
Shadow AI: How One ChatGPT Prompt Can Cost Your Company $670K

IBM 2025: Shadow AI adds an average $670K to every data breach. What really happens when employees feed private chatbots with business data.

Alexander Vallon, May 25, 2026, 5 min read

How One Semiconductor Engineer Triggered Samsung's ChatGPT Ban

Back in April 2023, a Samsung engineer was stuck on a problem. A line of source code for a confidential semiconductor process wasn't working. He pasted the code into ChatGPT, got a fix, and carried on with the project. He was probably proud of his efficiency.

Three weeks later, two more employees had done similar things: one had a confidential meeting transcribed, another had a chip production test sequence optimized. Samsung pulled the plug and banned all generative AI tools company-wide. By that point, however, the data had already been transmitted to an external server and was no longer under Samsung's control.

The story shows up in every compliance briefing since. What hasn't changed is the frequency. We see the same pattern in nearly every client conversation, just without the headline.

The Number Every CEO Should Know

In 2025, IBM surveyed over 600 organizations worldwide on data incidents. The central finding:

An incident involving high Shadow AI activity costs companies on average $670,000 more than a comparable incident without an AI dimension.

In addition:

  • One in five organizations has already reported a Shadow AI-related incident
  • 97 % of affected organizations had no access controls for AI tools in place
  • 63 % have no AI governance policy at all
  • In two-thirds of these incidents, customer data was involved

This isn't a theoretical risk anymore. For one in five companies it's already reality. For the other four out of five it's a question of probability, not possibility.

Three Scenarios We See Every Week

Scenario one. A sales support rep in a mid-sized European company has 60 minutes to respond to a complex customer inquiry. She pastes the inquiry, including customer name, order history, and contract terms, into ChatGPT, asks for a draft, and sends out an excellent response. The data is now with the provider. Whether it's used for training depends on her account type, which she set up herself, on a personal email.

Scenario two. A division head spends Sunday evening on a presentation for Monday's board meeting. He pastes confidential quarterly numbers into a chatbot to clean up the wording. Personal laptop, not his work device. Data out, no trace in IT logs.

Scenario three. A marketing intern needs to deliver a competitor analysis by Thursday. He uses an AI tool he discovered on TikTok. The provider is based somewhere. The data residency is documented nowhere. Possibly China. Possibly EU. Nobody has ever checked.

According to the LayerX 2025 report, 77 % of employees in larger companies regularly paste content into chatbots. 68 % use free versions through personal accounts. More than half input sensitive information. These aren't outliers. This is the norm.

What GDPR and the EU AI Act Have to Say

Pasting your customers' data into ChatGPT.com isn't just a gut-feel problem. In many cases it's a legal breach.

GDPR requires you to know where personal data is processed, who sees it, and on what legal basis. An employee who pastes data into an unsanctioned tool creates a data processing event you have neither vetted nor covered contractually nor documented. In a breach, your leadership is liable, not the individual employee.

From August 2026, the EU AI Act adds further penalties. For prohibited practices, fines run up to €35 million or 7 % of global annual turnover, whichever is higher. What needs to be in place by then is covered in our EU AI Act roadmap.

What Works and What Doesn't

The first thing many companies try is also the weakest: a ban. Block ChatGPT in the browser, blacklist all AI tools, send a threatening memo from the CISO. That doesn't solve the problem, it pushes it underground. Employees then use smartphones, personal devices, or one of the dozens of alternatives they got recommended on LinkedIn. You can't measure anything anymore, but the data keeps flowing.

What actually works is this sequence:

First: offer an officially sanctioned, safe alternative. As long as your employees don't have a good, legitimate solution, they'll find suboptimal ones. For writing and research, Microsoft 365 Copilot Enterprise usually covers the ground. For deeper knowledge access, a corporate LLM on your own infrastructure is the usual answer.

Second: a short, clear Acceptable Use Policy. Three pages, no legalese. What can go in, what can't, what to do when in doubt.

Third: train, don't lecture. Employees who understand why something is a problem stick to rules more reliably than those who simply signed a PDF.

Fourth: brief the board with honest numbers. If leadership doesn't know where the company actually stands today, it can't decide where it should be tomorrow.

Get Started

Shadow AI is not reversible. Data that has left the company doesn't come back. The risk is controllable if you address it now rather than after the first incident. We help companies with inventory, policy drafting, and rolling out safer alternatives. If this is on your plate, let us know.

Frequently Asked Questions

What is Shadow AI, in plain terms?

Shadow AI is the use of AI tools by employees without the knowledge or approval of IT or compliance. In practice, it's mostly private ChatGPT accounts where business data gets pasted to draft an email, summarize a document, or analyze a problem faster. Surveys show that more than two-thirds of employees in larger companies use such tools regularly, usually with good intentions, almost always unaware of the consequences.

Is it enough to block ChatGPT.com in the browser?

No, for three reasons. Employees use smartphones, personal devices, and dozens of alternatives by now. A pure ban undermines productivity without solving the problem, and it doesn't protect you from fines once data has already leaked. What works is a sanctioned, safe alternative plus clear guidelines plus training, in that order.

What penalties does my company face?

GDPR fines range up to €20 million or 4 % of global annual turnover, whichever is higher. From August 2026 the EU AI Act adds further penalties, in the worst case up to €35 million or 7 % of turnover. Add reputation damage, contractual penalties from clients with strict data protection requirements, and in regulated industries supervisory consequences. According to IBM 2025, the average additional cost of a Shadow AI-related incident is $670,000.

Alexander Vallon

CEO & Strategy

B.A./M.A. in Business. 8+ years in performance marketing, social media strategy, and influencer marketing. Led campaigns for Fraport AG and Schott Ceran.
