack later in this report. The tier is the verdict; the four components are the diagnostic that says where you are bleeding risk. A Tier 1 organisation has high Prevalence and high Velocity but only crude Sensitivity measurement; a Tier 3 organisation has stabilised Velocity and is actively suppressing Sensitivity through runtime controls. The point of the Index is not to score organisations but to give them a vocabulary for the next ninety days.
We were deliberately conservative in how many components we included. A more elaborate model could add a fifth (User Repeat-Use), a sixth (Sanctioned-Adjacent Use), and so on. Practitioners told us a four-component model is the maximum that survives presentation to a non-technical board, and the minimum that captures the substantive differences between organisations. See the honest self-critique section for where we suspect this compression loses information.
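The four components computed from session telemetry, as an added worked example that is not code from the Areebi report or platform. The per-session record fields, the headcount, the dates and the sample sessions are all constructed assumptions; the window and quarter logic follows the definitions above.

```python
from collections import Counter
from datetime import date, timedelta

# Regulated data classes the Index's Sensitivity component counts.
REGULATED = {"PHI", "PII", "FIN", "IP"}

# Constructed telemetry: one record per AI session as a discovery sensor might emit it.
# "classes" is what a content classifier flagged in the prompt; "sanctioned" is whether
# the tool is in the approved catalogue. Field names are assumptions, not a real schema.
SESSIONS = [
    {"user": "u05", "tool": "chatgpt-personal", "day": date(2026, 3, 15), "classes": {"PII"}, "sanctioned": False},
    {"user": "u01", "tool": "chatgpt-personal", "day": date(2026, 7, 10), "classes": {"PII"}, "sanctioned": False},
    {"user": "u02", "tool": "notetaker-plugin", "day": date(2026, 8, 2), "classes": set(), "sanctioned": False},
    {"user": "u03", "tool": "copilot-enterprise", "day": date(2026, 8, 5), "classes": {"IP"}, "sanctioned": True},
    {"user": "u01", "tool": "chatgpt-personal", "day": date(2026, 9, 12), "classes": {"PHI"}, "sanctioned": False},
    {"user": "u04", "tool": "free-transcriber", "day": date(2026, 9, 20), "classes": {"PII", "FIN"}, "sanctioned": False},
    {"user": "u02", "tool": "claude-free", "day": date(2026, 9, 28), "classes": set(), "sanctioned": False},
]
HEADCOUNT = 20                  # constructed workforce size
AS_OF = date(2026, 9, 30)       # end of the reporting quarter
Q3_START = date(2026, 7, 1)


def shadow_in_window(sessions, as_of, window_days=90):
    """Unsanctioned sessions whose day falls in the trailing window ending at as_of."""
    start = as_of - timedelta(days=window_days)
    return [s for s in sessions if not s["sanctioned"] and start < s["day"] <= as_of]


def prevalence(sessions, headcount, as_of, window_days=90):
    """Share of the workforce with at least one unsanctioned session in the window."""
    users = {s["user"] for s in shadow_in_window(sessions, as_of, window_days)}
    return len(users) / headcount


def diversity(sessions, as_of, window_days=90):
    """Count of distinct unsanctioned tools active in the window."""
    return len({s["tool"] for s in shadow_in_window(sessions, as_of, window_days)})


def sensitivity(sessions, as_of, window_days=90):
    """Share of unsanctioned sessions that touched at least one regulated class."""
    shadow = shadow_in_window(sessions, as_of, window_days)
    if not shadow:
        return 0.0
    return sum(1 for s in shadow if s["classes"] & REGULATED) / len(shadow)


def velocity(sessions, quarter_start, quarter_end):
    """Net-new unsanctioned tools first seen inside the quarter: tools active in the
    quarter minus tools already observed in any earlier unsanctioned session."""
    seen_before = {s["tool"] for s in sessions if not s["sanctioned"] and s["day"] < quarter_start}
    in_quarter = {s["tool"] for s in sessions
                  if not s["sanctioned"] and quarter_start <= s["day"] <= quarter_end}
    return len(in_quarter - seen_before)


def top_tools(sessions, as_of, n=10, window_days=90):
    """Tier 1 catalogue artefact: the most-used unsanctioned tools by session count."""
    counts = Counter(s["tool"] for s in shadow_in_window(sessions, as_of, window_days))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def shadow_ai_index(sessions, headcount, as_of, quarter_start):
    """The four components for one reporting quarter."""
    return {
        "prevalence": prevalence(sessions, headcount, as_of),
        "diversity": diversity(sessions, as_of),
        "sensitivity": sensitivity(sessions, as_of),
        "velocity": velocity(sessions, quarter_start, as_of),
    }


if __name__ == "__main__":
    print(shadow_ai_index(SESSIONS, HEADCOUNT, AS_OF, Q3_START))
    print(top_tools(SESSIONS, AS_OF))
```

Sanctioned sessions are excluded from every component, so the sanctioned-tool catalogue has to be accurate before the numbers mean anything.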
Methodology
Plain-English disclosure. This is a secondary-research synthesis. Areebi did not run a primary survey for this Q3 2026 release. The Index is built by combining seven named, dated, externally verifiable industry surveys with our own field observations from customer discovery calls. We make this caveat up-front because the dominant failure mode of "industry index" reports is to dress secondary synthesis in primary-research clothing.
Sources we synthesised
- IBM Cost of a Data Breach Report 2025 - cross-industry breach cost data with a new shadow-AI segment. Sample of 600+ breached organisations across 17 industries and 16 regions, with cost normalisation across geographies.
- Salesforce State of the AI Connected Worker / State of the Connected Customer - employee-side adoption telemetry. Sample of 14,000+ workers in 14 countries, including a focused subset on unsanctioned AI tool use.
- Gartner Hype Cycle for Artificial Intelligence 2025 - positioning data on enterprise AI controls maturity, including the cycle's placement of AI Governance and AI TRiSM categories.
- IDC AI Adoption Surveys 2025 - tool-level adoption data and per-industry segmentation, particularly useful for the Diversity component of the Index.
- Stanford HAI AI Index Report 2025 - longitudinal data on enterprise AI deployment and risk-incident reporting, with strong methodology disclosure for cross-survey integration.
- Stack Overflow Developer Survey 2025 - a developer-population sample on AI coding-assistant usage, of which a substantial portion falls outside corporate Copilot or equivalent sanctioned tenancies.
- IAPP-EY Annual Privacy Governance Report - privacy-officer perspective on AI-related disclosure incidents and notification volume.
How we combined them
For each metric in the Index, we located the closest analogue in each source, normalised wording (different surveys use "not authorised", "not sanctioned", "not reviewed" with subtly different definitions), and reported a range rather than a single point estimate. Where ranges across sources overlap, we used the overlap. Where they diverge, we report the divergence rather than averaging them into a false precision.
For the maturity tiers themselves, we triangulated the published survey data against ~40 customer-discovery conversations Areebi has held with CISOs, CIOs, and Heads of AI across mid-market and enterprise organisations between January and May 2026. Those conversations are not a representative sample, but they were decisive in calibrating which tier transitions felt natural and which felt forced. We disclose this with the obvious caveat that we sell a Tier 3-to-Tier 4 product and our own commercial incentives colour what counts as "mature".
Caveats we hold honestly
- Definitional drift. "Shadow AI" means different things in different surveys. Salesforce's connected-worker framing emphasises personal-account use; IBM's breach-cost framing emphasises post-incident attribution. Cross-survey synthesis introduces measurement noise even when methodology disclosure is good.
- Self-report bias. Workforce surveys ask employees whether they have used unsanctioned AI; some under-report because they suspect retaliation, some over-report because they find it socially desirable to claim AI literacy. Both biases pull the headline number in different directions and partially cancel.
- Sample-size differences. Sample sizes range from under 1,000 to over 30,000 across the seven sources, with very different geographic and industry weighting. We use the published weights where disclosed.
- Time horizon. The most recent IBM and Stanford releases are from the back half of 2025. The shadow AI category is moving fast enough that 6-month-old data may understate Q3 2026 reality. Future quarterly indices will narrow this lag.
- No primary Areebi survey yet. Q4 2026 is expected to include a primary Areebi panel of approximately 500 security and AI leaders. This Q3 release is the baseline that panel will be measured against.
Replication notes. If you want to reproduce or extend our synthesis, every source above links to a publicly accessible report. We have not modified any number from its original source; we have only mapped each survey's definitions onto a common four-component schema. Disagreements about that mapping are welcome at research@areebi.com and we will publish corrections.
Findings
Cross-industry headline
Across the seven sources, the prevalence of unsanctioned AI use in mid-market and enterprise organisations sits in a 55-65% range. The range is wide because the underlying questions differ. The Salesforce State of the AI Connected Worker leans toward the upper end with its 90-day window and inclusive definition; the IAPP-EY Privacy Governance Report leans toward the lower end with its requirement that the use involve sensitive data. The midpoint of roughly 60% is the most defensible single number to cite in a slide, but practitioners should use the range with both endpoints named so the audience can interrogate the underlying definitions.
The IBM Cost of a Data Breach Report 2025 measures the impact side: the average global cost of a data breach involving shadow AI sits roughly USD 670,000 above the baseline breach cost, and the associated mean-time-to-detect runs months longer than for controlled incidents because shadow channels are not monitored. Regulated industries see multiples of this delta when notification obligations stack with class-action exposure.
Healthcare deep-dive
Healthcare consistently shows the highest combined Sensitivity score across the synthesis. The three vectors are predictable but worth naming: clinical documentation, administrative support, and translational research. Clinicians paste de-identified-but-not-really patient narratives into a general chatbot to draft a SOAP note; admin staff use a free transcription tool to summarise an insurance call that included the patient's social security number; research coordinators use AI summarisation tools on draft grant applications that contain unpublished trial data.
Within healthcare, the most-cited unsanctioned tools in 2025-2026 cross-survey data are general-purpose chatbots (ChatGPT free tier, Claude.ai free tier, Gemini personal accounts), AI transcription services that were never reviewed by privacy or security teams, and AI features quietly added to incumbent vendors' SaaS apps (note-taker plug-ins, summary tools, calendar assistants). Estimated prevalence range for healthcare organisations: 50-70%, with high variance by sub-sector. Sensitivity, conditional on shadow use, is elevated relative to other industries because PHI exposure is the mode rather than the exception.
See our HIPAA compliance brief for the regulatory anatomy of these exposures, and our healthcare solutions overview for the corresponding control set.
Financial services
Financial services divides into three quite different patterns. In customer support and claims, the dominant shadow AI exposure is the use of personal-account chatbots to draft customer correspondence, with the inadvertent inclusion of policy details, transaction histories, and personal identifiers. In trading and quantitative research, the exposure is the use of AI coding assistants in personal IDEs that send model context to a vendor outside the sanctioned tenancy. In retail banking branches, the exposure is much more like the healthcare admin pattern - free transcription and summarisation tools used in compliance training and customer interactions.
The estimated prevalence range for financial services is 55-65%, tracking the cross-industry median. The Sensitivity score is high because the regulatory regime treats nearly all customer-touching data as in-scope for confidentiality obligations under SOX, FINRA, GLBA, and analogous regimes outside the United States. We see particularly elevated Velocity scores in fintech subsidiaries of larger institutions, where engineering-led adoption outpaces the slower review process at the parent level.
See our SOC 2 compliance brief and financial services solutions overview for the runtime controls that compress this exposure.
Legal services
Legal services exhibit a bimodal pattern. Firms that have invested in vendor-reviewed AI research and drafting tools (Harvey, Co-Counsel, Lexis+ AI) show contained shadow AI exposure that concentrates in secretarial and administrative tasks. Firms that have only published a partner-circulated "do not use AI" memo show among the highest prevalence rates of any industry in the synthesis, with associates routinely using personal chatbot accounts for first-draft research and document summarisation under partner-imposed deadlines.
Sensitivity in legal services is unique because privilege attaches to a wide circle of communications. The pasting of an opposing-party filing into a personal chatbot account may not breach a client confidentiality clause directly, but it can be argued to constitute disclosure to a third party in a way that weakens attorney-client privilege downstream. The 2025 IAPP report specifically calls this out as an underappreciated exposure. Estimated prevalence range for legal: 55-70%.
Government and public sector
Government and public-sector shadow AI exposure is dominated less by direct employee use (FedRAMP-bound environments make it technically harder, though not impossible) and more by contractor and subcontractor use. A federal civilian agency may have a zero-tolerance internal policy and still see substantial shadow AI volume on the laptops of the systems integrator staff augmenting its programme office. The Section 508 accessibility framing complicates this further because some AI-assisted accessibility tools, if procured through a non-FedRAMP path, can create policy/practice conflicts that the contracting officer is the last to find out about.
For state and local governments without an equivalent FedRAMP-style posture, prevalence rises closer to the cross-industry median of 55-65% with high Velocity in education and human-services departments. See our FedRAMP-AI compliance brief and government solutions overview.
Technology and software
The Stack Overflow Developer Survey 2025 reports the highest shadow AI prevalence of any segment in the synthesis: more than 80% of working developers report some AI coding-assistant use, with a substantial slice using tools outside their employer's sanctioned Copilot or equivalent tenancy. The risk character is distinct from regulated-industry shadow AI: the exposed data class is usually source code and configuration rather than PHI or PII. That does not make it less consequential; for engineering-led companies, source code is the primary IP asset and a code paste into a personal account is functionally a leak.
Within technology companies, we see the sharpest divergence between Tier 1 (audit complete, no enforcement) and Tier 3 (runtime enforcement active). The transition is gated less by policy clarity and more by the willingness of engineering leadership to accept a degree of friction in developer workflow. See our code-generation use case for the specific controls that handle code-paste exposure.
Manufacturing and intellectual property
Manufacturing shows lower headline prevalence than the cross-industry median - more like 40-55% - but a uniquely high per-incident Sensitivity. The exposed data classes are design files, process documentation, supplier contracts, and trade-secret specifications. Shadow AI in this segment tends to be concentrated in engineering and procurement rather than diffused across the workforce; a single bill of materials pasted into a chatbot can disclose a supply-chain advantage built over years.
The Velocity component is also distinct: manufacturers adopt shadow AI more slowly but, once adoption begins, the same handful of senior engineers tend to be the highest-leverage users, which concentrates Sensitivity sharply. See our manufacturing solutions overview.
What the most-common shadow tools look like
Across industries, the IDC AI Adoption Surveys 2025 and our own customer-discovery telemetry agree on the same five-or-so tools being dominant in unsanctioned use: general-purpose chatbots accessed via personal accounts, AI features inside incumbent SaaS tools that were not specifically reviewed (note-takers, summary features, calendar AI), browser-based AI assistants and extensions, AI transcription tools, and AI coding assistants in personal IDEs. Newer entrants - agentic AI tools, multi-modal assistants, and AI browsers - are climbing rapidly on the Velocity metric but had not displaced this base set as of Q3 2026.
For a deeper treatment of how to discover what tools your workforce is actually using, see our shadow AI primer and the discovery section of our platform overview.
The Areebi Shadow AI Index: a 4-tier maturity model
The four components above describe the diagnostic. The Tier scale describes the response. We borrowed the spirit of the Capability Maturity Model and the NIST AI RMF's Govern/Map/Measure/Manage posture but compressed the model to four tiers because anything more elaborate fails the board-deck test. At Areebi, we use this scale internally to qualify which prospects are ready for a runtime engagement and which still need to do their Tier 0-to-1 work first.
Tier 0 (Unaware). No discovery, no policy, no measurement. Leadership assumes shadow AI does not happen here, or that the existing acceptable-use policy already covers it. This was the typical state of mid-market organisations through 2024 and remains common in 2026 in slower-moving industries.
- No catalogue of which AI tools are in use
- No published AI acceptable-use policy
- AI risk is owned by no one specifically
- Incidents, if they occur, are framed as ordinary data-loss events
Tier 1 (audit complete, no enforcement). Security or privacy has run a discovery exercise and produced a catalogue. Leadership is aware of the problem but has not yet acted. This tier is dangerous because the catalogue produces evidence of exposure without producing remediation, and the gap shows up in any subsequent regulator interview.
- Initial discovery scan complete (browser extension, log review, or workforce survey)
- Top-10 unsanctioned tools list exists
- Leadership briefed at least once
- No published policy yet, or only an informal email memo
Tier 2 (paper policy). A formal AI acceptable-use policy is published and acknowledged by employees. This is where most regulated mid-market organisations sit as of Q3 2026. The gap is that the policy lives on paper - there is no runtime mechanism to ensure compliance, so the discipline gap (intent versus practice) remains substantial.
- Published AI Acceptable Use Policy
- Acknowledgement workflow in HRIS
- Annual or quarterly policy refresh cadence
- Compliance training module on shadow AI
- No technical enforcement at the network or browser layer
Tier 3 (runtime enforcement active). Runtime controls are in place. A discovery sensor catalogues active AI tools; a data-loss prevention layer redacts sensitive content before it leaves the perimeter; an audit log captures prompts and responses for high-risk channels; a policy engine codifies acceptable-use rules into machine-checkable form. This is where Areebi operates.
- Discovery sensor in production (browser extension or network telemetry)
- DLP layer redacts PHI/PII/financial data in real time
- Immutable audit log for prompts and responses
- Policy engine maps AUP into machine-checkable rules
- Incident response runbook references shadow AI specifically
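What "machine-checkable" acceptable-use rules, real-time redaction and an audit record look like when wired together, as an added example that is not Areebi's policy engine. The rule schema, the regex detectors, the sanctioned-tool catalogue and the sample prompts are all assumptions; the monitor-only mode mirrors the two-week monitor-before-enforce step of the rollout plan later in this report.

```python
import hashlib
import re

# Constructed detectors for the regulated classes the Index names. Real DLP uses
# validated detectors (checksums, dictionaries, ML classifiers); these are shapes only.
DETECTORS = {
    "PII": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),             # US SSN shape
    "FIN": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),         # 16-digit card shape
    "PHI": re.compile(r"\bMRN[: ]*\d{6,}\b", re.IGNORECASE),  # medical record number
}

# Assumed sanctioned-tool catalogue (the Tier 2 artefact the rules refer to).
SANCTIONED = {"copilot-enterprise", "chatgpt-enterprise"}

# The AUP codified as ordered rules; the first rule whose conditions all hold wins.
# "classes" means "fires if any of these classes was detected in the prompt".
RULES = [
    {"name": "sanctioned-tool", "sanctioned": True, "action": "allow"},
    {"name": "shadow-phi-block", "sanctioned": False, "classes": {"PHI"}, "action": "block"},
    {"name": "shadow-pii-fin-redact", "sanctioned": False, "classes": {"PII", "FIN"}, "action": "redact"},
    {"name": "shadow-default-monitor", "sanctioned": False, "action": "allow"},
]

AUDIT_LOG = []  # append-only in-memory stand-in for the immutable log


def classify(text):
    """Return the set of regulated classes detected in the outbound prompt."""
    return {cls for cls, rx in DETECTORS.items() if rx.search(text)}


def redact(text, classes):
    """Replace every match of the given classes with a labelled placeholder."""
    for cls in sorted(classes):
        text = DETECTORS[cls].sub(f"[REDACTED:{cls}]", text)
    return text


def match_rule(tool, found):
    """First-match rule evaluation; RULES always ends each branch with a default."""
    sanctioned = tool in SANCTIONED
    for rule in RULES:
        if rule["sanctioned"] != sanctioned:
            continue
        if "classes" in rule and not (rule["classes"] & found):
            continue
        return rule
    raise RuntimeError("no matching rule; add a default")


def decide(user, tool, text, mode="enforce"):
    """Evaluate one outbound prompt before it leaves the perimeter.
    mode="monitor" records the verdict but lets the original text through, which is
    how a monitor-only rollout validates the rules before enforcement is switched on."""
    found = classify(text)
    rule = match_rule(tool, found)
    action = rule["action"]
    if mode == "monitor" or action == "allow":
        outbound = text
    elif action == "redact":
        outbound = redact(text, rule["classes"] & found)
    else:  # block
        outbound = None
    record = {
        "user": user,
        "tool": tool,
        "sanctioned": tool in SANCTIONED,
        "classes": sorted(found),
        "rule": rule["name"],
        "action": action,
        "mode": mode,
        "enforced": mode == "enforce" and action != "allow",
        # Hash rather than raw prompt: the log must not become a second copy of the PHI.
        # The full prompt/response would live in an access-controlled store keyed by this.
        "prompt_sha256": hashlib.sha256(text.encode()).hexdigest(),
    }
    AUDIT_LOG.append(record)
    return outbound, record


if __name__ == "__main__":
    for user, tool, prompt in [
        ("u04", "free-transcriber", "Caller SSN 123-45-6789 on file"),
        ("u01", "chatgpt-personal", "Summarise MRN 0012345 notes"),
        ("u03", "copilot-enterprise", "Summarise MRN 0012345 notes"),
    ]:
        out, rec = decide(user, tool, prompt)
        print(rec["rule"], rec["action"], repr(out))
```

Rule order is the policy: a prompt containing both PHI and PII hits the block rule first, so reordering RULES silently changes what reaches the vendor.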
Tier 4 (Optimised). Runtime governance is mature, telemetry is fed back into the policy lifecycle, and the AI control plane is treated as a programme rather than a project. The organisation has a quarterly Index review, a sanctioned-tool catalogue that grows in response to discovered demand, and a feedback loop into both the AUP and the threat model.
- Quarterly Shadow AI Index review at executive level
- Sanctioned-tool catalogue evolves in response to demand
- Telemetry feeds back into policy and training
- Risk scoring integrated into broader GRC posture
- Cross-functional council (Security + Privacy + AI + Engineering)
At Areebi, we have observed that the highest-friction transition is not Tier 0 to Tier 1 - that is mostly a willingness-to-look problem and the discovery tools are cheap. The highest-friction transition is Tier 2 to Tier 3, because moving from a paper policy to a runtime control set requires the organisation to accept some workflow friction in exchange for evidence. Tier 4 is then a multi-quarter discipline of feeding the runtime data back into the policy and the threat model.
Self-assessment checklist
To self-assess, ask the following yes/no questions. Your tier is the highest number for which all preceding questions are "yes".
- Tier 1. Do you have a catalogue of the top ten unsanctioned AI tools your workforce is actually using, with evidence (not anecdote)?
- Tier 2. Do you have a published AI Acceptable Use Policy, acknowledged by every employee, refreshed at least annually?
- Tier 3. Do you have a runtime control plane that can redact sensitive data, log the session, and enforce a policy rule before content leaves the perimeter?
- Tier 4. Do you review the Shadow AI Index at executive level quarterly, with a feedback loop into both policy and training?
Most organisations that run this exercise honestly land at Tier 1 or Tier 2 - the policy exists, but the enforcement does not. The point of the Index is to be honest about that gap and to choose the next thirty-day step rather than the next twelve-month plan. We have built a free shadow-AI policy generator and a free NIST AI RMF gap analyser to accelerate the Tier 1 and Tier 2 work.
What to do about it: a 30/60/90-day plan
The right next step depends on which tier you are in. The following plan is calibrated for the typical Tier 0-to-1 organisation - the common case - and pulls forward to Tier 3 within ninety days. Organisations already at Tier 2 should compress this into the first sixty days; Tier 3 organisations should treat the same content as a programme audit rather than a starting point.
Days 1-30: Discovery sprint
Find out what is actually happening before debating what to do about it. The output of this sprint is a defensible inventory you can show to a regulator or board.
- Run a network-side AI domain inventory.
- Deploy a browser-side discovery extension to a pilot cohort.
- Conduct a workforce survey on actual AI tool use.
- Run the NIST AI RMF gap analyser to anchor against a recognised framework.
- Brief the executive on the inventory.
Days 31-60: Policy rollout
Convert the inventory into a published policy. Acknowledgement is the minimum bar - a policy that has not been seen by every employee is not a policy.
- Generate a tailored AUP using the shadow-AI policy generator.
- Run the AUP through legal review for your jurisdictions.
- Acknowledgement workflow in HRIS.
- Tier-aware training (modular by role).
- Sanctioned-tool catalogue published in parallel.
Days 61-90: Enforcement
Move from a paper policy to a runtime control plane. This is the Tier 2-to-Tier 3 transition and where Areebi specifically helps.
- Deploy the Areebi platform in monitor-only mode for two weeks.
- Switch to active DLP and policy enforcement.
- Wire the audit log into your existing SIEM.
- Define alert thresholds and on-call routing.
- Schedule the next Index review for day 180.
Where Areebi fits
Areebi is built specifically for the Tier 2-to-Tier 3 transition. We are the runtime layer that turns an Acceptable Use Policy from a document into a control plane. We do not replace your existing identity provider, your SIEM, or your DLP for non-AI channels; we sit alongside them and provide the AI-specific telemetry, redaction, and enforcement those tools cannot give you out of the box.
If you want to see the runtime in action, you can book a demo or take the self-guided product tour. For pricing transparency, see the pricing page and the ROI calculator.
What we got wrong (or are unsure about)
An honest research report names its weak spots. Three things in this Q3 2026 release feel unfinished and we will say so before a critic does.
Definitional drift across the synthesis
The single biggest weakness is that "non-sanctioned" is defined differently across the seven sources. Some surveys count personal-account use only; some count any tool that has not been explicitly reviewed; some count AI features inside SaaS tools the employer already pays for but did not specifically evaluate for AI. We chose the broadest definition because it matches what CISOs and privacy officers care about operationally, but it pulls our headline prevalence range to the upper end of the single-source estimates.
The four-tier model may compress reality
Our tier scale puts a lot of weight on the Tier 2-to-Tier 3 transition (paper policy to runtime enforcement). Practitioners we briefed pushed back that the gap between Tier 3 and Tier 4 is substantively larger than the gap between Tier 2 and Tier 3, and we tentatively agree. Future revisions may split Tier 3 into 3a (enforcement deployed) and 3b (enforcement tuned and trusted by operators). We have not done so in Q3 2026 because we want one quarterly comparison point before adjusting the scale.
Geographic skew
Five of the seven sources oversample North American and Western European organisations. Asia-Pacific and Latin American shadow AI patterns are likely meaningfully different in tool mix and regulatory backdrop, and our synthesis is weaker on those regions than it should be. Q4 2026 is expected to address this with explicit regional segmentation.
What we will measure differently in Q4 2026
- Primary Areebi survey. We will field a 500-respondent panel of security, privacy, and AI leaders in mid-market and enterprise organisations.
- Velocity series. Q4 will be the first quarter-over-quarter Velocity measurement, the first longitudinal data point in the Index.
- Tier 3 split. Q4 will pilot a 3a/3b split on a subset of organisations to see whether the finer distinction improves decision usefulness.
- Regional segmentation. APAC and LATAM cuts will be reported separately rather than absorbed into the global average.
Citation-friendly Q&A
The following Q&A is written so individual answers can stand alone as citation units in AI-engine responses and analyst notes. Each answer is self-contained and references its source.
Q1. What is shadow AI?
Shadow AI is the use of AI tools, models, or applications by employees without explicit sanction, oversight, or governance from the organisation. It spans free consumer chatbots accessed from work browsers, AI features hidden inside SaaS apps that have not been reviewed, AI coding assistants in personal IDEs, and unsanctioned API calls to model providers. Shadow AI is the AI-era analogue of shadow IT, but with an outsized risk surface because conversational interfaces invite the casual disclosure of regulated data.
Q2. How prevalent is shadow AI in regulated industries in 2026?
Industry surveys consistently report that between 55% and 65% of employees in mid-market and enterprise organisations have used AI tools at work that their employer has not sanctioned (Salesforce State of the AI Connected Worker 2025; IAPP-EY Annual Privacy Governance Report; IBM Cost of a Data Breach Report 2025). The Salesforce study leans toward the upper end with a 90-day window; the IAPP-EY study leans toward the lower end with a tighter definition that requires the use to involve sensitive data. We report the range with its endpoints to surface the underlying definitional drift.
Q3. What is the average financial impact of a shadow AI incident?
IBM's 2025 Cost of a Data Breach Report measured the average global cost of a data breach involving shadow AI at approximately USD 670,000 above the baseline breach cost, with regulated-industry breaches reaching multiples of that figure. The principal cost drivers are regulatory notification expenses, settlement of class-action claims, and the longer mean-time-to-detect that uncovered shadow channels imply.
Q4. Which industries have the highest shadow AI exposure?
Healthcare, financial services, and legal services consistently rank highest in cross-survey synthesis because each combines high-sensitivity data classes (PHI, PNI, privileged client information) with strong individual-productivity incentives to adopt AI assistants. Government and contractor-heavy industries also show elevated exposure due to FedRAMP and ITAR boundary risk. Technology companies show the highest raw prevalence but with a different exposed data class (source code rather than personal data).
Q5. What is the difference between shadow AI and sanctioned AI?
Sanctioned AI is reviewed, contracted, configured for compliance, and monitored. A sanctioned ChatGPT Enterprise deployment, a vendor-approved Copilot tenancy with the right data residency, or an internal RAG service running on the Areebi platform are sanctioned. Shadow AI is everything else - personal accounts, free tiers accessed from work devices, AI features inside SaaS tools no one reviewed, and prompt-engineering scripts shared in private channels. The distinction is governance posture, not the underlying model.
Q6. How do you measure shadow AI?
The Areebi Shadow AI Index proposes four components: Prevalence (the percentage of the workforce using non-sanctioned AI tools), Diversity (the number of distinct unsanctioned AI tools active per organisation), Sensitivity (the percentage of shadow AI sessions that touch regulated data classes), and Velocity (the rate of new shadow AI tool adoption per quarter). Together these allow an organisation to plot itself on a 0-to-4 maturity tier from Unaware to Optimised.
Q7. What is the most common shadow AI use case in 2026?
Cross-survey synthesis points to drafting and summarisation as the modal use case - composing emails, summarising long documents, and rewriting prose. The Stack Overflow Developer Survey 2025 also reports very high rates of unsanctioned AI coding-assistant use, particularly outside corporate Copilot tenancies. For regulated industries, the consequential category is clinical documentation and claims handling, where employees paste patient or customer records into chat interfaces to accelerate routine work.
Q8. Where does Areebi fit into the shadow AI response?
Areebi sits at the runtime layer. We replace the policy-only response with an enforceable control plane: a discovery browser extension that catalogues which AI tools are in use, real-time data-loss prevention that redacts sensitive content before it leaves the perimeter, an audit log that captures every prompt and response, and a policy engine that codifies acceptable use into machine-checkable rules. We are the Tier 3 and Tier 4 step of the Shadow AI Index for organisations that have already discovered the problem and want to enforce, not just publish, a policy.
References and further reading
The following sources are publicly accessible at the URLs listed. Where a source is paywalled, the URL points to the summary or press release. We have not modified any number from its original source.
- IBM & Ponemon Institute, Cost of a Data Breach Report 2025. ibm.com/reports/data-breach
- Salesforce, State of the Connected Customer (6th edition) and State of the AI Connected Worker. salesforce.com/resources/research-reports/state-of-the-connected-customer
- Gartner, Hype Cycle for Artificial Intelligence 2025. gartner.com/en/articles/hype-cycle-for-artificial-intelligence
- IDC, Worldwide AI and Generative AI Spending Guide and AI Adoption Surveys 2025. idc.com (Worldwide AI Spending Guide)
- Stanford Institute for Human-Centered AI, AI Index Report 2025. hai.stanford.edu/ai-index
- Stack Overflow, Developer Survey 2025. survey.stackoverflow.co/2025
- IAPP & EY, Annual Privacy Governance Report. iapp.org/resources/article/privacy-governance-report
- National Institute of Standards and Technology, AI Risk Management Framework (AI 100-1). nist.gov/itl/ai-risk-management-framework
- European Union, Regulation (EU) 2024/1689 (the EU AI Act). eur-lex.europa.eu/eli/reg/2024/1689/oj
- International Organization for Standardization, ISO/IEC 42001:2023 AI management system. iso.org/standard/81230.html
How to cite this report & license
Recommended citation:
Areebi Research Team. The Shadow AI Index: Q3 2026 - The State of Unsanctioned AI in Regulated Industries. Areebi, May 2026. https://www.areebi.com/resources/research/shadow-ai-index-q3-2026
This report is released under the Creative Commons Attribution 4.0 International (CC BY 4.0) license. You may copy, redistribute, remix, transform, and build upon the report for any purpose, including commercially, with attribution to Areebi Research and a link back to this page. Quotations of the four-tier Shadow AI Index itself do not require a release fee or formal permission. Where your reuse materially changes our findings, please make that clear to your readers.