
Employees Are Outsmarting Company Security Controls

Summary

– AI tools are widely used by employees but often without proper policy awareness or compliance, creating security risks through unapproved “shadow AI” usage.
– SaaS sprawl and shadow IT are growing problems as employees frequently download unauthorized work tools, with many apps remaining unmanaged by security systems like SSO.
– Password reuse, sharing, and weak credentials remain common unsafe practices and a leading cause of data breaches, despite increased interest in passkey adoption.
– Device management is increasingly complex in hybrid work environments, with personal devices often lacking corporate security protections and MDM tools proving inadequate.
– Organizations are advised to shift from blocking new tools to implementing continuous monitoring, automated governance, and better visibility across all systems and access points.

The rapid adoption of artificial intelligence, software-as-a-service platforms, and personal devices is fundamentally reshaping how employees accomplish their daily tasks. Unfortunately, traditional security measures like single sign-on, mobile device management, and identity and access management systems are struggling to keep pace with these evolving work patterns. This mismatch creates a significant disconnect between organizational security assumptions and actual data access behaviors among both human workers and automated AI agents.

Security researchers identify this growing divide as the “access-trust gap,” which manifests across four critical areas: AI governance, SaaS and shadow IT usage, credential management, and endpoint security. Each domain reveals a consistent trend of swift technology adoption occurring alongside insufficient organizational oversight.

Artificial intelligence tools have become nearly ubiquitous in the workplace, with 73% of employees incorporating AI into their job functions. Despite this widespread usage, more than one-third of workers acknowledge they don’t consistently follow company guidelines regarding AI, with many uncertain about what those policies actually entail. While most security teams believe their organization has established AI protocols, a surprising number of employees report never having encountered any formal guidance.

The situation becomes more complicated with shadow AI implementations. Approximately 27% of workers have utilized AI tools that lack official company approval. These applications typically operate through web browsers and offer free access, making them incredibly easy to adopt while remaining virtually undetectable to IT departments. This visibility gap creates substantial risk when employees input sensitive corporate information into unvetted systems.

Security experts recommend that organizations transition from outright blocking AI tools toward implementing monitoring and guidance frameworks. Establishing clear discovery processes, communication channels, and oversight mechanisms proves more effective than attempting to prohibit new technologies completely.

The expansion of cloud applications presents another significant challenge. Modern organizations typically depend on hundreds of SaaS tools, with many operating outside IT department visibility. More than half of employees confess to downloading work applications without proper authorization, frequently because approved alternatives function too slowly or lack essential features.

This unauthorized adoption fuels what security professionals call SaaS sprawl. Seventy percent of security experts acknowledge that SSO solutions don’t provide comprehensive identity protection, with only about two-thirds of enterprise applications typically integrated with single sign-on systems. The remaining unmanaged applications create substantial security vulnerabilities.

Inadequate offboarding procedures compound these problems. Thirty-eight percent of employees admit they’ve accessed former employers’ accounts or data after leaving their positions. Inconsistent departure processes and fragmented access systems make these security lapses surprisingly common.

Implementing continuous discovery for both approved and unapproved applications, coupled with automated governance that monitors access over time, provides a more effective security approach. Comprehensive visibility across all tools, not just those connected to SSO, proves essential for reducing hidden risks.
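The two recommendations above, continuous discovery of applications outside the SSO inventory and automated governance that catches access lingering after an employee leaves, can be turned into a small, repeatable check. The script below is an added example, not code from the article or from HelpNet Security; every application host, user name, termination date and log line in it is constructed sample data, and the four-field log format is an assumption standing in for whatever a CASB, secure web gateway or identity provider actually exports.

```python
"""
Added example: a minimal access-governance job that joins three data
sources and reports (1) shadow SaaS, i.e. hosts seen in access logs that
are not in the SSO-integrated inventory, and (2) lingering access, i.e.
sign-ins by users after their HR termination date.

All hosts, users, dates and log lines are constructed for illustration.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed: applications the identity team believes are behind SSO.
SSO_APPS = {"crm.example.com", "wiki.example.com", "mail.example.com"}

# Constructed: HR roster; None means the person is still employed.
HR_ROSTER = {
    "alice": None,
    "bob": date(2024, 5, 31),
    "carol": date(2024, 6, 14),
}

# Constructed access log, one event per line:
#   <ISO-8601 timestamp> <user> <application host> <auth method>
ACCESS_LOG = """\
2024-06-03T09:12:44Z alice crm.example.com sso
2024-06-03T09:15:02Z alice chatbot-free.example.net local
2024-06-04T18:40:10Z bob wiki.example.com sso
2024-06-05T07:02:31Z carol crm.example.com sso
2024-06-20T22:11:05Z carol notes-app.example.org local
2024-06-21T10:00:00Z alice crm.example.com sso
"""


def parse_log(text):
    """Parse the assumed log format into dicts; malformed lines are skipped
    rather than aborting the whole governance run."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, host, auth = parts
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "host": host,
            "auth": auth,
        })
    return events


def find_shadow_apps(events, sso_apps):
    """Discovery: map each host outside the SSO inventory to the sorted
    list of users observed reaching it."""
    seen = defaultdict(set)
    for ev in events:
        if ev["host"] not in sso_apps:
            seen[ev["host"]].add(ev["user"])
    return {host: sorted(users) for host, users in seen.items()}


def find_lingering_access(events, roster):
    """Governance: (user, host, timestamp) for every sign-in that happened
    after the user's HR termination date. Users not in the roster are
    ignored here; a fuller job would flag them as orphan accounts."""
    findings = []
    for ev in events:
        term = roster.get(ev["user"])
        if term is not None and ev["ts"].date() > term:
            findings.append((ev["user"], ev["host"], ev["ts"]))
    return findings


def run_report(log_text=ACCESS_LOG, sso_apps=SSO_APPS, roster=HR_ROSTER):
    """Run both checks and return a dict suitable for ticketing or alerting."""
    events = parse_log(log_text)
    return {
        "shadow_apps": find_shadow_apps(events, sso_apps),
        "lingering_access": find_lingering_access(events, roster),
    }


if __name__ == "__main__":
    report = run_report()
    for host, users in report["shadow_apps"].items():
        print(f"shadow app {host}: used by {', '.join(users)}")
    for user, host, ts in report["lingering_access"]:
        print(f"lingering access: {user} reached {host} at {ts.isoformat()}")
```

Run unchanged, the job reports two shadow applications (both reached with local, non-SSO logins) and two post-termination sign-ins. The design point is that the roster and the SSO inventory are inputs, not assumptions baked into the detection: rerunning the same job on each day's export is what turns a one-off offboarding audit into the continuous monitoring the article recommends.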

Password-related vulnerabilities continue to plague organizations despite years of security awareness training. Two-thirds of employees admit to engaging in unsafe practices including password reuse, credential sharing, dependence on default passwords, or transmitting login information through email and messaging platforms.

Weak authentication methods remain a primary factor in security breaches. Nearly half of surveyed professionals identify employees using weak or compromised passwords as their most significant challenge. Among organizations that experienced material breaches during the past three years, stolen credentials represented the second most common cause, trailing only software vulnerabilities.

Many companies are now turning to passkey technology as a potential solution. Eighty-nine percent of security leaders report their organizations are either encouraging or planning to encourage passkey adoption. These authentication systems replace traditional passwords with biometric or device-based verification that resists phishing attempts and supports regulatory compliance standards.

“Passkey enthusiasm doesn’t surprise me because implementing companies are making conversion incredibly simple, often just one click completes the process,” noted Brian Morris, CISO at Gray Media.

Security professionals recognize that traditional passwords will coexist with newer authentication systems for the foreseeable future. The practical objective involves reducing how frequently users handle raw credentials rather than attempting to eliminate passwords entirely.

The shift toward hybrid and remote work arrangements has dramatically complicated device management. Nearly three-quarters of employees use personal devices for work purposes at least occasionally, with over half doing so weekly.

While Mobile Device Management remains the standard control method for company-owned hardware, security leaders increasingly recognize its limitations. MDM tools often fail to adequately protect managed devices or ensure compliance, having been originally designed for organization-owned computers rather than environments where personnel frequently switch between personal and corporate devices accessing cloud services.

Personal devices offer convenience but typically lack the security protections found on corporate machines. Even when companies formally prohibit bring-your-own-device practices, enforcement often proves inconsistent, with employees continuing to access corporate data from personal smartphones and laptops.

(Source: HelpNet Security)
