The 2026 shadow AI baseline for 50-person companies.

What "shadow AI" actually means

Shadow AI is any AI tool used inside a company without IT or security approval. It is the AI version of shadow IT. The defining feature is that the company does not know the tool is in use, so it cannot govern what is sent to it.

The shape is familiar to anyone who watched shadow IT play out in 2010. An engineer pastes source code into ChatGPT. A salesperson summarizes customer calls in Claude. A marketer drops campaign copy into a personal Gemini account. None of these people are doing anything wrong; they are doing their job faster. The risk is not the AI. The risk is that the company is not in the loop.

The relevant question for a 50-person company is not "should we allow AI?" The honest answer to that has been settled: yes, you allow it, because if you do not, your team will use it on personal accounts and you will lose all visibility. The relevant question is "which AI is in use right now, who is using each one, and what are they sending to it?"

The six numbers, with sources

27 active AI tools per 50-person company

The median Northbeams customer with 50 active employees has 27 distinct AI tools in active use across the company. The distribution is heavy-tailed: the 25th-percentile customer has 18 tools, the 75th-percentile customer has 41, and the long tail goes past 80. Most IT leads, before they install measurement, guess between 3 and 8.

The catalogue counts a tool once even if it has multiple surfaces. ChatGPT-via-browser, ChatGPT-via-desktop-app, and the OpenAI API all count as one tool. The 27 number is therefore conservative.

143 sensitive prompts a month

In the same 50-person company, the on-device classifier flags 143 sensitive prompts per month on average. "Sensitive" means the prompt matched at least one rule in one of the high-confidence categories: credentials, customer PII, source code, contracts, regulated health or education data, or financial records. The single largest category in 2026 customer data is source code (38%), followed by customer PII (29%), followed by API credentials (18%).

143 a month is roughly 5 per workday. That is the floor. The ceiling, in the 75th-percentile customer, is over 600 a month.

80% using AI without IT approval

Per the Microsoft and LinkedIn 2024 Work Trend Index, 80% of AI users at work use AI without their IT department's approval, and 78% bring their own AI tools to work. This is the single most important number for an SMB with no enterprise SSO and no MDM, because it tells you the baseline you will start from. Your employees are already using AI. The decision is whether you can see it.

$670,000 additional breach cost

The IBM Cost of a Data Breach Report 2024 priced the average global cost of a data breach at $4.88M and called out shadow data, which includes shadow AI, as a $670,000 premium on top of the average. The same report priced individual leaked records at $160 each, which gives you a back-of-envelope calculator: a leak of 5,000 customer records into a consumer AI tool is an $800,000 line item before you have written your first lawyer's check.

"Average" hides a lot. Healthcare breaches averaged $9.77M; financial-services breaches averaged $6.08M. The $670K shadow-data premium is on top of those averages, not instead of them.

60% have already had an AI exposure

Cyberhaven's Q1 2025 AI Adoption and Risk Report surveyed enterprise sensors across roughly 3 million end-users and found that 60% of the surveyed organizations had at least one confirmed AI data exposure event in the prior 12 months. The most common exposure category was source code pasted into consumer AI tools, followed by customer PII in support and sales contexts.

The number that matters here is not 60%, which is alarming but already a year old. It is the trend line: Cyberhaven's same-question number in Q1 2024 was 38%. The exposure rate is climbing roughly 22 percentage points per year, faster than enterprise AI policy can keep up.

+26.2% longer to identify and contain

Shadow-data breaches take 26.2% longer to identify and contain than non-shadow breaches, per IBM 2024. A non-shadow breach in the report averaged 258 days from intrusion to containment. Shadow-data breaches averaged 326 days. That extra time is when the cost premium accrues: legal exposure compounds, regulator clocks tick, and the affected records sit in someone else's training pipeline.

What this looks like on a real 50-person team

Take the median Northbeams customer in 2026. The IT lead before install believes there are "maybe 5 or 6 AI tools" in the company. Slack mentions, browser extensions, and the company SSO surface that count. After 24 hours of measurement, the dashboard shows 27.

Of the 22 the IT lead did not know about:

• About 8 are personal-account uses of mainstream tools (ChatGPT, Claude, Gemini, Perplexity) by employees who never thought to ask whether the company had a sanctioned account.
• About 6 are coding agents installed at the CLI (claude, aider, plus IDE-embedded tools like Cursor and the Copilot CLI). These are mostly engineering and they are mostly leaking source code.
• About 4 are AI features turned on inside SaaS tools the company already pays for. Notion AI, Atlassian Intelligence, Slack AI, Loom AI. The IT lead "approved" these by signing the parent SaaS contract, but never approved sending data to the underlying model providers.
• About 3 are voice/meeting tools. Granola, Otter, Fireflies, the in-Zoom AI summary feature. These send customer-call transcripts to model providers.
• The last 1 is something weird. A growth marketer using a personal Replit Agent, an HR lead pasting interview notes into a personal Gemini, a finance person dropping an investor update into a personal Claude. These are the highest-risk and the hardest to discover by survey.

Of the 143 sensitive findings per month, the same pattern holds: most are routine and most are fixable with a one-line user policy ("use the company-paid Claude account, not a personal one"). The ones that matter are the long tail.

Why the numbers got worse than 2024

Three forces compounded between 2024 and 2026.

Coding agents matured. In 2024, the typical engineer used GitHub Copilot inside an IDE, which sent diffs to GitHub under an enterprise contract. By 2026, Claude Code, Cursor, Aider, and a handful of others run as desktop apps or CLI tools that connect directly to model providers, often outside any enterprise contract. The "I just installed a coding agent on my work laptop" move is now invisible to most IT setups.

Desktop AI apps proliferated. ChatGPT Desktop, Claude Desktop, Granola, Cursor, and Perplexity Comet all run as native applications outside the browser, where most enterprise visibility lives. A CASB or browser-based DLP that worked fine in 2024 sees none of this traffic in 2026.

The "AI feature" creep inside SaaS. Every B2B SaaS shipped an AI feature in 2025. Each of those features sends customer data to a model provider, often a different one than the SaaS vendor's main provider, often under a sub-processor change-notice the customer did not read. Aggregate exposure surface grew without any single product looking suspicious.

What changes after install

Two things change in the first 24 hours after a typical SMB installs Northbeams.

First, the inventory question is settled. The IT lead can answer "how many AI tools are in the company" with a number, not a guess. That is enough to start a conversation with the auditor or the CFO.

Second, the long-tail problem becomes visible. The five or six tools the IT lead expected are not the risk. The risk is the personal-account marketing person and the personal-account HR lead and the engineer running a coding agent on Tuesdays. Once you can see them, you can write a policy. Until then, you are guessing.

The Northbeams calculator at /calculator takes the six numbers above and your headcount and produces a per-company dollar estimate of avoidable risk. That number is not a forecast; it is a way to get the conversation past "we don't think this is a big deal" and into "okay, what is the cheapest thing we can do this quarter to make it smaller."

Methodology and sources

Northbeams customer-base numbers

The 27-tool, 143-prompt, and "median time-to-first-block" numbers are aggregated across all paying Northbeams customer workspaces with at least 25 active users, observed over rolling 90-day windows. No per-customer attribution; no minimum-cohort exposure below 25 workspaces per metric. The full quarterly publication, including category breakdowns and quarter-over-quarter movement, is at /in-the-wild. First publication is Q3 2026.

External sources

1. IBM Cost of a Data Breach Report 2024. Annual study by IBM Security and the Ponemon Institute covering 604 breaches across 17 industries and 16 countries. Source for $4.88M average breach cost, $670K shadow-data premium, $160 per leaked record, and the +26.2% longer-to-identify finding.
   Available at ibm.com/reports/data-breach.
2. Cyberhaven Q1 2025 AI Adoption and Risk Report. Quarterly aggregate from Cyberhaven's enterprise endpoint sensors covering roughly 3 million end-users. Source for the 60% had-an-exposure number and the 38% Q1 2024 baseline used in the trend-line analysis.
3. Microsoft and LinkedIn 2024 Work Trend Index. Annual joint study covering 31,000 knowledge workers across 31 countries. Source for the 80% using-AI-without-IT-approval number and the 78% bring-your-own-AI number.
   Available at microsoft.com/en-us/worklab/work-trend-index.

FAQ

What is shadow AI?

Any AI tool used inside a company without IT or security approval. The defining feature is invisibility to the company, not the underlying tool.

How is shadow AI different from shadow IT?

The risk surface is different. Shadow IT is mostly about software the company has not vetted for security or licensing. Shadow AI adds a data-exfiltration vector: every prompt sent to an unsanctioned tool is data leaving the company, often into a third-party training set.

How many AI tools is a typical 50-person company using in 2026?

27, per Northbeams customer-base data. The 25th-percentile is 18; the 75th-percentile is 41.

What is the cost premium for breaches involving shadow AI?

$670,000 above the global average breach cost, per IBM 2024. Plus 26.2% longer to identify and contain.

Are these numbers conservative or aggressive?

Conservative. The Northbeams catalogue counts one tool per family even if it has browser, desktop, and CLI surfaces, and the 27 figure is the median, not the mean (which is higher). The IBM and Cyberhaven numbers are global averages and tend to underestimate companies that have invested in measurement.

Will these numbers go up in 2027?

Yes. The exposure-rate trend line from Cyberhaven was already 22 points per year between 2024 and 2025. Coding-agent adoption alone has added an estimated 4 to 6 tools per company between 2025 and 2026. We will refresh this page each May.

← Resources In the wild Coverage scorecard EU AI Act guide Contact What's new