80% of Workers Use Unapproved AI Tools and 49% Hide It From IT. The $650K Breach Bill Is Just the Start.

In March 2026, Teramind launched an AI governance platform aimed at enterprises running agentic and generative AI tools. The research they cited is a wake-up call for any team that assumes "we have a policy" is enough. Over 80% of workers use unapproved AI tools. One in three has shared proprietary or sensitive data with unsanctioned services. Forty-nine percent hide their AI usage from IT. And AI-associated breaches now average more than $650,000 per incident — with agentic systems amplifying exposure because autonomous actions can exfiltrate data or trigger downstream systems before anyone notices. For developers and IT leaders, the gap is no longer whether AI is in the building; it is whether you can see it, govern it, and align it with compliance before the next breach.

The Scale of the Problem

Worker access to AI tools grew by roughly 50% in 2025 alone. By 2026, 23% of organisations already deploy autonomous agentic systems — agents that can take actions across apps, APIs, and data without a human approving every step. That creates a dual risk: approved tools (Copilot, Gemini, Claude Code) are used in ways that violate policy, and shadow tools (personal ChatGPT, unknown APIs, open-source agents run on work machines) operate with no visibility. When something goes wrong — a prompt injects malicious instructions, an agent forwards internal data to an external API, or a developer pastes customer PII into a consumer chatbot — the blast radius can span compliance, legal, and security. The $650K figure is an average; single incidents can run into the millions when regulatory fines and remediation are included.

What Teramind’s Platform Does (and Why It Signals Demand)

Teramind’s offering provides visibility across approved and shadow AI usage: full conversation logging, screen recording, OCR, and forensic recording of AI activity, plus automated policy enforcement to block unauthorised data sharing and risky behaviour. It is built to support SOX, HIPAA, CMMC, FedRAMP, SOC 2, ISO 27001, and EU AI Act requirements. The fact that a dedicated AI governance product is now in market reflects a real need: compliance and security teams are being asked to answer for AI use they cannot currently see or control.

What Developers and IT Should Do Now

1. Inventory AI in the stack. List every AI tool, API, and agent that has access to internal data or systems — approved and suspected. That includes SaaS (Copilot, ChatGPT Team, Claude for Work), custom integrations (RAG, agents calling internal APIs), and open-source or self-hosted agents. You cannot govern what you do not know exists.

2. Define and communicate a clear AI use policy. Specify which tools are allowed for which data classes (e.g. no customer PII in consumer ChatGPT), what can be sent to external APIs, and what requires approval (e.g. agentic actions that modify production). Make the policy easy to find and enforce it in onboarding and audits.

3. Enforce at the edges where you can. Use DLP, CASB, or dedicated AI governance tools to block or warn when sensitive data is sent to unsanctioned endpoints. For agentic systems, require human-in-the-loop or approval gates for high-risk actions and log all agent decisions for audit.

4. Plan for compliance and breach response. Map AI usage to SOX, HIPAA, GDPR, EU AI Act, or other frameworks that apply. Ensure you can demonstrate who used which AI on what data and what happened. Have an incident playbook that includes "AI exfiltrated data" and "agent took unauthorised action" scenarios.

Shadow AI is not going away. The goal is to bring it into the light: approved tools used within guardrails, and unapproved use detected and curtailed before it becomes a $650K headline.