The approved process for analyzing customer churn data takes three days. Gary knows this because Gary has submitted the request four times this quarter and waited each time while the data team queued it behind six other departments with a more senior sponsor. The AI tool Gary saw at a conference does it in three minutes. He signs up with his work email. Uploads the dataset. Gets his answer. Shows his team lead. His team lead sees a result and doesn't ask questions.
Within a month, two other departments are on it. Nobody tells security. Nobody tells compliance. Nobody reads the terms of service, which explain in language designed to be skipped that uploaded data may be used to improve the provider’s models. Nobody asked who owns that provider, and how far the raw data can go. Gary just donated two years of customer transaction data to a training set his organization will never see, never audit, and never get back. He did it because the approved process moved at the speed of Toronto traffic and nobody gave him a better option.
Gary isn’t the problem. Gary is the symptom.
The threat that already has a staff badge
HiddenLayer’s 2026 AI Threat Landscape Report puts shadow AI adoption at 76% of organizations, up from 61% the year before. Fifteen points in twelve months. But that number undersells what’s actually happening, because most of that shadow AI didn’t sneak in through the back door. It arrived in a software update.
Your CRM got an AI assistant last quarter. Your service desk added a chatbot that triages tickets. Your HR platform now screens resumes with a model nobody in IT was asked to evaluate. Each of these tools touches your data, holds permissions inherited from the platform it lives inside, and makes decisions about what to surface, filter, or forward. None of them went through a security review, because nobody classified a software update as a new AI deployment. The vendor didn’t call it that. They called it “enhanced features” in a font size that doesn’t invite questions. Nobody checked if those tools inherit the users own permissions. Gary's login can access a lot of sensitive materials.
One in eight companies surveyed by HiddenLayer have already experienced a breach linked to agentic AI systems. And 53% admitted they’ve withheld breach reporting because they’re afraid of the backlash. The incident count in the news is a floor. The ceiling is somewhere nobody’s willing to talk about publicly.
The AI that forgot what it was supposed to protect
Your resume screener has been filtering out qualified candidates for three months. Not obviously. Not in a way that triggers a complaint. It just quietly stopped surfacing people that didn't fit the training model it learned in another geography and industry, because something in its training data taught it those patterns were noise. Your hiring manager thinks the talent pool is weak. Your HR director is planning a recruiting spend increase. The model thinks it’s doing exactly what you asked. Your dashboard agrees. They’re both wrong.
Lakera AI published research showing how poisoned data, injected through an AI agent’s own data feed, can corrupt its long-term memory. Not its outputs. Its understanding. The agent develops a persistent, incorrect belief about its own security policies and defends that belief as correct when humans question it. An AI that’s been compromised this way doesn’t throw errors. It throws confidence. It looks fine on every dashboard you have because the dashboards measure what the agent reports about itself.
Then there’s the cascade. Galileo AI ran simulations of multi-agent systems and found that a single compromised agent poisoned 87% of downstream decision-making within four hours. Your SIEM shows fifty failed transactions. It can’t tell you which agent started the chain, because the agents communicate in ways your monitoring tools weren’t built to parse. This isn’t a spectacular breach. It’s a slow drift that looks like normal operations until the damage is structural. Like carbon monoxide. Odourless, colourless, and the detector you bought was designed for smoke.
And if you think the approved tools are the only exposure: earlier this year, a supply chain attack hit the OpenAI plugin ecosystem. Compromised agent credentials harvested from 47 enterprise deployments. Customer data, financial records, proprietary code, accessed for six months before anyone noticed. Not because security teams were negligent. Because the compromised plugin was approved. The credentials it used were the ones it was supposed to have. The data it accessed was data it had permission to touch. The only wrong thing was where that data went afterward, through a channel nobody thought to monitor, because why would you monitor a tool that’s doing exactly what it’s allowed to do?
Gary’s door is still open
Gary’s tool is still running. His team uses it daily. It’s not on the asset inventory. It’s not in the incident response playbook. If something goes wrong with it tomorrow, nobody knows who to call or what to shut down. And Gary’s tool is one of dozens scattered across the org, adopted by people who needed something faster than the process they were given.
The answer isn’t banning Gary’s tools. Banning them is how you guarantee shadow AI doubles by next quarter. People find workarounds when you take away the thing that made them productive, and the workarounds don’t come with terms of service at all.
The answer is building the architecture that lets Gary use AI safely with guardrails he never has to think about. Policy-as-code that constrains what the tool can access, what data it can reach, where it can send outputs. Governance that catches new tools when they connect, assesses them before the first dataset is uploaded, and either brings them into the fold or explains to Gary why this one doesn’t meet the bar. An inventory that knows what’s running before the security team has to find out the hard way.
That’s the foundation work we keep coming back to. The cataloguing, the mapping, the governance architecture. We’ve written about it in the Data Series and we’ve been doing it for fifty years under different names. The organizations furthest ahead on AI security right now aren’t the ones with the best models. They’re the ones who did the boring inventory work and built architecture that lets them say yes to new tools without wondering what they’re exposing.
Gary is still clicking. The question is what catches what comes next.
Read next
Every vendor in Canada is saying “sovereign” right now. Telus, Bell, CGI, your toonie’s worth of LinkedIn ads before lunch. Article 4 takes the word out of the press release cycle and into the architecture conversation where it belongs. What does sovereignty actually mean when someone tests it? Less than you’d think. More than you’d hope. Sovereignty is an architecture decision.
Cites
HiddenLayer 2026 AI Threat Landscape Report: 76% shadow AI adoption, 1 in 8 breached via agentic AI, 53% withheld breach reporting
Lakera AI: Research on long-term memory corruption in AI agents via poisoned data feeds
Galileo AI: Multi-agent cascade simulations, single compromised agent poisoning 87% of downstream decisions in four hours
OpenAI plugin ecosystem supply chain attack: 47 enterprise deployments compromised, six months undetected
