2025 State of Shadow AI Report
reco.ai

Table of Contents

Executive Summary: The Shadow AI Era Is Here
Methodology
Glossary
Setting the Stage: Why We Should All Be Paying Attention to Shadow AI
Our Findings
    Finding 1 - 10 Shadow AI Apps Putting Your Data at Risk
    Finding 2 - The Popularity Trap: High Adoption Doesn't Mean High Security
    Finding 3 - OpenAI Accounts for 53% of All Shadow AI Usage Across Enterprises
    Finding 4 - Shadow AI Isn't Temporary: Uncovering Months of Unsanctioned AI Usage
    Finding 5 - Understaffed and Overexposed: 27% of Small Company Employees Use Shadow AI
Recommendations for Security Leaders
Leveraging Reco to Tackle Shadow AI
Conclusion

Executive Summary: The Shadow AI Era Is Here

Security leaders face an unprecedented reality: Shadow AI has infiltrated nearly every corner of the enterprise, creating massive blind spots that traditional security approaches cannot address. Our in-depth analysis of shadow AI usage across our customer base reveals five critical findings that demand immediate action.

Shadow AI runs deeper than most realize. These tools do not disappear after the testing and experimentation ends. For example, some apps run unsanctioned for over 400 days on average. In our study, we found CreativeX and System.com to have the longest standing access on average. Once embedded in workflows for months, these applications become nearly impossible to remove without disrupting business operations and upsetting their users. Every day they persist, the security debt compounds.

Smaller organizations face disproportionate risk. The smaller the organization, the bigger the shadow AI problem. Companies with 11-50 employees show the highest risk concentration: 27% of their workforce uses unsanctioned AI tools. These organizations face the perfect storm: maximum AI adoption with minimum security resources to manage it.

The threat is real and it's massive. We identified the 10 riskiest AI applications currently proliferating across our customer base, with security scores so low they should alarm any CISO. Three applications (Jivrus Technologies, Happytalk, and Stability AI) received failing grades, meaning that they lack fundamental security controls like RBAC, MFA, and audit logging. These aren’t just any tools; they're processing corporate data daily.

Mass adoption doesn't equal enterprise readiness. The most widely adopted AI tools aren't the most secure. CreativeX and Otter.ai boast thousands of users despite security scores that should disqualify them from enterprise use. Organizations are choosing AI tools like they choose consumer apps: based on features and convenience, not security.

The OpenAI monopoly. OpenAI commands 53% of all shadow AI usage across the organizations we assessed, processing data from over 10,000 enterprise users in our study. This unprecedented concentration means half of all AI-related risk flows through a single platform. Any security incident, po
2025 State of Shadow AI Report, available to download. The report is in PDF format, 17.42M in size, and 24 pages long.
