shadow AICISOAI governance DLPmid-market

Shadow AI Survey 2026: What 500-2,500 Employee CISOs Actually Know About Employee LLM Use (and What They Don't)

A 2026 state-of-the-field synthesis on shadow AI in 500-2,500 employee regulated mid-market: adoption rates, data exposure categories, detection gaps, and the CISO visibility problem — sourced from Saviynt, Gartner, Forrester, and aggregate DLP telemetry.

VeladonApril 17, 202620 min read

Shadow AI Survey 2026: What 500-2,500 Employee CISOs Actually Know About Employee LLM Use (and What They Don't)

Direct answer (first 40 words): In 2026, 60-70% of employees at 500-2,500 employee mid-market companies use public LLMs weekly, but only 5% of CISOs are confident they could contain a compromised AI interaction. The visibility gap is architectural, not operational, and endpoint DLP cannot close it.

The number that defines 2026 shadow AI is 47/5. Saviynt's 2026 CISO Report (n=235 security leaders) found that 47% of CISOs observed unauthorized agent or LLM behavior in their environment in the past twelve months — but only 5% of the same group reported confidence in their ability to contain a compromised AI interaction. That is 42 percentage points of gap between "we saw something happen" and "we can do something about it."

That gap is not a sign of bad CISOs. It is a sign of an architectural mismatch. The DLP infrastructure most 500-2,500 employee companies already paid for was designed for a world where sensitive data left the organization through email attachments, USB drives, and SSL-inspected web uploads. In 2026, sensitive data leaves the organization through a JavaScript textarea on chat.openai.com, encrypted over HTTPS, to a provider API that endpoint DLP does not parse. The existing stack is structurally blind to the new exfiltration channel.

Bessemer Venture Partners framed this as "the defining cybersecurity challenge of 2026" in their Q1 2026 Cybersecurity State of the Market. Gartner carved out a new market category — AI TRiSM (AI Trust, Risk, and Security Management) — in mid-2024 and by Q1 2026 already tracked 40+ vendors in it. G2's AI Governance category crossed 1,640 verified product reviews in the first quarter of 2026, a 6x increase year over year. The signal is consistent across analyst, VC, and buyer-review surfaces: this is now its own budget line.

This piece is a synthesis. We pulled Saviynt 2026 CISO Report figures, Gartner 2026 AI Adoption survey ranges, Forrester Wave AI Governance Q3 2025 analyst notes, aggregate DLP vendor telemetry cross-referenced across Harmonic Security, Cyberhaven, Nightfall, Credo AI, Lakera (now a Check Point company), and Protect AI public data, plus recurring threads in r/cybersecurity and r/AskNetsec over the last six months. What follows is what a CISO at a 1,200-employee regulated mid-market actually needs to know going into the August 2026 EU AI Act deadline.

How Widespread Is Shadow AI in 500-2,500 Employee Mid-Market Companies in 2026?

The short answer: it is a majority behavior, and it doubled between 2024 and 2026.

Aggregate adoption across surveys converges on 60-70% weekly active use of a public LLM for work at 500-2,500 employee mid-market companies. That is a weekly rate, not a "ever tried it" rate. Gartner's 2026 AI Adoption Survey puts the number at 64% weekly. Saviynt's 2026 CISO Report registers 68% among respondents whose companies fell in the mid-market band. Forrester's Q3 2025 wave numbers came in at 61%, with an explicit note that the number trends upward every quarter.

Breakdowns by function track the intuition:

Engineering and product: 85-90% weekly use. Code generation, pull request summarization, and documentation drafting are the dominant use cases. GitHub Copilot and Cursor blur the line between "AI tool" and "IDE feature," which further obscures what employees actually consider shadow AI.
Marketing and sales: 70-75% weekly use. Email drafting, ad copy iteration, personalization at scale, and competitive summarization.
Legal and finance: 55-65% weekly use. Contract clause research, earnings commentary drafting, variance analysis, redline review. This band is lower because the perceived risk is higher — many legal and finance employees have self-imposed firewalls around what they paste.
Operations and manufacturing: 30-45% weekly use. Adoption exists but is slower and narrower.

The tool-share picture is still converging. ChatGPT holds roughly 55% of employee LLM time, Claude 22%, Gemini 15%, and Copilot (browser + Edge sidebar) 8%. The long-tail — Perplexity, Grok, Mistral Chat, plus dozens of vertical-specialist LLMs — absorbs the remainder. ChatGPT's dominance is slowly eroding at the top of the mid-market, where Claude has become the default for writing-heavy teams and Gemini has become the default where Google Workspace is already the identity backbone.

The comparison to 2024 is where the story sharpens. Adoption roughly doubled between 2024 and 2026. The CISO's "acceptable visibility" into it stayed almost flat. The gap widened, not because CISOs got worse, but because the thing they were supposed to see grew faster than the tools they were given to see it.

What Percentage of Employees Use ChatGPT, Claude, and Gemini for Work Without a Policy?

Roughly 45-50% of active mid-market LLM usage happens in an environment with no meaningful CISO visibility. That number is the effective rate after you apply three filters to the raw 60-70% adoption figure.

Filter one: does a written AI policy exist? About 70% of companies in the 500-2,500 employee band have some written AI policy by Q1 2026. Two years ago that number was closer to 30%. The policy exists on paper.

Filter two: does the policy have an enforcement mechanism? Less than 40% of policies have any technical enforcement. The typical "enforcement" is a Slack message from the CISO when a new model ships, an onboarding slide, and a link to a Confluence page.

Filter three: is the enforcement mechanism architecturally capable of seeing the prompt? The existing endpoint DLP / network DLP / SaaS connector DLP stack at a mid-market company typically sees less than 20% of outbound browser traffic to chat.openai.com. That is not because the tools are misconfigured. It is because the prompt lives inside a JavaScript textarea, leaves via HTTPS, and never touches the clipboard, the filesystem, or the email-gateway surface that endpoint DLP inspects.

Stack the three filters and the effective rate of LLM usage happening in CISO blindness is 45-50%. Higher in engineering-heavy organizations. Lower in finance-heavy organizations, but lower by maybe ten percentage points — not by a category.

There is a second-order pattern worth flagging. Companies with the strongest-sounding AI policies on paper frequently have the worst effective visibility, because a strict policy without enforcement pushes usage to personal accounts, mobile hotspots, and BYOD laptops that corporate DLP never touches. "We banned it" and "we see nothing" are, in practice, the same operational outcome for a CISO trying to answer a Big 4 auditor's evidence request.

What Kinds of Data Are Actually Leaking into Public LLMs?

Aggregate DLP telemetry from multiple 2025-2026 vendor public data releases converges on a consistent five-category distribution. The numbers are weighted averages across vendor disclosures; individual customer environments vary by 5-10 points on any given category.

Internal strategy documents and meeting notes: 30% of incidents. Drafts of board updates, competitive analysis, roadmap documents, customer escalation summaries. Usually pasted to ask the LLM to "summarize this" or "rewrite this for a board audience."
Source code and API keys: 20% of incidents. This category is heavily weighted by severity per event. One pasted API key can produce a higher-consequence incident than 100 pasted strategy documents. Engineering teams paste tracebacks, config files, and deployment scripts; the secrets travel along for the ride.
Customer personal data: 18% of incidents. Names, emails, phone numbers, sometimes account IDs. Customer support teams ask the LLM to draft replies; the original customer message goes in with the reply draft.
Financial data: 14% of incidents. Unreleased earnings figures, unit economics, customer revenue breakouts, cap tables. Concentrated in finance, strategy, and operator-proximate functions.
HR data: 10% of incidents. Performance reviews, compensation data, terminations, sensitive complaints. This category is rare in volume but high in consequence when it hits.

The residual 8% covers customer health information (in regulated healthcare-adjacent businesses), legal contracts and privileged communications, and unpublished intellectual property disclosures — patent applications, design specs, pending product launches.

A category that deserves its own mention because it rarely surfaces in vendor marketing: employees pasting their own personal data on work laptops. Tax documents, medical records, visa paperwork, family schedules. The data is personal but the device is corporate. When the employee leaves, that data trail creates a GDPR-adjacent HR exposure that most employers have not thought through.

Frequency versus severity pulls in opposite directions. Internal strategy leads frequency. Source code and API keys lead severity per incident. Customer PII sits in the middle of both and is usually what triggers the first regulator question. The audit question most 2026 CISOs are now getting is not "how many leaks happened" but "what is the distribution and what is trending up."

How Much Do CISOs Actually See About Employee AI Usage?

The honest answer from the 2026 Saviynt data: CISOs see 47% of incidents as anomalies but can contain 5% with confidence.

Unpacking that 47% is important. "Observed unauthorized AI agent behavior" in the Saviynt question covers anything from a one-off disclosure flagged via an OSINT alert, to a customer complaint that routed to the security team, to a reddit post that a SOC analyst caught. "Observed" does not mean "saw in a monitored feed." For most CISOs it means "found out after the fact."

The baseline visibility a typical mid-market CISO actually has into daily AI usage is narrower than the 47% number suggests. The usual four layers:

Browser history: available if endpoint management captures it, but not structured, not tied to a specific prompt, and not retained long enough for quarterly evidence.
Network logs with SSL inspection: covers the fact that an employee talked to chat.openai.com, not what they said. Roughly half of mid-market companies run SSL inspection on egress; the other half do not, for privacy and performance reasons. Even where SSL inspection runs, LLM payload parsing is a separate add-on most companies have not purchased.
Endpoint DLP on files and clipboard: catches large pastes out of Word or PDF, misses the incremental paste-in that is the dominant workflow on ChatGPT.
SaaS connector DLP (Nightfall, Polymer, Cyberhaven for SaaS): covers Google Workspace, Microsoft 365, Slack, Notion — the OAuth-connected surfaces. Does not cover direct browser traffic to chat.openai.com, claude.ai, or gemini.google.com.

Stack those four and a typical CISO sees catastrophic events (the ones that trigger a complaint, a press mention, or a legal letter) reliably, and sees the daily baseline of ordinary employee prompts almost not at all. The 47% in the Saviynt report is the top of the iceberg. The 5% containment number is a measurement of what happens when an iceberg tip surfaces and the CISO has to act with the tools on hand.

Why Does the Visibility Gap Exist in the Modern Browser-Based LLM Stack?

The gap is architectural. It exists because the browser became an application runtime that mid-market DLP tools were not designed to instrument.

Walk through the physical path of a prompt. An employee opens chat.openai.com in Chrome. They type — or more commonly, paste — content into a textarea element rendered by the OpenAI single-page application. The text lives in a JavaScript variable bound to that DOM element. When they press enter, the SPA issues an HTTPS POST to api.openai.com with the prompt in a JSON body. The request is TLS-encrypted end to end. The response streams back into the DOM.

At no point in that path does the prompt pass through a surface endpoint DLP inspects. It does not cross the clipboard (unless pasted). It does not land in the filesystem. It does not travel as an email attachment. It does not show up in the browser's download manager. The only network record is an encrypted HTTPS request to an IP that resolves to a major cloud provider.

Three existing DLP categories each fail to close the gap for a specific reason:

Endpoint DLP (Forcepoint, Zscaler endpoint, Symantec): inspects filesystem operations, clipboard, USB, and some outbound email. Blind to in-page JavaScript textarea content.
Network DLP with TLS inspection: requires MITM certificate deployment, incurs measurable performance and privacy cost, and needs LLM-specific payload parsers to interpret modern JSON bodies that rotate schema quarterly. Most mid-market companies do not run it.
SaaS connector DLP (Nightfall, Polymer, some of Cyberhaven): covers OAuth-connected surfaces — Slack, Notion, Google Drive, Microsoft 365 — by integrating at the API layer. Does not have an OAuth surface into the browser chat session at chat.openai.com.

Browser-native AI governance DLP emerged in 2024-2025 specifically because the existing three layers all architecturally miss the textarea. This is not a marketing claim. It is a consequence of where the prompt actually lives during composition. A tool that sits in the browser — as an extension with manifest v3 content-script permission — can read the textarea before submit, apply redaction, log the structured event, and let the (redacted) prompt go out. No tool positioned anywhere else in the stack can do that.

Even mid-market companies with mature DLP deployments have five specific blind spots in 2026.

Blind spot one: browser-direct traffic to chat.openai.com, claude.ai, gemini.google.com, copilot.microsoft.com, and perplexity.ai. The in-page textarea is invisible to endpoint DLP. SSL inspection plus payload parsing can see it, but most mid-market companies run neither at the depth required.

Blind spot two: OAuth-embedded AI features inside productivity SaaS. Slack AI, Notion AI, Linear AI, Zendesk AI, HubSpot AI — each ships LLM access to the employee without the employee having to visit an external chat surface. SaaS DLP coverage is vendor-by-vendor; if your SaaS DLP tool does not ship a connector for a specific AI-embedded app, that app is uncovered.

Blind spot three: AI features inside browser extensions the company itself allows. Grammarly AI, DeepL Write, Loom AI, Lex, Descript — the employee installed them with corporate blessing because the non-AI version was already in use, and the AI feature shipped as a silent upgrade. Extension-inside-extension visibility is rare in 2026 DLP tooling.

Blind spot four: copilots embedded directly in tools the employee opens without realizing it. Gemini in Gmail, Copilot in the Edge sidebar, ChatGPT Atlas browser, Arc's AI features. These operate on the tab the employee already has open and the prompt frequently includes content scraped from that tab automatically. The employee did not paste anything, so endpoint DLP sees nothing.

Blind spot five: personal devices on corporate networks and corporate devices on personal networks. Bring-your-own-device policies, home-office days, coffee-shop tethering. None of the perimeter-based DLP surfaces work when the employee is authenticated to their own ChatGPT account from their personal laptop on a hotel Wi-Fi.

The practical implication: even a CISO with a five-figure endpoint DLP budget and a six-figure SaaS DLP budget is looking at a detection-coverage surface that misses the dominant modern prompt path. Adding browser-native AI DLP is not a redundancy. It is the layer that covers what the existing two layers architecturally cannot.

Which Policy Responses Actually Work, and Which Ones Backfire?

A pattern emerges across mid-market case studies that made it into 2025-2026 public debriefs, analyst interviews, and r/cybersecurity retrospectives.

Policies that work share three traits:

Permissive default with inline enforcement. ChatGPT is allowed, Claude is allowed, but the extension redacts PII, PHI, source secrets, and customer identifiers inline before submit. The employee sees what was redacted and why. They do not have to choose between productivity and policy.
Visible paper trail for the employee. When an auditor, manager, or customer asks "did you use AI for this?" the employee can answer with the Veladon or equivalent usage log, with the redaction evidence attached. This turns the policy from a surveillance posture into a compliance asset for the employee.
Policy tiering by data category. Silent redaction for PII (no friction). Confirmation dialog for financial data (moderate friction, rare trigger). Block with escalation for medical or legal-privileged data (high friction, very rare trigger). Matching friction to risk is what prevents click-through fatigue.

Policies that backfire share the opposite traits:

Blanket firewall ban on public LLM domains. Pushes usage to personal devices and personal accounts within two weeks. Drops measured productivity in knowledge-work roles. Creates a policy-versus-practice gap that every employee survey surfaces by month three.
Confirmation-dialog DLP on every prompt. Trains employees to click through without reading within two weeks. The audit trail degrades to a log of "user acknowledged" events that mean nothing under regulator scrutiny.
Invisible block rules. Employees paste, the system blocks silently, the employee tries again with a variation, eventually finds the path that goes through. Generates a hostile relationship with the tool and with security.

A practice that underrates its own value: quarterly transparency reports to employees. "In Q2, 12,847 prompts were redacted across 412 employees. Here are the categories. Here is what was not." Publishing the aggregate data on an internal dashboard reduces the "Big Brother" perception of the extension and increases voluntary reporting of edge cases. CISOs who do this report higher employee trust and fewer shadow-channel workarounds.

What Does 2026-2027 Shadow AI Look Like, and What Should CISOs Build Now?

Three forces shape the 2026-2027 horizon.

First, LLM-embedded agents move from prompt-response to autonomous task execution. The employee no longer types "write me an email" and sees a response. The agent reads their calendar, drafts the email, and sends it. The data exposure surface expands from "what did the employee paste" to "what did the agent access on the employee's behalf." Gartner's 2026 AI TRiSM category explicitly separates "agent governance" from "prompt governance" for this reason.

Second, the regulatory clock runs out for most mid-market deployers in August 2026. EU AI Act Article 26 and Article 50 apply to deployers starting August 2, 2026. The first wave of Big 4 readiness reviews have already started. A 1,400-employee SaaS vendor with any EU exposure is being asked for an AI system inventory, 90 days of usage logs, a human oversight policy per use case, and a quarterly evidence pack. The window to build this from zero is under four months.

Third, enterprise customers write evidence requirements into renewal contracts before regulators fine anyone. The commercial penalty arrives in 2026. The regulatory penalty arrives in 2027.

What a 500-2,500 employee CISO should build in the next two quarters:

A browser-side redaction and logging layer. This is the architectural gap the rest of the stack cannot fill. Deploy via MDM (Intune, Jamf, Chrome Enterprise managed policy) in under a week.
A structured usage log with fields that an EU AI Act Article 26 auditor actually needs: event ID, employee identifier, timestamp, AI system, prompt hash, redaction categories applied, output hash, policy version, use-case tag, oversight application.
A quarterly evidence pack auto-mapped to Article 26, Article 50, ISO 42001 Annex A, and NIST AI RMF GOVERN/MAP/MEASURE/MANAGE. Signed ZIP, structured JSON plus PDF summary, regulator-ready format.
An employee-visible transparency dashboard. This is the anti-backfire mechanism. Without it, the extension reads as surveillance. With it, the extension reads as compliance enablement.
A policy editor a Compliance Officer can read and edit. Not a security engineer's YAML file. Plain-English policy DSL with regex escape hatches for the few cases that need them.

The 47/5 gap is not closed by buying more endpoint DLP. It is closed by building the layer that sees the prompt before the prompt leaves. Veladon was built specifically for this — browser extension plus SaaS connectors, inline redaction across the top LLM surfaces, structured usage logs mapped to EU AI Act and ISO 42001, and a quarterly evidence pack that ships as base-plan functionality. See Veladon for EU AI Act, Veladon for ISO 42001, or Veladon vs Harmonic Security for the mid-market-versus-Fortune-500 breakdown.

If you are a CISO at a 500-2,500 employee mid-market and the 47/5 gap is the number that stuck, that is the gap Veladon closes. Join the early-access brief and get the browser-native visibility your endpoint DLP and network DLP architecturally cannot give you.

Frequently asked questions

What percentage of employees in mid-market companies use ChatGPT or Claude for work?

Multiple 2025-2026 industry surveys — including Saviynt's 2026 CISO Report (n=235) and Gartner's 2026 AI Adoption Survey — converge on the same range: 60-70% of employees in 500-2,500 employee mid-market companies use a public LLM (ChatGPT, Claude, Gemini, Copilot) for work at least weekly. Of those, roughly 45-50% do so without their employer having any visibility into the content of their prompts. The rate is higher in knowledge-work-heavy functions (engineering, marketing, legal, finance) and slightly lower in operations and manufacturing roles.

What kinds of data do employees actually paste into ChatGPT and Claude?

Based on 2025-2026 aggregate DLP telemetry from multiple vendors, the top five categories of sensitive data leaked to public LLMs are: (1) internal strategy documents and meeting notes (roughly 30% of incidents), (2) source code and API keys (20%), (3) customer personal data including names, emails, and phone numbers (18%), (4) financial data including unreleased earnings and customer revenue (14%), and (5) HR data including performance reviews and compensation (10%). The remaining 8% covers customer health information, legal contracts, and intellectual property disclosures.

How much visibility do CISOs actually have into employee LLM usage in 2026?

Saviynt's 2026 CISO Report indicates that 47% of CISOs report observing unauthorized agent or LLM behavior in their environment, but only 5% of the same group report confidence in their ability to contain a compromised AI interaction. The gap between detection and containment is the defining CISO visibility problem of 2026. Even CISOs with mature endpoint DLP typically see less than 20% of outbound browser traffic to public LLMs, because most endpoint DLP tools inspect file transfers and clipboard events but not the in-page JavaScript textarea where ChatGPT prompts are actually composed.

Why don't traditional DLP tools catch prompts sent to ChatGPT and Claude?

Traditional DLP tools inspect data at three layers: endpoint (file transfers, clipboard, USB), network (SSL-inspected traffic egress), and SaaS connector (OAuth into Google Workspace, Microsoft 365, Slack). None of these layers see the content of a prompt typed into chat.openai.com or claude.ai in the browser. The browser is a closed execution environment; the prompt lives in a JavaScript textarea and leaves via HTTPS to the provider's API — invisible to endpoint and network DLP unless the tool specifically decrypts TLS and parses the LLM API payload. This is the architectural reason browser-native AI DLP tools emerged in 2024-2025.

What is the difference between a shadow AI policy that works and one that backfires?

Policies that work share three traits: they are permissive by default (allow ChatGPT with redaction, don't block it), they redact sensitive data inline rather than interrupting the employee with confirmation dialogs, and they provide a visible paper trail the employee can point to when asked "did you use AI for this?" Policies that backfire share the opposite traits: outright bans push usage underground (personal devices, personal accounts), confirmation-dialog DLP trains employees to click-through-without-reading, and invisible block-rules create a climate of distrust where employees work around the tool rather than with it.

How does Veladon compare to a blanket ban on ChatGPT at the corporate firewall?

Blanket firewall bans fail at 500-2,500 employee mid-market in two ways. First, employees switch to personal devices, personal accounts, and mobile hotspots — you lose all visibility. Second, the productivity cost is real: 60-70% of knowledge workers use public LLMs weekly for legitimate work, and a blanket ban either drops productivity or pushes the work onto shadow surfaces. Veladon's approach is inline redaction with full audit trail: employees keep using ChatGPT and Claude the way they always did, sensitive data is redacted before the prompt leaves the browser, and your CISO gets the visibility that a firewall block only pretends to provide.

Shadow AI Survey 2026: What 500-2,500 Employee CISOs Actually Know About Employee LLM Use (and What They Don't)

How Widespread Is Shadow AI in 500-2,500 Employee Mid-Market Companies in 2026?

What Percentage of Employees Use ChatGPT, Claude, and Gemini for Work Without a Policy?

What Kinds of Data Are Actually Leaking into Public LLMs?

How Much Do CISOs Actually See About Employee AI Usage?

Why Does the Visibility Gap Exist in the Modern Browser-Based LLM Stack?

What Are the Top Detection Blind Spots Even in Companies With DLP Already?

Which Policy Responses Actually Work, and Which Ones Backfire?

What Does 2026-2027 Shadow AI Look Like, and What Should CISOs Build Now?

Frequently asked questions