CISO Shadow AI · data exfiltration

The chatbot nobody approved

A security chief went looking for a data leak. He found three hundred employees who'd quietly hired an assistant — and a lesson about what the word "no" actually costs.

We sat down with Reza, the CISO of a mid-size enterprise software company, who went looking for one careless employee and found three hundred. He asked us not to name the company. He was happy to name the lesson.

Q: How did you find out? What was the moment?

It was boring. That's the part I keep coming back to. Not a breach notification, not a ransom note — one line in a data-loss dashboard I check most mornings out of habit. A fragment of a customer contract had left the building inside a request to a public language model. I assumed one employee, one careless afternoon. I made a note to have a word.

Then I pulled the thread. Instead of one request, I asked the logs for all of them — every call to every public AI endpoint over ninety days. I read the number twice. It wasn't one person. It was most of the company.

300+ employees using unsanctioned AI
90 days of silent traffic before anyone looked
0 who had asked permission first

Engineers pasting stack traces · sales rewriting proposals · a finance analyst who fed a full quarter's forecast in "to make it sound more confident."

Q: Weren't they being reckless?

That's what took me a week to get past, and it's the whole point. They weren't being reckless. They were being productive. Every one of those three hundred requests was someone trying to do their job slightly faster. Shadow AI, looked at without flinching, isn't a security failure. It's a product review. My people ran a bake-off between the tools I gave them and the one they found — and the one they found won, three hundred to nothing.

Shadow IT is what people do when the official answer is slower than the problem. It's the most honest signal you get all year.

Q: Why not just block it and move on?

Because that's the reflex, and the reflex is wrong. I could have written a firewall rule, sent a stern all-hands, and the dashboard would have gone quiet for about a week. The problem is what actually happens when you block the network: the work moves to a phone. People don't stop using the better tool. They stop using it where you can see them. You trade a problem you can measure for one you can't — and call it a win because the graph went flat. Flat graphs are sometimes the most dangerous thing on the screen.

Reflex · block it

Say no, faster

  • Traffic goes dark, not away
  • Usage moves to phones, off-network
  • A measurable risk becomes invisible

What worked · pave it

Say yes, safely

  • Visibility into every AI app in use
  • One sanctioned gateway people prefer
  • Sensitive data redacted on the way out

Q: So what did you actually do instead?

I assumed my people were right and my tooling was wrong. The question stopped being how do I stop this and became how do I make the safe path the easy path — because the only durable way to beat a shortcut is to pave a better road. That's where Palo Alto Networks came in, and I want to be precise, because it's less glamorous than the marketing and more useful. They didn't sell me a wall. They gave me a pair of glasses first — which AI apps, which data, which of the three hundred were genuinely risky versus merely undocumented. For the first time the shadow had edges.

The vendor in the room · Palo Alto Networks

The shift that mattered wasn't a blocklist. It was inline visibility plus a sanctioned gateway — employees kept the assistant they'd chosen, but contracts, forecasts and source code were redacted on the way out and the whole flow was logged. Security stopped being the department of no and became the department of yes, through here.

Then the gateway: a sanctioned route to the same class of tool with the dangerous parts handled automatically. Customer data redacted before it left. Source code kept inside. Every request logged — not to punish anyone, but so that the next time a contract fragment showed up in a dashboard, I'd know in thirty seconds whether it was a leak or a Tuesday. The finance analyst who fed in the forecast? She kept using AI to sound confident. She just did it through a door that stripped the numbers she shouldn't share and kept the ones she should. She never noticed the door. That's what good security feels like from the inside: nothing.

Q: What's the lesson for other CISOs?

The leak was never really the model. The model was just where the pressure escaped. The actual hole was the gap between what people needed and what they were allowed to use — and that gap was there long before anyone typed a prompt. AI didn't create the shadow. It turned the lights on it.

300 : 0
Your employees already voted on the tool. The only question left is whether they vote where you can see it — or somewhere you can't.

The CISOs who do well from here won't be the ones who say no faster. They'll be the ones who notice that "no" is a product decision with a cost — and who get good at saying yes, safely, before three hundred colleagues say yes for them. Because they already did. The dashboard was just the last to know.