Artificial intelligence without rules: Employees gain, but companies face growing risks

Artificial intelligence has become a daily tool in Polish companies, but organizations are struggling to keep up with the pace of adoption. According to a new report by ESET and DAGMA Bezpieczeństwo IT, 62% of employees use AI at work, and over a third would bypass company restrictions if access were limited. The lack of clear policies and secure tools is fueling the phenomenon of shadow AI, creating real cybersecurity risks.


The third edition of the report „Cyberportret polskiego biznesu 2026” (Cyber Portrait of Polish Business 2026), set to premiere at the CYBERSEC EXPO & FORUM conference in Katowice on June 15–16, reveals a widening gap between employee AI adoption and corporate governance. While 62% of employees now use generative AI tools for work tasks, only 27% of companies have a formal written AI policy in place. This regulatory void leaves most workers operating in an unregulated gray zone, often unaware of the consequences.

Shadow AI, defined as the use of unauthorized or unvetted AI tools outside official company channels, is on the rise. A significant 35% of surveyed employees admitted they would try to circumvent employer-imposed restrictions on AI tools if those restrictions prevented them from using their preferred solutions. More than a quarter said they would use personal devices to run AI queries and then send the results to their work devices. For many, productivity and convenience trump security.

The risk of sensitive data leakage

The report also highlights a direct threat to corporate data: 10% of employees confessed to feeding sensitive company information into public AI models. This practice increases the risk of data being stored on servers outside the European Union, being used to train future models, or being accessed by third parties. Consequences range from loss of trade secrets to GDPR fines.

Only 38% of companies have deployed enterprise-grade AI solutions that offer greater control over data processing. The absence of secure, approved tools pushes employees toward free public platforms, where they often use personal accounts and expose corporate data to unknown cloud environments.

How companies can respond to the AI risk

Experts emphasize that banning AI outright is not a solution. "The starting point should be understanding the scale of the phenomenon, then introducing clear rules about what is allowed and what is not, and most importantly why. Without explaining the reasons, it is hard to expect an employee to understand that pasting company data into a public language model can threaten the entire organization. It is also worth ensuring access to safe, approved tools – then employees will not have to reach for private accounts. The lack of such rules drives shadow AI. The biggest risk is data leakage into a cloud over which the organization has no control. The response is not a ban, but explaining the risk and pointing to safe alternatives," said Dawid Koziorowski, offensive cybersecurity team leader at DAGMA Bezpieczeństwo IT.

The authors of the report call on decision-makers to implement comprehensive AI governance that balances employee productivity with data protection. Skills awareness training, clear usage guidelines, and controlled deployment of enterprise AI platforms are key measures. As AI becomes embedded in daily operations, companies that fail to act now may find themselves exposed to breaches they could have prevented.

Source: WNP.PL, Photo: ESET / DAGMA Bezpieczeństwo IT
