Nearly two-thirds of senior decision-makers admit to using unapproved AI tools, compared to just 31% of lower-level employees, according to a new survey from Microsoft solutions partner TrustedTech. The gap persists even though three in four workers acknowledge the security or data privacy risks - a disconnect that puts CISOs and IT leaders in an impossible bind: they own the risk but have no authority over the C-suite's tool choices.
The shadow AI gap starts at the top
Shadow IT has long plagued security teams, but the most dangerous source may be the executive floor. TrustedTech's data shows senior leaders are twice as likely as rank-and-file employees to use unsanctioned AI. That behavior undercuts governance in a way no policy can fix.
"If senior leaders bypass approved AI tools or policies, it sends an implied message that speed matters more than security and compliance," said Andy Nolan, VP of technology at TrustedTech. "Employees notice that behavior, and it becomes much harder to ask the rest of the organization to follow standards that leadership isn't following themselves, first."
Nolan also pointed out that executives routinely handle highly sensitive information - financial data, strategic plans, intellectual property - making their ungoverned AI use especially damaging. The report frames this not as a training gap but as a culture, incentives, and alternatives problem.
Why approved tools lose the race
The root cause isn't ignorance. "Most shadow AI users are not ignorant of the risk," the TrustedTech white paper states. "They are deliberately choosing to use these tools anyway." The reason: sanctioned options often feel slower, less capable, or simply don't exist.
"People use shadow AI because what their employer hands them is worse than mainstream AI tools, or because nothing has been approved in the first place," the report says. "That doesn't change until the sanctioned tools are genuinely worth using."
Nik Kale, a principal engineer at Cisco and member of the Coalition for Secure AI, pointed to a Teramind report that found two-thirds of C-level executives prioritize speed over security when using AI. The same report revealed that two-thirds of enterprise AI activity runs through personal accounts on platforms the company already licenses. "People are paying for the governed version and using the ungoverned version of the same product, so the problem isn't the tools," Kale said. "The approved path is slower, buried in procurement, or disconnected from where the work actually happens, and speed wins every time under a deadline."
Matthew Scavetta, chief technology innovation officer at Future Tech Enterprise, added that many organizations fail to make employees aware of available AI tools or to train them on sanctioned applications - driving users toward familiar, unsanctioned alternatives.
The CISO's impossible position
When executives bypass controls, the security team is left accountable for consequences they can't see. "When senior leaders use ungoverned AI tools for business decisions, those decisions still have consequences, such as financial commitments, contract reviews, and data sharing," said Amit Maloo, CISO at Ivalua. "But there is no audit trail, no permissions model, or no way to reconstruct what happened or why."
Maloo stressed that adding more governance won't fix the issue. "Policies and restrictions slow shadow AI down, but they don't stop it, especially when the people using it are senior enough to absorb the disciplinary risk," he said. The better path, he argued, is providing tools that give users full, secure access to the systems and data they need - removing the trade-off between capability and compliance.
Nolan agreed: "CISOs and CIOs can't solve the problem by becoming the AI police. Their role is to help the business innovate safely. That requires executive alignment, clear governance, and providing secure AI tools that people actually want to use. When leadership embraces those solutions, the rest of the organization is almost sure to follow."
Why this matters for Executives and Strategy
The TrustedTech data makes clear that shadow AI is not a rank-and-file discipline issue - it's a leadership credibility problem. When the C-suite uses unapproved tools, the implicit message is that deadlines beat governance. That cascades through the organization, making written policies unenforceable. The fix isn't more rules; it's a visible commitment from the top to use - and even demand - secure, well-integrated AI tools that match the pace of business. Resources like AI for Executives & Strategy can help senior leaders understand the governance, culture, and incentive levers needed to close the gap. If the secure path isn't the easiest path, no amount of training will keep shadow AI out of the boardroom.
Your membership also unlocks: