Shadow AI Is The Blind Spot No Australian Board Can Ignore
Australia’s corporate leaders are sleepwalking into a technology blind spot that will cost them dearly. Shadow AI is already entrenched in workplaces, and boards that treat it as a side issue are making the same mistake they made a decade ago with shadow IT and cloud adoption. Back then, companies allowed employees to use unapproved cloud apps because they seemed harmless. The result? Exposed data, regulatory failures, and an entire new category of cyber risk.
Posted: Thursday, Sep 04

i 3 Table of Contents

Shadow AI Is The Blind Spot No Australian Board Can Ignore

Introduction

Australia’s corporate leaders are sleepwalking into a technology blind spot that will cost them dearly. Shadow AI is already entrenched in workplaces, and boards that treat it as a side issue are making the same mistake they made a decade ago with shadow IT and cloud adoption. Back then, companies allowed employees to use unapproved cloud apps because they seemed harmless. The result? Exposed data, regulatory failures, and an entire new category of cyber risk.

AI is moving even faster, and the risks are magnified. Employees are pasting sensitive financials into copilots, letting AI assistants generate critical code, and relying on large language models to make strategic recommendations. This isn’t “playing around with chatbots.” It’s the backbone of decision-making in companies handling billions of dollars.

In fact, 63% of employees across Australia and New Zealand admit to using AI tools at work, yet only 11% of organisations formally permit it, and just 4% provide any training. The scale of unmanaged use makes one thing clear: most boards can’t answer the simplest questions—What AI tools are being used inside our company? By whom? For what purpose?

Australia’s Voluntary Guardrails Aren’t Enough

The federal government has introduced voluntary AI ethics principles and a new AI Safety Standard. A proposal paper for mandatory guardrails in “high-risk” use cases is on the table. But the operative word here is voluntary. Australia is tinkering at the edges while our businesses are plunging head-first into AI adoption.

Meanwhile, Jobs and Skills Australia reports that up to 27% of workers are using AI without their manager’s approval, highlighting how quickly “shadow AI” has taken root. Waiting for legislation to catch up is a fool’s game. Boards must act now, not when regulators tell them to.

AI Is Not a Side Hustle; It’s a New Attack Surface

The uncomfortable truth is, AI has already become a new category of enterprise risk. Misconfigured copilots can leak confidential data. AI agents can be manipulated via prompt injection, jailbreaking, or malicious training data. What starts as an experiment in efficiency quickly becomes an insider threat.

Australia’s directors cannot claim ignorance. We’ve seen this movie play out before with the cloud, and the ending doesn’t change. First comes adoption. Then comes risk. Then comes regulation. And in between? Data breaches, lawsuits, and shareholder pain. A Governance Institute submission recently found that while 90% of Australian organisations report some AI usage, most lack any governance frameworks. That gap is a direct line to future liability.

The Board’s Responsibility

Cybersecurity is no longer a line item buried in the CIO’s budget. It’s a governance issue that regulators, investors, and customers scrutinise. Shadow AI deserves the same treatment. Boards should demand immediate visibility into AI usage, technical enforcement of AI policies, and proactive alignment with global frameworks.

Ignoring this responsibility is not just negligent; it’s reckless. In an era when directors can be held personally liable for cybersecurity failures, the cost of complacency is measured not just in corporate losses but also in reputational and legal fallout.

The lesson here is that AI security is not optional. It is not a future concern. It is not someone else’s problem. It is the next frontier of enterprise risk, and Australian boards that fail to get ahead of it will be remembered the same way as those who dismissed cloud security are remembered—short-sighted, unprepared, and on the wrong side of history.

Shadow AI is the boardroom blind spot of this decade. Don’t ignore it.

Bob Huber
Robert Huber, Tenable’s chief security officer, head of research and president of Tenable Public Sector, LLC, oversees the company’s global security and research teams, working cross-functionally to reduce risk to the organization, its customers and the broader industry. He has more than 25 years of cyber security experience across the financial, defense, critical infrastructure and technology sectors. Prior to joining Tenable, Robert was a chief security and strategy officer at Eastwind Networks. He was previously co-founder and president of Critical Intelligence, an OT threat intelligence and solutions provider, which cyber threat intelligence leader iSIGHT Partners acquired in 2015. He also served as a member of the Lockheed Martin CIRT, an OT security researcher at Idaho National Laboratory and was a chief security architect for JP Morgan Chase. Robert is a board member and advisor to several security startups and served in the U.S. Air Force and Air National Guard for more than 22 years. Before retiring in 2021, he provided offensive and defensive cyber capabilities supporting the National Security Agency (NSA), United States Cyber Command and state missions.
Share This