The biggest AI risk to most small businesses right now is not a hacker. It is a well-meaning employee pasting a client list, a contract, or a chunk of source code into a free chatbot to save twenty minutes. The habit even has a name: shadow AI, the unmanaged use of AI tools that nobody approved and nobody can see.
New 2026 reports show just how common this is, and the numbers are higher than most owners would guess.
What the data shows
Researchers who study what employees actually paste into AI tools are finding the same pattern across organizations of every size:
- 77% of employees have pasted company information into AI tools, and 82% of them used personal accounts rather than a managed, business version (LayerX Enterprise AI and SaaS Data Security Report).
- About 40% of all interactions with AI tools expose some form of sensitive data (Cyberhaven, 2026).
- 67% of employees reach AI tools from non-corporate accounts on their work devices, which keeps the activity invisible to IT.
- Verizon's 2026 Data Breach Investigations Report now lists shadow AI among the top insider-risk concerns.
The classic example is Samsung, where engineers pasted confidential source code and internal meeting notes into ChatGPT within a single month. They were not trying to leak anything. They were trying to get their work done faster.
Why it matters
Once sensitive data is typed into a public AI tool on a personal account, you have effectively lost control of it:
- Depending on the tool and settings, that text can be retained or used to improve the model, so it is no longer just yours.
- It is invisible to the usual safeguards. A paste into a browser tab slips past most data loss prevention, firewalls, and access controls entirely.
- It can become a privacy problem. If the data includes client or employee personal information, it may trigger obligations under Canadian privacy law, rules that are tightening across the country right now.