Employees are adopting artificial intelligence (AI) tools faster than companies can secure them, creating a growing “Shadow AI” problem that could expose confidential business information, according to cybersecurity company Palo Alto Networks.
“I think it’s good to know that the Philippines is really adopting AI at a fast pace because anybody could actually use ChatGPT, Gemini, and everyone else,” said Jobert David, system engineering head of Palo Alto Networks Philippines. “But, of course, with great power comes great responsibility.”
David said while organizations are rapidly embracing AI, many still lack visibility into how employees are using these tools and whether sensitive data is being shared.
Shadow AI is the use of AI tools such as ChatGPT, Gemini, or other AI applications for work without a company’s knowledge or approval. Employees may use them to write reports, summarize documents, answer emails, or analyze data, but they can also accidentally upload confidential company information, customer data, or other sensitive files, creating security and privacy risks.
David said many customers now ask how they can determine whether employees are using approved AI applications and whether confidential company data is ending up in public AI platforms.
“The first rule of thumb is you need to know what AI tools are running in your network and what employees are using,” David said. “You cannot secure what you don’t know.”
To reduce the risk, David said organizations should adopt a “secure AI by design” approach built around three steps: discover AI usage, assess the risks, and protect sensitive information.
Rather than banning AI, companies should establish policies that define which AI services employees may use and what information can be uploaded.
“Security is a business enabler. We’re not really prohibiting the use of AI,” David said. “AI is good for us, but we need to ensure we have the proper barriers to help maximize the full output of AI while doing AI security.”
“More often than not, we are finding those exposed,” said Philippa Cogswell, managing partner, JAPAC, Unit 42 of Palo Alto Networks.
She said organizations should understand their attack surface because many are surprised to discover internet-facing systems, domains, or digital assets they did not realize were exposed.
Cogswell also said defenders must adopt AI as aggressively as cybercriminals.
“If attackers are using AI, we are also using AI,” she said. “You need to fight AI with AI.”
Palo Alto Networks said it is integrating AI across its cybersecurity portfolio to automate threat detection and incident response. The company uses AI to analyze large volumes of security data, allowing analysts to focus on investigating complex attacks instead of repetitive tasks.
As AI adoption accelerates, cybersecurity experts warn that organizations that fail to monitor Shadow AI risk exposing sensitive information while giving attackers new opportunities to exploit AI-powered systems.