When asked to estimate Shadow AI usage in their environments, senior leaders gave answers that ranged from "a few tools" to "every employee, every day." But the more revealing data is what happens when those leaders go looking. One in four discovered substantially more than they thought, and the gap between confidence and control is wider than the field generally admits.
When asked: "Was the discovered number much higher, much lower, or roughly the same as your initial estimate?"
1 in 4 senior leaders (25%) said the discovered count was much higher than they had initially believed; about a third found it roughly as expected. Based on respondents who compared their estimate to what their team actually discovered.
When asked: "What percentage of your employees would you estimate are using unauthorized GenAI apps?"
Median estimate: 30% of employees using unauthorized GenAI apps; 65% put the figure at 25% or higher. Based on respondents who provided a specific percentage.
When asked: "How confident are you that you can identify which AI services employees are sending data to, and what data is being sent?"
Cross-tab: Industry × discovery gap (discovered more Shadow AI than believed)
Share of each industry whose team discovered a much higher number of Shadow AI tools than leaders had believed. Financial Services 29% (n=82), Manufacturing 26% (n=38), Technology 25% (n=65), Healthcare 25% (n=40), Retail 12% (n=33). The underestimation is broad-based; only Retail stands apart.
Confidence and control are not lining up. The leaders most certain they can see what employees are doing with AI still report an incident rate of 50%, barely below the 56% reported by their moderately confident peers. High confidence offers no meaningful protection against incidents. Visibility, as defined today, is not the same as the granular, prompt-level observability needed to actually catch sensitive data on the way out.
The Shadow AI conversation is often framed around what could happen. The data here suggests the question is academic. A clear majority of senior security leaders confirmed that sensitive data has already been submitted to unauthorized AI services in the past 12 months. The exposed data spans the full sensitivity spectrum, from strategic documents and customer PII to financial records and, most damaging of all, proprietary source code and technical assets.
When asked: "Has your organization experienced a confirmed or suspected incident of sensitive data being submitted to an unauthorized AI service in the past 12 months?"
Among incident-reporting organizations in the conversational wave, when asked: "What kind of data was involved? Source code, customer PII, financial data, strategic documents, something else?"
Multi-select question, captured in the conversational wave where the data-type follow-up was asked (base 90). Strategic documents (38%) and customer PII (38%) were named most often, but source code and technical/IP assets (33%) represent the highest-severity exposures, with respondents describing proprietary code, configuration data, and development environments reaching unauthorized models. Total exceeds 100% because incidents commonly involved multiple types.
Cross-tab: Industry × incident in past 12 months
Share of each industry reporting a confirmed or suspected GenAI data incident, among those who gave a clear yes/no. Financial Services 63% (n=73), Technology 62% (n=81), Healthcare 48% (n=40), Retail 44% (n=34), Manufacturing 33% (n=39). With the combined dataset, every industry is now shown individually.
The breadth is the story: incidents span strategic documents (38%), customer PII (38%), financial data (36%), and source code and technical assets (33%). But not all exposures carry equal weight. While business documents and customer data show up most often, the source-code and IP leaks are the ones that keep CISOs up at night: proprietary code, configuration files, and development-environment details handed to models with no contractual protection and no way to claw the data back. The through-line across every category is the same: productivity intent, security consequence.
With the combined dataset, the incident pattern holds across sectors rather than being concentrated in one. Financial Services (63%) and Technology (62%) cluster at the top, Healthcare (48%) and Retail (44%) sit in the middle, and Manufacturing trails at 33%. The likeliest reading is not that Manufacturing is safer but that it has both lower GenAI adoption and thinner detection in place, so fewer incidents surface.
Most organizations now have a written GenAI acceptable-use policy. Far fewer have backed that policy with technical controls. The gap between the two creates a brittle compliance posture, where employees are trusted to follow the rules but no system is watching to confirm they do. The resulting blind spot is what makes Shadow AI so persistent.
When asked: "Does your organization have a formal acceptable-use policy for GenAI tools, and if so, what technical controls are actually enforcing it?"
"Technical enforcement" includes DLP, CASB/SSE, secure web gateways, endpoint controls, identity-based restrictions, or AI-specific governance tools. "Policy only" means the organization has written rules but lacks technical mechanisms to enforce them.
Cross-tab: Q7 enforcement state × Q5 incident rate
Among organizations with technical enforcement, 68% had a confirmed or suspected incident. Among those with policy but no technical enforcement, 46% reported incidents. Technical enforcement reveals incidents that policy-only environments cannot see.
The 22-point incident-rate gap between organizations with technical enforcement and those running on policy alone is best read as a visibility gap, not a security gap. A survey cannot prove that controls do not cause incidents, but the simpler reading is that teams with DLP, CASB, and AI-specific controls are seeing the leaks that always existed. Teams running on honor-system policies are flying blind, and the absence of reported incidents in those environments is not reassurance. It's the problem.
Beyond Shadow AI itself, security leaders see a broader pattern. AI-powered phishing, deepfake fraud, automated exploit development, and adversarial AI are all moving faster than the cycles of traditional defense. Two-thirds of leaders willing to take a clear position say their teams are falling behind. Detection is where they feel furthest behind, and the budget is moving to match.
When asked: "Do you feel like AI-driven threats — not just data leakage, but AI-powered attacks, automated exploits, deepfakes — are outpacing your team's ability to defend against them?"
Among respondents who took a clear yes/no position, 65% reported feeling outpaced. A further group gave nuanced or non-committal answers.
Follow-up question: "Where's the gap widest: detection, response, or intelligence?"
Multi-select among respondents in the conversational wave who specified at least one area. Many named more than one, which is why the percentages total more than 100%.
Cross-tab: Industry × budget increase due to GenAI
Share increasing DLP budget specifically because of GenAI concerns, among those who addressed budget direction. Technology 100% (n=61), Healthcare 91% (n=23), Financial Services 90% (n=51), Manufacturing 89% (n=28), Retail 86% (n=22). The appetite for data-protection investment is near-universal across sectors.
Detection sits at the top of the gap list because it is the precondition for everything else. Without seeing the threat, response and intelligence teams have nothing to act on. The 93% security budget shift in response to GenAI is the buying signal that follows, with DLP investment named most frequently, and it spans every sector, from Technology (100%) to Retail (86%). Leaders are funding the visibility they currently lack, with AI-aware monitoring at the front of the line.
The picture from these 294 senior security leaders is consistent. Sensitive data is moving to unauthorized AI services. Most organizations have written the right policies but lack the technical controls to back them up. The pace of AI-driven threats is outrunning the cycles of traditional defense, and detection is where the gap is widest.
What the research suggests is needed: integrated AI-aware data loss prevention, real-time visibility into GenAI usage across endpoints, cloud, and network, and threat intelligence that adapts as the AI threat landscape moves. Fortinet's portfolio is positioned to address each of these dimensions.
Fortinet commissioned this primary research with 294 senior security and IT leaders across six target industries. Conversational interview format, fielded May 7 – June 9, 2026, combining an initial wave with supplemental responses to strengthen industry representation.
This dataset combines an initial fielding wave with later supplemental responses, deduplicated by unique respondent ID so no participant is counted twice; the final base is 294 unique senior security and IT leaders. Because the interviews are conversational, not every respondent addressed every question, so percentages are calculated as a share of those who answered each question, and cross-tab charts report the base (n) of clear responses for each segment. The data-type and detection/response/intelligence breakdowns reflect the conversational wave, where those follow-up questions were asked. Multi-select questions are flagged where they exceed 100% by design. Industry cross-tabs are shown for each sector individually. Open-ended responses were classified into the categories shown using consistent rules; ambiguous responses that did not clearly map to a category were excluded from the relevant rate.