GENERATIVE AI IS BECOMING THE NEW INSIDER RISK AT WORK

Generative AI has, in a very short time, moved from pilot projects to an everyday tool in both boardrooms and project teams.

A range of surveys shows that the technology is now deeply integrated into daily work: around 80 per cent of IT leaders and 63 per cent of employees state that they use generative AI in their professional roles. At the same time, 61 per cent of organisations say that AI is their greatest data security risk in the coming years, according to the Thales 2026 Data Threat Report.

This is creating a new security landscape where the line between legitimate tools and potential leakage channels is becoming increasingly blurred. To handle this, many organisations are now combining technical controls with governance, training, and support from external specialist partners who work with both AI development and cyber security.

Published: 09.06.2026

From “shadow AI” to structured use

The use of generative AI has largely grown from the bottom up, and statistics from Deloitte provide a picture of how.

According to their survey, 77 per cent of employees who use AI at work do so in models that have not been developed or procured by their employer. 52 per cent use publicly available free services, while 25 per cent pay out of pocket for AI tools they consider necessary to get the job done. Only 19 per cent say they use exclusively AI that the employer has developed or procured.

The consequences are already visible. In the Cisco 2024 Data Privacy Benchmark Study, 48 per cent of companies report incidents where confidential data has been uploaded to public AI services. 68 per cent worry that sensitive information will end up in the public domain or with competitors, and 27 per cent have therefore completely banned public AI services at work.

The data shows that the problem is not isolated mistakes, but recurring patterns of behaviour. Many organisations using generative AI exhibit high‑risk behaviours, and a large share of the prompts sent to AI models contain potentially sensitive information. The risk landscape is characterised by everyday situations where internal documents, source code, customer data or strategic material are shared with external services just to “try things out”.

An increasing number of companies are therefore trying to move usage from “shadow AI” to controlled, secure platforms in their own environment. We see this in the strong demand for help in establishing enterprise‑grade AI solutions close to the customer’s data, with access control, logging and encryption, instead of letting sensitive information leave the organisation’s control in public services.

AI as a trusted insider

The classic view of insider threats has focused on people with legitimate access who abuse it, intentionally or unintentionally. With generative AI, a new type of “trusted insider” is emerging

AI systems are often given broad, automated access to email, chats, documents, code repositories and business systems, sometimes broader than any individual human user, but without equally mature control mechanisms.

Generative models are also being integrated directly into collaboration tools, development environments and customer‑facing systems. AI agents can not only suggest actions but also carry them out. Data connections are set up quickly to realise business value, often before there is a full overview of which information is being exposed.

The result is that a misconfigured AI system can collect, summarise or forward large amounts of sensitive data in a very short time, while its activity in the logs can resemble legitimate operations. This shifts security work towards identity and access for both humans and machines, rather than focusing solely on user accounts.

In practice, this means that more organisations are now applying principles such as “least privilege” to AI agents as well, with separate service accounts, clearly delimited data sources and continuous review of access patterns. We see it as crucial to combine our expertise in AI development and cyber security in order to design such solutions as part of architecture and implementation, rather than adding them as a thin layer afterwards.

AI is strengthening the attackers’ toolkit

Generative AI is changing not only how organisations work, but also how attackers operate. 38 per cent of security leaders rank AI‑enabled ransomware as their biggest concern. 82 per cent of organisations believe that phishing emails have become harder to detect when generated using generative AI, and 60 per cent report that they have already experienced attacks where deepfake technology was used.

It is no longer about poorly spelled mass emails. With the help of generative AI, attackers can create tailored messages in the recipient’s language, imitate tone of voice and refer to relevant internal projects, especially when some information has already leaked. As more organisations open up their data to AI platforms, the value of a successful intrusion increases.

This is driving a need for more advanced detection that takes AI‑generated patterns into account. Solutions where machine learning is used on the defensive side to identify anomalous behaviour in both email flows and authentication patterns are becoming more common.

There is growing demand for combining generative AI with traditional security analytics to detect abnormal events faster, and to build automated incident response where AI support helps security teams analyse logs, correlate events and propose actions.

Model manipulation and data poisoning

As organisations move from merely consuming off‑the‑shelf AI services to training or fine‑tuning their own models, new risks arise deeper in the stack. One area is data poisoning, where training data is manipulated in order to steer the model in an undesirable direction – via open data sources or internal systems where an attacker gains influence over which data points end up as training material.

Another area concerns targeted prompt attacks and attempts to gradually extract a model’s knowledge or internal rules. Through carefully designed prompts, an outsider can try to gain access to information or behaviours that were never intended to be exposed.

At the same time, surveys show that 60 per cent of leaders and 41 per cent of staff admit that they feed AI tools with internal data, which increases the risk that models are trained on material that should never leave the organisation’s own environment. 59 per cent of Swedish IT security leaders explicitly see generative AI as one of the greatest security problems in the coming years.

To manage this, security needs to follow the entire model lifecycle. Instead of focusing solely on the user interface, organisations must work with governance of data sources, traceability in training pipelines, version control and protection against unauthorised access to models in production.

Governance, data and capability – three foundations

To reduce risks without losing pace in development, three main areas are emerging.

The first is governance: clear principles and practical guidelines for how generative AI may be used. This includes defining which types of data may never leave the organisation, which approved services exist, and how follow‑up and incident management around AI should work.

The second is the data foundation. Without an up‑to‑date data catalogue and effective classification, it is difficult to know what can be exposed to AI systems. The work ranges from identifying where information is stored to implementing classification models, encryption and segmentation in cloud and hybrid environments.

The third area is capability and culture. Generative AI is easy to adopt, which means both good and bad behaviours spread quickly. Security training therefore needs to be tied directly to employees’ daily work, with concrete examples of safe versus risky ways of using AI.

Towards a more controlled AI everyday

Today’s figures point to a risk landscape where high‑risk behaviours are common, policy frameworks are often absent or incomplete, and control over data is insufficient. At the same time, there is a shift under way where more organisations are moving from experiments and isolated initiatives to structured investments in secure platforms, better data governance and integrated security throughout the AI lifecycle.

In this work, technology partners with experience of both advanced AI development and safety‑critical environments play a central role. By combining architecture, data management, application development and cyber security, companies like HiQ can help organisations move from ad‑hoc usage to a controlled AI‑driven everyday reality, where productivity and innovation can grow without compromising security.

Curious about how your organisation can adopt AI safely and sustainably? Get in touch and let’s talk.

Contact us Join the team

Get in touch!

Choose your nearest office, looking forward to hear from you!

Read more articles here

insight What Is DevEx and How to Support It with Smart Tooling
insight Griffin Tech Days – Transformation of Defense Technology shaped in Lapland
insight Anders Spalding appointed Head of Protective Security as HiQ strengthens its offering
insight Great Apes reaches the finals in Grand One and Vuoden Huiput
insight Digital renewal of investment services begins – LocalTapiola and HiQ deepen their strategic partnership
insight The Cyber Landscape 2020–2025: From Pandemic Shock to AI-Driven Threats
insight Atlassian Rovo: AI as the Hub of Future Collaboration 
insight What role do OpenShift technologies play in building digital resilience in organizations?
insight From Data to Agency: Navigating the AI Maturity Path to Agentic Systems
insight NIS2 Makes Cybersecurity a C-Suite Responsibility – Are You Ready? 
insight AI for all – HiQ’s AI Roadshow brought practical skills to every role
insight Ensure your Products Meet the New EU Security Requirements
insight HiQ builds Finland’s highest-quality network of cybersecurity companies
insight HiQ approved as a NATO technology supplier – A step towards a stronger role in international defense, security, and cyber domains
insight Remote work from Italy: Lead AI Consultant takes his meetings under the palm trees
subway entry
insight Strong authentication doesn’t guarantee safety when phishing sites dominate search engine results
henri-burtsov
insight Henri Burtsov appointed as HiQ’s Head of Cyber Business
adaptive-ui
insight Why Hyperadaptive UIs will lead the way in Human-AI Interaction
ai-machine-customers
insight Who gets recommended by AI? What every online retailer should know about the AI-driven shift in shopping
insight HiQ joins the Digital Defence Ecosystem, strengthening the commitment to advancing Finland’s defence and security
insight AI scores race days and optimizes Suomen Hippos’ trotting race calendar
insight HiQ expands in Europe – Strengthens its position in a rapidly growing tech market
insight New Chief Financial Officer for HiQ
insight A denial-of-service attack doesn’t just halt your business – It’s also a blow to your reputation
insight Designer Anh Ngo turned a childhood hobby into an award-winning career
insight Change in HiQ’s Management Team – Jouko Pirinen takes over HiQ’s Service Deliveries
insight Live Shopping combines nostalgic entertainment with modern digital commerce
insight 6 digital commerce needs, 6 solutions: Why Shopify is right for you, too
insight Why is testing the cornerstone of software quality? Jenny Salo explains
insight AI knows what you need and orders it for you – buying is changing, here’s how
insight eBook: 10 things you should do based on NIS2
insight Remote work in Spain? HiQ says yes to flexible telecommuting
insight 3 problems, 3 solutions: save your customer experience with Service Design
insight Defend Against DDoS Attacks: 5 Effective Ways to Protect Your Services
insight Three new Atlassian features to enhance teamwork and development processes
insight Minna Lindholm’s first 100 days as Managing Director
insight 5 concrete examples of using GenAI search in business
insight Emerging AI infrastructure and the future of enterprise technology
insight Have you unlocked your data goldmine yet? Here’s how AI trends shape the future of business
insight HiQ is building Finland’s strongest Atlassian team to challenge market leaders and expand service offerings
insight Navigating the AI Revolution: A Strategic Approach for Businesses
insight Agile development brings cost efficiency to Public Sector digitalization
insight How to keep up with the pressure of fast-paced change in digital services? Example cases of success
insight How to keep up with the public sector’s usability requirements from both consumers and legislation?
insight Whitepaper: Unified service development between the network and the physical environment
insight Minna Lindholm is the new Managing Director of growing HiQ Finland
insight Empower your company with a custom GenAI-powered search engine
insight HiQ acquires Ambientia’s Public business sector
insight HiQ to join forces with Ambientia’s public consulting unit
insight Transforming business with Generative AI – Four expert insights
insight Artificial intelligence (AI), data, and automation into a service area
insight From circus performer to software developer: HiQ’s Henkka enjoys strange challenges
insight Discovering the potential of coding assistants
insight Flexible culture drives well-being in work
insight “Work should be adapted to other life, not just the other way around”
insight Composable commerce – what, how, and to whom?
insight Harnessing data for business development
insight Unleashing the Power of Innovation and Inspiration: Greetings from Adobe Summit EMEA 2023 in London
insight Looking to build a service that leverages generative AI? Consider at least these things
insight There’s always too little customer understanding – this is how you can increase yours
insight Identification is on the rise – secure services are now more usable than ever
insight The best career path can be found by experimenting
insight Headless – Not Quite Such a Headless Approach
insight More productive and agile mobile development with Flutter
insight “Mato, come look – There’s a female nerd here!”
insight Senior Software Engineer Tapani has worked at HiQ for over 30 years: “I have never wanted to change companies”
insight HiQ’s Vibe Master, Judith, calls for appreciative encounters in working life: “You are fine just as you are”
insight What is service design – and what it definitely is not?
insight From bouncy castles to day care – how families are supported at HiQ
insight A digital loyalty programme is a prerequisite for a seamless customer experience
insight Freelancers and subcontractors as part of the HiQ team
insight HiQ acquires Lamia
insight In the best partnerships, everyone wins – HiQ invests in growth with a network of experts
Image placeholder
insight Scandio to be part of HiQ
insight How to secure your digital service’s competetiveness?
insight Summer has arrived at Levi Resort
insight St1 chose HiQ as its support partner for its mobile applications
Image placeholder
insight HiQ acquires Cogitel