Even the guardians are breaking the rules. A new survey by Mindgard has revealed a troubling shift in cybersecurity: security professionals themselves are turning to generative AI tools without approval. More than half admit to it. Others suspect it’s happening. This isn’t happening in the marketing department. It’s happening in the security operations center.
Mindgard surveyed 500 cybersecurity professionals at RSA Conference 2025 and Infosecurity Europe 2025. The results show a profession at odds with itself, embracing AI while sidestepping its own safeguards.
The Watchers Are Watching Less
They call it Shadow AI. Like Shadow IT before it, it’s the use of unsanctioned tools inside an organization. But this time the stakes are higher. AI tools like ChatGPT and GitHub Copilot aren’t just helping with office admin. They’re touching code, customer records, and sensitive data.
According to the survey, 56% of security professionals said their organizations are using AI without formal approval. Another 22% suspect it’s happening. What’s more, 87% of those same professionals are using AI in their own daily work. Nearly one in four admit they’re doing it with personal accounts, no approval, no logging, no compliance.
Policy Is Lagging. AI Isn't Waiting.
Security teams are sprinting ahead, while governance is stuck in traffic.
Nearly 90% of cybersecurity staff have used generative AI, but only 32% of organizations have a formal policy in place to govern it. The tools are everywhere; enforcement is nowhere. A further 24% rely on informal monitoring, such as spot checks or surveys, and 14% have no oversight at all.
Twelve percent of respondents said they have no idea what’s being entered into AI systems. That blind spot is already leaking. Thirty percent admitted to uploading internal documents. Another 29% said customer data had gone into AI tools.
Who Owns the Risk?
Nobody seems to know. Some 39% of respondents said no one owns AI risk in their organization. Another 38% pointed to the security team. Fewer still mentioned data science, the C-suite, or legal.
That lack of clarity matters. AI governance isn’t just about security. It touches compliance, legal exposure, intellectual property, and vendor trust. Without a coordinated approach, risk falls through the cracks.
Peter Garraghan, CEO and Co-founder of Mindgard, didn’t mince words: “Shadow AI isn’t a future problem. It’s here. And it’s inside the teams meant to protect you.”
A New Kind of Adoption Curve
The survey paints a picture of accelerating use and uneven maturity. A staggering 87% of security pros say they use AI in their daily work. Another 76% believe their peers are doing the same. These are not occasional users. Nearly half are applying AI across multiple tasks: writing detection rules, generating phishing simulations, debugging code. Only 5% say they don’t use AI at all.
Use cases are growing more technical. While many still use AI for summarizing content (57%) or drafting policies (45%), a large share are writing code (40%) and building detection logic (33%). AI is becoming core to the work of security itself.
Grassroots Before Governance
The pattern is clear. AI use often starts at the edge, with curiosity, browser extensions, side projects. Then it spreads. But policy, structure, and ownership rarely catch up.
A quarter of security professionals are using AI informally, outside sanctioned tools. Another third say they’ve seen it used for routine work: ticket triage, research, internal memos.
Even inside security, the risk is often invisible. Only 32% of companies actively monitor AI activity. Eleven percent plan to, someday. Another 11% have no plans at all.
A Crossroads for Security Leadership
The report shows a profession split in two. On one side, AI’s promise: faster workflows, sharper detection, better response. On the other, unmanaged risk, sensitive data exposure, and vanishing accountability.
Organizations need more than visibility.
They need ownership. That means clear roles across legal, compliance, data, and security. And it means governance that matches the pace of adoption.
Without it, Shadow AI will keep growing inside the very teams charged with shutting it down.
For this study, Mindgard surveyed 500 cybersecurity professionals during RSA Conference 2025 in San Francisco and Infosecurity Europe 2025 in London. Respondents spanned all levels of experience and company sizes, with 61% in management roles. One third worked for large enterprises, 31% for midsize firms, and 32% for small businesses.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.