One-Third of Staff Risk Data Through AI: Survey

One-third of Australian professionals regularly upload confidential company information to AI platforms without oversight, creating significant compliance and security risks for organisations across critical sectors, according to new research.

The study by SaaS management platform Josys found 36% of workers upload sensitive data, including strategic plans, financial documents and customer personally identifiable information, to AI tools like ChatGPT, often bypassing corporate security protocols.

Sales and marketing teams pose the highest risk, with 37% uploading sensitive data, followed by finance and IT telecommunications at 36% each, and healthcare at 31%. These sectors handle highly regulated information yet demonstrate the greatest exposure to "shadow AI" risks.

The research reveals a critical disconnect between AI adoption and organisational preparedness. While 78% of professionals now use AI tools daily, 70% of organisations have little to no visibility into which platforms employees actually use.

"Shadow AI is no longer a fringe issue. It's a looming full-scale governance failure unfolding in real time across Australian workplaces," said Jun Yokote, COO and President of Josys International.

Only one-third of organisations (33%) are fully prepared to assess AI risks before deployment, with 20% completely unprepared. The situation is worse for smaller companies, with just 30% of organisations under 250 employees feeling equipped to evaluate AI risks.

Compliance Under Pressure

Nearly half (47%) of respondents identified upcoming AI model transparency requirements and Privacy Act amendments as their biggest compliance challenges. Despite these pressures, 50% still rely on manual policy reviews and one-third have no formal AI governance processes.

The research found alarming levels of sensitive data exposure:

  • 44% upload strategic and planning documents
  • 40% share technical information
  • 34% upload financial data
  • 24% input customer PII
  • 18% share intellectual property and legal documents

Larger organisations show higher exposure rates, with 32% of staff at companies earning A$1-9.99 million annually uploading sensitive data, suggesting risk increases with organisational complexity.

Current enforcement mechanisms appear inadequate. Only 25% of organisations believe their tools effectively enforce AI usage policies in real time, while 57% rate their capabilities as somewhat effective to completely ineffective.

Barriers to improvement include resistance to change, budget constraints, and lack of visibility into AI usage across the enterprise, with 83% of organisations citing these challenges.

This research was conducted by Josys in collaboration with Censuswide, surveying 500 Australian technology decision makers across various sectors and company sizes.