
New Study Reveals 400+ Days of Hidden AI Tool Usage Across Enterprises, Creating Mounting Data Exposure

Andrea Bailiff-Gush
Updated
August 5, 2025

Reco's The State of Shadow AI Report Exposes Critical Security Gaps as OpenAI Commands 53% of All Unsanctioned Enterprise AI Usage

[Miami, FL August 4, 2025] – Reco, the leader in Dynamic SaaS Security, today released its comprehensive The State of Shadow AI Report, revealing that shadow AI has become a pervasive enterprise security threat with small and midsized businesses facing disproportionate risk. The study, based on analysis of real-world usage data across Reco's customer base, found that 27% of employees at companies with 11-50 workers are using unsanctioned AI tools, creating massive security blind spots.

Key Findings Reveal Unprecedented Risk Concentration

The report identifies five critical findings that demand immediate security attention:

  • 10 high-risk shadow AI applications are actively putting enterprise data at risk, with three apps—Jivrus Technologies, Happytalk, and Stability AI—receiving failing security grades for lacking fundamental controls like encryption and multi-factor authentication
  • OpenAI commands 53% of all shadow AI usage across enterprises, processing data from over 10,000 users in the study, creating unprecedented risk concentration in a single platform
  • Shadow AI persistence averages 400+ days, with some applications running unsanctioned for over a year, proving this isn't temporary experimentation but embedded business dependency
  • Small companies face 4x higher exposure, with organizations of 11-50 employees showing 269 Shadow AI tools per 1,000 employees, the highest concentration of any company size
  • Popular doesn't mean secure, as widely-adopted AI tools like CreativeX and Otter.ai maintain thousands of users despite security scores that should disqualify them from enterprise use

Financial Impact Now Quantifiable

According to IBM's Cost of a Data Breach Report 2025, breaches among organizations with high levels of Shadow AI usage carry an added cost of $670,000 compared to the global average breach cost, making shadow AI governance a critical business imperative.

"Security leaders face an unprecedented reality: shadow AI has infiltrated nearly every corner of the enterprise, creating massive blind spots that traditional security approaches cannot address," said Ofer Klein, CEO & Cofounder at Reco. "Our analysis reveals that employees are choosing AI tools like consumer apps: based on features and convenience, not security. This approach is exposing sensitive data, intellectual property, and customer information to significant risks."

Small Businesses Bear Disproportionate Risk

The report reveals a dangerous paradox for small and medium businesses: they show the highest per-capita shadow AI adoption while having the fewest resources to manage it. With 27% of their workforce using unsanctioned tools, these organizations face a perfect storm of maximum AI adoption with minimum security oversight.

"The same flexibility that helps smaller companies innovate quickly also enables ungoverned AI adoption," the report notes. "Without bureaucratic approval processes, employees freely experiment with AI tools, inadvertently exposing customer data, intellectual property, and competitive intelligence to unknown third parties."

OpenAI's Market Dominance Creates Systemic Risk

The study found that OpenAI alone accounts for 53% of all shadow AI usage across enterprises, with over 10,000 users tracked in the research. This unprecedented concentration means that any security incident, policy change, or service disruption at OpenAI could simultaneously impact the majority of enterprise AI workflows.

Methodology and Scope

Reco identified high-risk shadow AI applications through detailed analysis of anonymized, real-world usage data collected across its customer base. The assessment included internal telemetry, SaaS audit logs, third-party security ratings, and comprehensive evaluation across multiple security-relevant factors including encryption, authentication mechanisms, compliance certifications, and data handling practices.

About the Report

The State of Shadow AI Report presents analysis conducted by Reco based on comprehensive shadow AI data from Reco's enterprise customer base. The full report provides detailed recommendations for security leaders to transform shadow AI from risk to competitive advantage.

About Reco

Reco is the leader in Dynamic SaaS Security, the only approach that eliminates the SaaS Security Gap. The platform secures SaaS at every stage of its lifecycle through app discovery, posture management, identity and AI governance, and threat detection. Powered by the proprietary SaaS App Factory™ and Knowledge Graph, Reco supports 200+ applications and protects over 2 million users worldwide across some of the most trusted brands in the Fortune 100 and S&P 500.

Download the Report

The complete report, The State of Shadow AI Report, is available for download at https://reco.ai/state-of-shadow-ai-report.


Andrea Bailiff-Gush

ABOUT THE AUTHOR

Andrea is the Head of Marketing of Reco, responsible for driving demand and growth in SaaS security. Andrea is a cyber security veteran, having supported various security companies across various growth milestones, from Seed round to acquisition. She is passionate about growing businesses and teams to drive profitable outcomes and better well-being for CISOs and security practitioners.

Technical Review by:
Gal Nakash
Technical Review by:
Andrea Bailiff-Gush
