More than half of UK office workers are using AI tools their employer has not approved, and roughly one in ten say they have knowingly entered sensitive information into those tools despite understanding the risk. Yet among the bosses responsible for setting and enforcing the rules, only 16% say they are currently effective at managing safe AI use, even as 85% acknowledge improvement is needed. That gap, between the governance standard companies say they aspire to and the actual control surface they maintain, is the structural core of this story.
The UK findings come from KnowBe4, a security-awareness vendor that sells the kind of training the report implicitly argues for. Its 'From Agentic Risk to Human Wins' study polled 80 UK decision makers and 300 UK employees at organisations with 250 or more staff, across private and public sectors and industries including IT, healthcare and consumer services. The sample is modest, and the funder has a commercial position in the answer. Read with that weight, the picture is still striking.
Among UK employees, 55% admit to using unapproved AI tools at work, and about one in ten knowingly fed sensitive information into AI platforms despite understanding the risks. On the management side, 58% of UK decision makers rank unapproved software and AI tools as their top human-related cyber risk, ahead of phishing and impersonation. The risk ranking inside the same survey is sharper still: 46% of UK leaders flag sensitive data being shared with AI as a primary concern, 43% worry about AI acting without human oversight, and 40% point to phishing and impersonation. The gap between what leaders say worries them and what controls they actually have is the under-reported part of the story.
Independent trade press is pointing at the same pattern from a different angle. The Register reports that UK management is 'blinded by confidence' about shadow-AI visibility: workforce-admission numbers outrun the controls leaders think they have in place. The same confidence gap shows up inside KnowBe4's data on a newer threat. 81% of UK decision makers say their staff can recognise a deepfake video; only 66% of employees agree they can. The bosses think the frontline is sharper than the frontline thinks it is.
Outside the UK, the pattern is not KnowBe4-only. TechTimes, citing UpGuard, puts unsanctioned worker AI use near 45% globally, and Cybersecurity Dive frames the issue as a cross-market trust problem between employees and the AI tools their employers have not sanctioned. The UK figures sit at the high end of that range rather than outside it.
Analyst consensus now treats AI compliance and GenAI governance as critical CIO priorities for 2026. Gartner's top cybersecurity trends name AI compliance, the risk from AI agents that act on their own, and quantum-era cryptography among the year's biggest shifts, and the firm's November 2025 note on GenAI blind spots argues that most CIOs still cannot answer where their organisation's GenAI data is going. The KnowBe4 survey reads, from one angle, as a UK-specific echo of that analyst warning.
The mechanism is what makes the 16% figure sting. In the era of AI tools that act on their own, the productivity grey area has become a measurable data-exposure channel: those tools can paste, query, summarise or send sensitive material without a human click. Traditional security training asks staff to recognise a phishing email and report it. It does not, by itself, stop a worker from pasting a customer list into a chatbot the employer has never reviewed. The vendor answer, more awareness training, addresses the behaviour layer. The analyst answer, AI governance and approved-tool inventories, addresses the surface. The UK data suggests neither is being delivered.
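The "approved-tool inventory" the analysts call for only becomes a control once something checks traffic against it. As an added illustration, not code from the article, KnowBe4 or any vendor named above, the script below runs a handful of constructed proxy log lines against a hypothetical allow-list of sanctioned GenAI hosts and flags two things a governance owner would want to see: requests to AI services that are not on the inventory, and single POST requests large enough to be a pasted customer list rather than a short prompt. Every hostname, the log format and the 50,000-byte threshold are assumptions chosen for the example.

```python
import re
from collections import Counter

# Added example, not from the article or from KnowBe4. All hostnames are hypothetical
# placeholders standing in for an organisation's sanctioned and unsanctioned GenAI tools.

# Inventory of AI tools the organisation has reviewed and approved (constructed).
APPROVED_AI_HOSTS = {"ai.approved-vendor.test"}

# Hostnames the proxy team classifies as GenAI services, approved or not (constructed).
KNOWN_AI_HOSTS = APPROVED_AI_HOSTS | {"chat.unsanctioned-ai.test", "api.freemodel.test"}

# Request body size (bytes) above which a single POST looks like a bulk paste
# (a customer list, a document) rather than a short prompt. Tuning assumption.
BULK_UPLOAD_BYTES = 50_000

# Constructed proxy log format: timestamp user method url status bytes_sent_by_client
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"https?://(?P<host>[^/\s]+)\S*\s+(?P<status>\d{3})\s+(?P<sent>\d+)$"
)

# Constructed sample lines; users and hosts are fictional.
SAMPLE_LOG = """\
2025-11-03T09:12:04Z alice POST https://ai.approved-vendor.test/v1/chat 200 1840
2025-11-03T09:15:31Z bob POST https://chat.unsanctioned-ai.test/api/message 200 120431
2025-11-03T09:16:02Z bob GET https://intranet.corp.test/wiki 200 0
2025-11-03T09:20:45Z carol POST https://api.freemodel.test/complete 200 3200
2025-11-03T09:22:10Z alice POST https://ai.approved-vendor.test/v1/files 200 98000
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sent"] = int(rec["sent"])
    return rec


def classify(rec):
    """Reasons this request deserves review; an empty list means nothing to flag."""
    reasons = []
    if rec["host"] not in KNOWN_AI_HOSTS:
        return reasons  # ordinary web traffic, outside this check's scope
    if rec["host"] not in APPROVED_AI_HOSTS:
        reasons.append("unapproved_ai_tool")
    if rec["method"] == "POST" and rec["sent"] >= BULK_UPLOAD_BYTES:
        # Flagged even for approved tools: the point is visibility into where data goes.
        reasons.append("bulk_upload")
    return reasons


def analyse(log_text):
    """Run every line through the check and collect findings in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({"user": rec["user"], "host": rec["host"],
                             "bytes": rec["sent"], "reasons": reasons})
    return findings


def per_user_summary(findings):
    """Count findings per user, the view a governance owner would ask for first."""
    return dict(Counter(f["user"] for f in findings))


if __name__ == "__main__":
    results = analyse(SAMPLE_LOG)
    for f in results:
        print(f"{f['user']:<6} {f['host']:<28} {f['bytes']:>7} bytes  {', '.join(f['reasons'])}")
    print("per user:", per_user_summary(results))
```

On the sample above the check flags three of the five requests: one user reaching an unapproved tool with a large upload, one reaching an unapproved tool with a short prompt, and one large upload to an approved tool. That last case is deliberate: an inventory tells you which tools are sanctioned, but it does not by itself tell you what is leaving through them, which is the blind spot the Gartner note describes.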
What to watch next: whether the 58% of UK decision makers who flag unapproved AI as the top human risk start disclosing material breach or near-miss events tied to shadow tools, and whether the UK Information Commissioner's Office treats unauthorised AI input of personal data as a reportable category under existing UK GDPR rules. The number to beat, if governance is going to close, is the 16%.