Do you know what AI is leaking out of your company?

Somewhere in your organisation, right now, an employee is pasting something into a chatbot they shouldn’t. They’re not malicious – just trying to do better work, faster.

It might be a draft board paper with market-sensitive information, a customer list, or a client’s medical history. Details of an unannounced product. Questions about handling a mistake the company has made.

The chatbot accepts the input, ships the data to a server usually outside the company, and stores it in your account history. Then it gives you that helpful answer. But now, that data is out there, waiting to be spilled in the first widescale security breach of an AI service.

It’s why we’ve developed Vocus Secure Shield – fast network connectivity combined with a built-in security layer that supports staff in remaining compliant with information policies.

It can work whether team members are in the office, or using a configured device at home or out in the field. It monitors AI activity in real time and is designed to detect and block sensitive data before the prompt reaches the public AI model.

Most importantly, it’s designed not to make life hard for staff by blocking large swathes of the internet – quite the opposite; it’s about supporting staff in doing their best work, but safely.

The new shadow IT

Shadow IT started decades ago with Access databases – sensitive customer data sitting unmanaged on individual desktops and being passed around on USB sticks.

The new version – public AI – is harder to govern and more dangerous.

Many generative AI tools record what users input and, depending on the product and its settings, may store chats long term to train future versions of the model. The free public versions often run on overseas servers, where the privacy protections that apply can be unclear.

We haven’t yet seen a widescale security breach of an AI model, but when it happens, I predict it will cause serious harm and embarrassment (consider how you’d feel if all the information you’ve put into an AI engine was made public!)

How widespread is this?

The federal Jobs and Skills Australia report Our Gen AI Transition, published in March 2026, found between 21 and 27 per cent of white-collar Australians use generative AI at work without their manager’s knowledge. A 2025 KPMG and University of Melbourne study put the global figure as high as 57 per cent.

Research by Josys of 500 Australian technology decision-makers, published in 2025, found more than one in three Australian professionals regularly upload sensitive company data into public AI platforms. Strategy documents, financial records and customer files.

As bad as this sounds, these are not exotic edge cases. It’s almost certainly happening in every organisation right now. Legal firms, GP clinics, accounting practices, procurement teams.

The temptation of tools that make hard work feel easier is irresistible. It’s human nature. How many families kept using the wash board once the washing machine was available, or kept having ice delivered once the fridge was invented?

Blocking is not the answer

The leadership instinct is to ban everything except one approved corporate tool. It does not work – staff move to personal devices, hotspot their phones to their laptops or use home computers and home internet. Whenever a new public model outperforms the officially approved one, they find a way.

If someone asked your CIO which AI tools were being used by which staff, what data was put into them and what sensitive data was either leaked or blocked from leaking, could they answer it?

If the likely answer makes you uncomfortable, you probably already have a sense of how much data is leaking out of your company – just not a clear one.

Secure Shield was built so that next time someone puts that question to your CIO, the answer is clear.