New KnowBe4 research reveals a major cyber blind spot as 55% of UK employees use unsanctioned AI, exposing firms to data leaks and compliance risks.


UK's Shadow AI Epidemic: Over Half of Staff Use Unapproved AI Tools

LEEDS, England – June 30, 2026 – A startling new report has revealed a pervasive and high-risk trend inside British organisations: more than half of all employees are using ‘unapproved’ artificial intelligence tools at work. The finding is a central highlight of the latest research from KnowBe4, the global leader in digital workforce security. Titled From Agentic Risk to Human Wins, the report exposes a growing chasm between corporate security policy and daily employee practice, creating a significant blind spot that cybercriminals are poised to exploit.

The research, which surveyed 80 decision-makers and 300 employees in UK organisations with 250 or more staff, found that this rise in so-called ‘Shadow AI’ is a top concern for business leaders. In fact, 58% of decision-makers cited the use of unapproved software and AI tools as their number one human-related cyber risk. Their concern is not misplaced. The study confirmed that 55% of employees admitted to using these unsanctioned tools, often in pursuit of productivity gains. More alarmingly, one in ten employees confessed to knowingly entering sensitive company information into public AI platforms, even when they understood the potential security ramifications. This indicates that the problem extends beyond simple ignorance into a complex behavioral issue where perceived efficiency outweighs security protocols.

A Widening Chasm: Shadow AI and the Confidence Deficit

The phenomenon of ‘Shadow AI’ is the latest evolution of ‘Shadow IT’—the long-standing practice of employees using unauthorised hardware, software, or services. However, the generative and data-hungry nature of modern AI platforms introduces unprecedented risks, including corporate data leakage, intellectual property loss, and major compliance breaches. While leaders are acutely aware of the danger, the research highlights a critical disconnect in their perception of the workforce's preparedness.

A significant ‘confidence deficit’ exists between leadership and staff, particularly concerning emerging AI-driven threats. An overwhelming 81% of decision-makers believe their employees could successfully identify a sophisticated deepfake video or audio impersonation. In stark contrast, only 66% of employees share that confidence in their own abilities. This 15-point gap represents a dangerous overestimation of human resilience in the face of increasingly convincing AI-generated attacks.

This gap is less pronounced with more traditional threats. For instance, 98% of decision-makers are confident their teams can spot a phishing email, a sentiment largely shared by employees themselves (95%). According to KnowBe4, this high level of confidence is likely a direct result of focused training and measurement. In the UK, phishing reporting rates are the most frequently measured human-risk indicator (44%), demonstrating that consistent awareness efforts yield tangible results. The challenge, therefore, lies in applying this same rigour to the rapidly evolving landscape of AI-enabled threats.

The Human Factor: When Workplace Pressure Overrides Protocol

While technology and threat vectors evolve, the human element remains a constant and complex variable in the cybersecurity equation. The report suggests that security failures are less about gaps in knowledge and more about behavioural responses under duress. Nearly half of all employees (47%) acknowledged that time pressure or simple distraction can lead them to make security mistakes, even when they know the correct action to take. Decision-makers concur, with 93% agreeing that employees often know what to do but may act differently when under pressure.

High workloads and workplace fatigue were identified as major contributors to this vulnerability. Thirty-eight percent of decision-makers noted that these pressures are likely to cause cyber-related errors. This pressure cooker environment, combined with rising expectations to use AI for productivity, creates a perfect storm for risky behaviour. Employees, trying to manage their workloads, turn to unapproved AI tools for help, inadvertently opening the door to security threats.

This pressure also influences threat perception. For employees on the front lines, phishing and impersonation emails remain the top perceived cause of human-related cyber risk (56%). Decision-makers, however, are looking ahead with greater concern for emerging AI threats. Their top worries include sensitive data being shared with AI tools (46%) and AI agents taking action without human oversight (43%). This divergence shows that while leaders are strategizing for future risks, employees are grappling with the immediate pressures that make them vulnerable to threats both old and new.

Navigating the New Regulatory Horizon

The challenges posed by Shadow AI and human fallibility are not occurring in a vacuum. The UK's forthcoming Cyber Security and Resilience Bill is set to dramatically reshape the nation's cybersecurity landscape, transforming many current best practices into legal obligations. The vast majority of business leaders (85%) believe the bill will play a significant role in how they manage human-related cyber risk.

The legislation is expected to intensify scrutiny on several key areas highlighted in the KnowBe4 report. With 39% of decision-makers identifying risks from third-party suppliers as a major driver of cyber risk, the bill's anticipated focus on supply chain security will be critical. Furthermore, it will almost certainly force organisations to establish robust AI governance frameworks to gain control over the proliferation of unapproved tools. The finding that 84% of organisations say regulatory requirements are already the primary driver for escalating cybersecurity incidents suggests that this new legislation will be a powerful catalyst for change.

Despite this looming regulatory pressure and their own stated concerns, many organisations are struggling to keep pace. Almost half (49%) of decision-makers count managing the safe use of AI as a top concern, yet only 16% feel they are currently effective in doing so. Among organisations already using AI tools in their workflows, a staggering 85% say ‘improvement is needed’ to ensure those tools operate within security policies and approved risk limits.

Forging a Resilient Security Culture in the AI Era

Addressing the multifaceted challenge of Shadow AI requires more than just new policies or technologies; it demands a fundamental shift towards building a strong, resilient security culture. The report argues that organisations must move beyond a compliance-only mindset and embed security as a core value that guides behaviour at every level.

“Undeniably, AI tools and agents are reshaping the workplace, but organisations can’t afford to overlook the human element of cybersecurity,” said Javvad Malik, lead CISO advisor at KnowBe4. “Our research shows that while UK businesses are embracing AI to drive productivity, many employees are still under pressure, using unapproved tools and regularly facing (and fearing) sophisticated threats such as deepfakes and phishing. Building a strong security culture, especially one that prioritises education, behavioural support and safe AI adoption, will be critical to reducing human-related cyber risk in the years ahead.”

Achieving this involves a multi-pronged strategy. First, organisations must establish clear AI governance using established frameworks like the NIST AI Risk Management Framework to guide the safe and ethical adoption of approved tools. Second, they must invest in continuous, context-driven security awareness training that addresses both the latest AI threats and the psychological pressures employees face. Finally, leaders must foster a supportive environment where employees feel safe to report security mistakes without fear of reprisal. By securing both its human and AI agents, the modern workforce can build the trust and defense needed to thrive in the new digital era.
