Summary
- Sixty-four per cent of surveyed employees said they used unauthorised AI tools for work.
- Password reuse, password sharing, public Wi-Fi use, and access without a virtual private network remained widespread.
- The survey covers 684 employees in eight countries and relies on self-reported behaviour.
Almost two-thirds of employees surveyed by WatchGuard said they had used an unauthorised artificial-intelligence tool for work, while fewer than three in ten believed their organisation maintained an accurate inventory of the software in use.
The company’s 2026 Cybersecurity Hygiene Report surveyed 684 employees at organisations with between 50 and 500 staff across the UK, Germany, France, Spain, the United States, Australia, Mexico, and Brazil.
Alongside the 64% reporting unauthorised AI use, 76% said they reused passwords, 30% shared passwords with other people, and 70% used public Wi-Fi for work. Half said they accessed corporate resources without virtual private network protection, while 55% used work devices for personal activity.
Nearly 40% said their employer lacked full visibility of the applications employees used. WatchGuard’s report also found that 23% had never received phishing training and that three-quarters said they had experienced a cyber incident during the previous year.
The findings are based on self-reported behaviour rather than technical observation. Respondents may interpret practices differently, and the sample does not provide precise national estimates for each of the eight countries.
Even with those limitations, the results describe a control gap in which employees adopt services faster than organisations can identify them, while long-standing weaknesses involving credentials and remote access remain widespread.
Shadow AI expands application governance
Unauthorised AI use may involve employees placing customer records, internal documents, source code, contracts, meeting notes, or operational information into consumer services. The resulting exposure depends on the data submitted, the provider’s terms, account settings, retention arrangements, and model-training practices.
A prohibition can reduce visible use without removing the demand that led employees to the service. Personal accounts, browsers, and unmanaged devices can move activity outside corporate monitoring while leaving less evidence of where information has gone.
Approved services need to satisfy the work employees are trying to complete. Policies should specify which tools can be used, which data classifications may be submitted, how outputs are checked, and who owns decisions that rely on generated content.
Application discovery is part of the same control system. An organisation that cannot identify the browser services and software used by its workforce cannot assess supplier terms, revoke access, investigate leakage, or establish whether a third party holds sensitive information.
Smaller businesses commonly depend on managed service providers for endpoint and network administration. An MSP may maintain those systems while having limited visibility of browser applications and personal AI accounts unless its contractual scope and telemetry include them.
Existing identity weaknesses increase the exposure
The password findings show that AI adoption is developing alongside unresolved identity problems. Reused or shared credentials can turn compromise of one service into access across email, cloud applications, supplier portals, and collaboration platforms.
Multi-factor authentication reduces some account-takeover risk, but it does not correct excessive permissions, shared accounts, or poor joiner, mover, and leaver processes. Password managers can reduce reuse when their own recovery and administrative controls are well governed.
Public Wi-Fi is not automatically unsafe where applications use strong encryption and devices are correctly managed. Exposure increases when an untrusted network is combined with an unmanaged endpoint, weak authentication, outdated software, or direct access to internal services.
A virtual private network is also not a universal measure of secure remote access. Application-level access systems may provide tighter controls, while an overly broad VPN can expose more of the internal environment than the user requires. The survey records inconsistent practices but does not describe the architecture behind every response.
Risk develops where work incentives, approved tools, identity controls, visibility, and policy do not align. Browser and software inventories, identity logs, data controls, helpdesk records, and sanctioned AI usage can show where policy differs from daily work and where intervention is required.



