June 18, 2026

AI Has Become the New Shadow IT

AI is now embedded in how teams work, often before the business has put any controls around it. That gap between adoption and governance is the new shadow IT, and it was the issue that dominated the room at our recent ASE Tech Evolve | Resilience in Action executive lunch with Veeam.

Here's what leaders learned at ASE Tech Evolve.

TL;DR

AI tools are now embedded in everyday work, often without IT's knowledge or any guardrails, which makes AI the new shadow IT.

The Veeam Data Trust and Resilience Report 2026 found that 43% of organisations say AI adoption is outpacing their ability to secure data, and 25% name shadow IT and unauthorised AI use as a primary security concern.

ASE Tech Evolve is an invitation-only executive event that uses live, interactive breach simulations rather than presentations, so leaders make real decisions and see how an incident actually unfolds.

The scenario that drew the most discussion showed a compromised AI assistant quietly exfiltrating data, manipulating payments, and suppressing security alerts while looking like legitimate activity.

Adopting AI safely comes down to six things: visibility into what is in use, enforced controls, data residency, human oversight, cross-functional ownership of AI risk, and a small, measured rollout.

What is AI shadow IT?

Shadow IT used to mean staff using unsanctioned apps or cloud accounts. Today it is the AI assistant your team relies on for daily work, usually without IT's knowledge or any guardrails in place. People paste company data, financials, and customer information into free tools because the tools are useful, and sensitive data gets exposed without anyone noticing.

The Veeam Data Trust and Resilience Report 2026 puts numbers to it:

  • 43% of organisations say AI adoption is outpacing their ability to secure their data and models.
  • 42% have limited visibility into the AI tools being used across their business.
  • 25% name shadow IT and unauthorised AI tool use as a primary security concern.

The pattern we hear is consistent: the data is not ready for AI, but staff are already using it.

What is an ASE Tech Evolve event?

ASE Tech Evolve is a series of invitation-only executive sessions built around live, interactive cyber incident simulations rather than presentations. Each session puts a room of senior leaders inside a realistic breach scenario and asks them to make the decisions an incident actually demands.

Here is how it works:

  • Participants take on a role such as CEO, CFO, operations manager, or IT lead, and work through a scenario based on a fictional company under attack.
  • Partway through, new information is introduced, often through action cards revealed mid-scenario, forcing the group to adapt as the situation escalates.
  • The most recent session, Resilience in Action, was run with Veeam and facilitated by Kristof Kazmer alongside John Wood from Veeam.

What makes ASE Tech Evolve different?

Most security events involve a vendor talking at an audience. Evolve flips that. Because leaders are making decisions under pressure rather than listening to slides, the session surfaces the questions executives usually never get to ask, in an open setting where no question is treated as too basic.

The real value is visibility. Most executives have never seen what a cyber incident looks like from the inside, so security stays an abstract line item. Once a leader has worked through an incident first-hand, the conversation changes. As our facilitator put it, awareness beats a commercial conversation. The discussion moves from “we need more budget” to “here is the risk we are mitigating, and here is why it matters to the business.”

Who should attend an ASE Tech Evolve event?

Evolve is built for senior decision-makers who carry responsibility for risk but do not always have the technical detail to weigh it. It is most useful for:

  • CEOs, CFOs, CIOs, and the IT and security leaders accountable for cyber risk.
  • Leaders who are new to a role and have inherited a security environment they did not build.
  • Executives sitting on questions they have not been able to get answered clearly.
  • Organisations operating under compliance obligations such as the SOCI Act, CPS 234, or privacy regulation.
  • Businesses working out how to adopt AI safely, where AI readiness is now a live question.

What did the AI scenario reveal?

A compromised AI integration does not look like an attack. It looks like normal business activity. In the scenario that drew the most discussion, an AI assistant deployed across operations and finance was quietly compromised, and the sequence played out like this:

  • Sensitive customer and financial data was exfiltrated without triggering a single alert.
  • Payment approvals were manipulated and operational priorities were altered.
  • The AI suppressed and deprioritised the security warnings that would have flagged the breach, delaying detection.
  • By the time anyone noticed, the compromise had spread deeper into the business.

That is the trap with AI risk. The activity looks legitimate, so traditional alerts stay quiet while exposure grows. It is also the scenario most directly in front of every business right now.

What other insights came out of the event?

A few themes ran through the discussion, and they line up with the Veeam research.

  • Confidence is not the same as capability. 90% of organisations say they are confident they can recover from a cyber incident, yet only 28% of ransomware victims fully recovered their data. Backups and a policy are not the same as proving you can recover under pressure.
  • Compliance is becoming a resilience driver, not a separate exercise. 33% of organisations rank regulatory and compliance mandates among the top risks to data resilience over the next year, and 58% cite data residency and sovereignty as the most important factor in where they place their data. For regulated and critical infrastructure operators, security and compliance are now the same conversation.
  • Policy alone does not reduce risk. The organisations seeing better outcomes back their policies with enforced controls such as data loss prevention, sensitivity labelling, and access management, rather than relying on written guidance and good intent.

How to know if you have the right guardrails

The questions worth asking are practical:

  • Do you know which AI tools your staff are actually using?
  • Is your data ready for AI, or is sensitive information exposed the moment someone uploads it?
  • Have your security policies been updated for AI-specific risks?
  • Do you have data loss prevention, sensitivity labelling, and access controls in place?

How to adopt AI without creating new risk

The leaders getting this right are not slowing AI down. They are putting structure around it so that adoption and security move together. Six principles consistently separate the organisations that stay in control from those that do not:

  • Find out what is already in use. You cannot govern tools you cannot see, and most shadow AI stays invisible because no one has asked. A short discovery exercise that maps which tools staff are using, and against which data, is usually more revealing than any policy document.
  • Back policy with enforced controls. Access should be tied to identity so that any AI tool can only reach the data a given user is already permitted to see. Sensitive information should be classified and protected by data loss prevention, and every interaction should be logged to the same audit standard as the rest of your environment.
  • Keep your data inside sanctioned boundaries. Favour deployments where your prompts and outputs are not used to train external models and where data stays within agreed regional limits. For organisations carrying data residency or sovereignty obligations, this is not optional.
  • Keep a person accountable for consequential decisions. AI is well suited to drafting, summarising, and analysing, but any decision that affects a customer, an employee, a financial result, or a regulatory obligation should sit with a human who reviews the output and signs off.
  • Give AI risk a clear, cross-functional owner. Governance most often rests with a single executive, which leaves blind spots, because AI risk spans security, IT, data, compliance, and the wider business. Organisations that share oversight across those functions report stronger alignment between policy, controls, and recovery.
  • Move in small, observable steps. Choose a few high-value use cases, run a controlled pilot, measure what actually changes, and scale only what works. Adoption that is deliberate is far easier to secure than adoption that happens by accident.

Where ASE Tech fits

For two decades, ASE Tech has helped organisations in highly regulated and critical infrastructure sectors answer exactly these questions. Many of our customers are switching on AI for their teams right now, and we help them do it safely: mapping where AI fits, piloting it in a controlled way, and operating it inside the security and governance posture they already trust us with.

If AI is already part of how your business runs, the first step is knowing where and how. Get in touch and we will help you find out what is in use and put the right guardrails around it.
