Teramind warns of AI governance gap at enterprises

Teramind has released research on workplace AI use, pointing to a gap between how executives and employees approach AI security.

The Shadow AI Behaviour Report found that 69% of C-suite leaders prioritise speed over security when using AI tools, compared with 37% of frontline employees. It also found that 67% of enterprise AI usage runs through unmanaged personal accounts on corporate devices, including on platforms employers have already licensed.

The research was produced by Teramind's Research & Intelligence Team and drew on behavioural telemetry, a survey of 300 global enterprise Chief Information Security Officers, and third-party data from IBM Cost of a Data Breach 2025 and Gartner 2025.

The figures add to employer concerns over the spread of so-called shadow AI, where staff use artificial intelligence tools outside formal company oversight. Here, the report argues that the bigger issue is not just unauthorised tools, but approved services used in ways companies cannot see or control.

Among the other findings, 86% of organisations said they have no visibility into how data moves to and from AI tools. It also found that 45% of employees look for workarounds when AI tools are restricted, while 48% said they would keep using AI even if it were explicitly banned.

Deadline pressure appeared to be a major factor. According to the report, 60% of employees said the productivity benefits of unsanctioned AI outweigh the security risks when time is tight.

Another finding pointed to generational differences in behaviour. The study found that 62% of Gen Z employees are actively hiding their AI use at work.

Governance gap

The data suggests many organisations are struggling to apply AI governance consistently across the business. The contrast between senior leaders and frontline staff is particularly sensitive because executives often set the policies others are expected to follow.

The findings challenge the assumption that the main risk comes from staff turning to rogue AI apps. Instead, most enterprise AI activity takes place on approved platforms, but through personal accounts or usage patterns outside formal monitoring.

That creates a governance gap for employers that may believe they have reduced risk by approving certain tools. If use shifts into unmanaged accounts, companies can lose visibility over what information is being entered, how outputs are used, and whether corporate data is moving beyond internal controls.

The report linked that gap to a wider set of business risks, including data loss, compliance failures and insider threats. Those risks can arise even when workers are using approved systems, if the organisation cannot track how AI tools are being used.

The report framed this around both approved and unapproved use. "The conversation around AI governance has largely focused on employees using unauthorized tools, but our research suggests the problem runs much deeper," said Gal Perl, Chief Product Officer, Teramind.

"When leadership teams prioritize speed over security, it becomes significantly harder to build a culture of accountability around AI use," Perl said.

Visibility issue

The research points to visibility as a more pressing problem than outright prohibition. Bans and restrictions may have limited effect if employees continue using the tools through personal accounts or informal workarounds.

That is reinforced by the finding that nearly half of employees would continue using AI even if it were banned. Combined with the high proportion of organisations lacking visibility into data movement, the figures suggest policy alone may not reflect day-to-day behaviour.

Organisations with more mature AI governance programmes tend to share a set of features, according to Teramind. These include greater visibility into AI usage, stronger accountability measures, clearer rules, and more consistent enforcement across different levels of seniority.

The report did not break out all sector-level differences, but said the issue spans global enterprises and extends beyond technical teams. The use of personal accounts on company devices suggests AI oversight is becoming as much an operational issue as a cyber security one.

For many employers, the results may sharpen questions over whether formal approval of AI platforms is enough. If workers are using the same services through unmanaged identities, a corporate licence may do little to guarantee oversight.

Perl said the problem is often misdiagnosed. "Organisations don't have a shadow AI problem as much as they have a visibility problem," he said. "You can't govern what you can't see. The companies succeeding with AI governance aren't necessarily the ones with the strictest policies. They're the ones with the clearest understanding of how AI is actually being used across their workforce."