Managing Risk

TL;DR. The AI risk you are afraid of is not the AI risk that is going to hit you. The fear is regulator action and front-page lawsuits. The reality is your VP of Sales pasted a deal sheet into a free chat tool last Tuesday and you have no record of it. There are five failure modes that actually land in enterprises right now: data leakage, wrong answers, over-reliance, shadow AI, and ungoverned automation, the scheduled agent running on a clock that nobody in IT approved. Each has a small set of boring controls that work. The rest is theater.

Somebody on your leadership team has been emailed a slide deck about AI risk. It probably has a 4x4 matrix. It enumerates seventeen risk categories with red, yellow, and green dots. It mentions the EU AI Act. It includes a recommendation to establish an AI ethics committee. It is on the agenda for next month’s risk review.

In the same week, three things happened that the deck did not catch. A junior analyst pasted a draft client roster into a free chat tool to clean up the formatting. A customer service bot quoted a refund policy that the company does not have. And the VP whose seat sat idle for nine months started a personal Claude account because the approved tool was worse than the consumer version.

None of those will appear on the risk register. All of them are the actual risk.

Why the risk register misses

The default executive playbook for AI risk is the playbook for every other emerging risk. Convene a working group. Inventory the categories. Score each one on likelihood and impact. Color-code. Present quarterly. Track movement.

This catches nothing because risk registers operate at the wrong layer. Registers track categories. Incidents happen at surfaces. A category like “data privacy violation” tells you nothing about whether your people are pasting customer records into ChatGPT today. A category like “model bias” tells you nothing about whether the chatbot you deployed last quarter is making refund commitments you cannot honor. The register is at the altitude of an ethics committee. The incident is at the altitude of a browser tab.

The deeper problem is that the register lets the executive feel governed without doing anything operational. The slide is the artifact. The artifact substitutes for the control. Six quarters later there is a thick binder of governance documents and a security team that still has no idea which AI tools their employees opened this morning.

Risk that gets managed has telemetry, an owner, and a kill switch. Risk that gets registered has a color.

The five failure modes

Almost every real AI incident at a normal enterprise falls into one of five categories. Four of them are old news. The fifth arrived this year, when agents learned to run on a schedule. None of them are exotic. All of them have a control that costs less than the AI program.

Data leakage

Your people put things into AI tools that should not be there. Source code. Customer rosters. Salary spreadsheets. Draft contracts. Acquisition targets. Sometimes they use the consumer tier of a tool whose data terms permit training on inputs. Sometimes they use the enterprise tier but exfiltrate to a personal account on a weekend. Either way, the data is now somewhere it was not yesterday, and you cannot get it back.

Samsung remains the canonical version of this failure. In 2023, engineers pasted source code and internal meeting notes into a public chat tool to debug and summarize, the leak surfaced, and the company banned generative AI on company devices.¹ The reflex response was a perimeter ban. The actual lesson was that no approved equivalent existed when the work showed up.

The control is paired and unglamorous. First, an enterprise tier of an approved chat tool with a signed data agreement that prohibits training on your inputs. Second, an endpoint or browser-level data loss prevention tool that flags paste events into known AI domains, including the long tail. The first removes the reason to use a consumer tool. The second tells you when somebody used one anyway. You need both. Neither alone is a control. The IBM 2025 breach data is blunt on the point: 97 percent of organizations that reported an AI-related security incident lacked proper AI access controls.²

If you have neither, your data leakage program is a wish.

Wrong answers

Models confabulate. They produce text that looks correct, in a confident register, with no marker that anything is invented. In a workflow with a competent human reviewer this is annoying. In a workflow without one it is a lawsuit.

The two cases worth remembering are public. In Mata v. Avianca, lawyers submitted a brief citing six judicial decisions that did not exist. ChatGPT had fabricated them and the lawyers had not checked. The court sanctioned them.³ In Moffatt v. Air Canada, a customer service chatbot invented a bereavement fare policy. A small claims tribunal held the airline to it.⁴ The pattern is the same: a model produced confident output, no human verified it, the output bound the institution, the institution paid.

Hallucination rates have fallen, but they have not gone to zero, and they will not. A frontier model in 2026 is wrong on factual claims at a low single-digit rate in the best benchmarks and substantially higher in long-tail domains. Treat any quoted “hallucination is solved” claim as marketing. The control is not a better model. It is a discipline rule about which workflows are allowed to ship model output without a verifying human. The underlying reason these workflows fail without a check is that nothing in the environment is capable of saying “no” when the model is wrong, which is the same bottleneck that decides where AI compresses work and where it doesn’t.

The rule is binary. If model output reaches a customer, a court, a regulator, a counterparty, or a system of record without a human in the loop, the workflow is high-risk. High-risk workflows get a named reviewer, a logged sign-off, and a pre-mortem on what happens when the model is wrong. Everything else is low-risk and can ship faster. This is a one-page document, not a framework. Most orgs have neither.

Over-reliance

The third failure is slower and costs more. Your people get good at producing AI output and worse at producing the underlying judgment. The senior analyst who used to spot the discrepancy in a model now accepts the chatbot’s summary. The associate who used to write the memo now edits the draft. The engineer who used to read the code now reviews the diff. After a year, the muscle is softer. After three, the team cannot operate unaided.

The 2025 Microsoft and Carnegie Mellon study on knowledge workers using generative AI found a measurable shift away from independent critical evaluation toward verifying AI output, with the largest reduction in critical thinking exactly in the workers most confident in the model.⁵ That is the shape of the problem. Confidence rises faster than competence falls, so the decay is invisible until the moment you need the unaided skill and it is gone.

The control is cultural and small. Two practices catch most of it. First, a standing rule that any junior team member presenting AI-assisted work must be able to defend the underlying reasoning without the tool open. Not always. Periodically, in normal review. Second, at least one recurring task per role that is done unaided, by policy, because the skill is load-bearing for the rest of the work. A lawyer who cannot draft an argument from scratch is not a lawyer with leverage. A lawyer who cannot draft an argument from scratch is a paralegal with a subscription.

You will not see this risk on a dashboard. You will see it the first time a leveraged person leaves and the team behind them cannot reproduce the work.

Shadow AI

The policy guide treated shadow AI as a procurement failure: people use unapproved tools because the approved tool does not exist, is worse, or was never communicated. That framing is still right and it is still where most of the prevention work lives. But there is a residual risk after policy that is worth naming as its own failure mode.

Even with a good policy, an approved tool, and a two-week request SLA, some fraction of your people will continue to use consumer accounts. Some because the consumer model is genuinely better at their task. Some because they have a personal habit. Some because they are working from a phone and the enterprise tool is not installed. The IBM 2025 figure is again the relevant one: 63 percent of organizations had no governance to prevent shadow AI proliferation.² Even at the organizations that did, residual use was non-zero.

The control is detection plus disclosure. Detection is the same DLP and endpoint stack that catches data leakage, configured to alert on traffic to consumer AI domains, not just enterprise ones. Disclosure is a written rule that a fast self-report of an incident is met with documentation and no penalty, while a hidden one is treated as a security incident. The point of the disclosure rule is not forgiveness. It is incentive design. You cannot fix what you cannot see, and you cannot see what your people are punished for showing you. This is the same logic every mature security organization applies to phishing-click rates and vulnerability disclosure. It is not new. It is just newly applied to a surface most companies are still pretending does not exist.

The consumer chat account was the whole of shadow AI when this guide was first written. It is not anymore. The same tools now run on a schedule, which turns a moment into a standing job and makes it its own failure mode.

Ungoverned automation

The first four failure modes are things your people do. The fifth is something your tools now do on their own, on a clock, after everyone has gone home. Shadow AI used to mean a single risky action: a paste into a consumer tab, a moment you could in principle recover from. A scheduled agent is different in kind. Someone writes a prompt once, picks a cadence, and the agent runs unattended against real systems, producing output other people come to depend on, and it keeps running after that person changes teams or leaves.

You are accumulating a second workforce that is not on any org chart, and the data says you cannot see it. Roughly a quarter of organizations have full visibility into the agents operating inside them. About one in seven send agents into production with security or IT sign-off. Fewer than half of running agents are actively monitored.⁶ Gartner expects AI-related legal claims to clear two thousand this year, and the recurring cause is missing audit trails for automated actions in regulated contexts.⁷ This is not a future exposure. It is a maintenance backlog and a compliance gap already sitting on your books.

The control is an agent inventory plus a kill switch, and on the right plan both already exist. The inventory is a list of every scheduled task, routine, and standing agent running against your systems: what each one touches, on what cadence, and who owns it. The kill switch is the set of admin controls most companies pay for and never turn on. Disable unattended agents org-wide with a single toggle, or scope them by role, by connector, and by the branches a code agent may write to. Stream the actions into your SIEM through the compliance log so a scheduled job becomes an auditable event instead of a rumor. Lock the configuration through managed device settings so it cannot be loosened on an individual machine.

The catch is the plan. Those toggles live on the enterprise tier. The individual, power-user, and small-team plans run the same scheduled tasks with thin or absent admin visibility and no compliance logging, which means the load-bearing automation is most likely to sit exactly where you have the least ability to see it: on the seats your best people expensed themselves. Anything that has become load-bearing belongs on a plan you can govern. The seat upgrade is cheaper than the breach. And the verifier constraint decides which jobs may run unattended in the first place. Schedule the work two people can mechanically agree is correct. Do not schedule the work that needs a careful read before anyone trusts it.

The heuristic

If you remember nothing else.

1. Five failure modes, in order: data leakage, wrong answers, over-reliance, shadow AI, ungoverned automation. If your AI risk program names other categories before these five, it is not your AI risk program. It is somebody’s slide.
2. Each failure mode has a paired control. Approved tier plus DLP. High-risk-workflow rule plus named reviewer. Unaided-work practice plus defend-the-reasoning culture. Detection plus rewarded disclosure. Agent inventory plus kill switch. One half of any pair is not a control.
3. Telemetry beats policy. A control you cannot measure is a wish. The minimum telemetry is who is using which AI tool, on what surface, against which data class, and which agents run unattended, on what schedule, with which connectors and permissions.
4. Reward fast disclosure. Treat concealment as the incident. This is the only sentence on culture you need.
5. Kill switches matter more than approval gates. You will deploy AI things that fail. You need to be able to turn them off in an afternoon. For the agents, the off ramp already exists and is mostly unused: an admin toggle that disables every unattended agent at once, scoping by role, connector, and branch, a compliance log streamed to your SIEM, and managed device settings that keep anyone from loosening it locally. If you are paying for the enterprise tier, you already bought the off switch. Most companies have never turned it on. Procurement contracts should include the same off ramp for the tools you build on.
6. The risk you can name is not the risk that is coming. Reserve a small budget and a standing meeting for the failure mode you have not seen yet. The agentic-workflow incident is no longer that risk. It arrived this year, and it has a control, the one above. The model-update regression and the vendor that disappears mid-quarter are still ahead of you. Something on this list will happen this year, and the only question is whether it is already in your register.
7. No ethics committee. A named risk owner with a quarterly review and the authority to pull a tool off the approved list does the entire job an ethics committee was supposed to do, and actually does it.

Something to carry

Pull the last thirty days of endpoint or DLP logs filtered for traffic to known AI domains. The list is short and well-published. Every major chat tool, every major coding tool, plus the long tail of consumer wrappers your security team has probably already enumerated. Count distinct users.

That number is the only honest denominator you have. Compare it to the number of approved AI seats you’re paying for. The gap is your shadow AI footprint. Pull the prompt or paste content where your stack captures it, sample twenty events, and read them. You’ll find one of three things. You’ll find people doing routine work in the wrong tool, which is a procurement problem you can fix in two weeks. You’ll find people moving sensitive data into a consumer tool, which is a control problem you can fix in a quarter. Or you’ll find nothing concerning, which means your detection is misconfigured and you have no controls at all.

In any of the three cases, you now have a real starting point. The risk register didn’t give you one. It was never going to.

The whole nine-guide arc, read end to end, makes a single argument. The leverage is real, the spend is misallocated, the tools are choosable, the talent is identifiable, the returns are observable, and the risks are containable with controls that already exist in every other part of your business. None of it requires a transformation. It requires a working week, a named owner, and the willingness to make the call.

Footnotes

1. Mark Gurman, “Samsung Bans Staff’s AI Use After Spotting ChatGPT Data Leak,” Bloomberg, May 2023. ↩

2. IBM and Ponemon Institute, Cost of a Data Breach Report 2025. The 97 percent and 63 percent figures refer to organizations reporting AI-related security incidents in the survey population. Last verified 2026-04. ↩ ↩²

3. Mata v. Avianca, Inc., No. 22-cv-1461 (S.D.N.Y. 2023). Sanctions order issued June 2023. ↩

4. Moffatt v. Air Canada, 2024 BCCRT 149 (Civil Resolution Tribunal of British Columbia). Decision issued February 2024. ↩

5. Hao-Ping (Hank) Lee et al., “The Impact of Generative AI on Critical Thinking,” Microsoft Research and Carnegie Mellon University, CHI 2025. The finding most often cited is the negative correlation between confidence in the AI tool and engagement in independent critical evaluation among knowledge workers. ↩

6. 2026 industry surveys found roughly a quarter of organizations have full visibility into the agents operating inside them, about 14 percent send agents to production with full security or IT approval, and under half (around 47 percent) of running agents are actively monitored. Last verified 2026-06. ↩

7. Gartner has projected AI-related legal claims will exceed 2,000 by the end of 2026, with recurring causes including missing audit trails for automated actions and the inability to explain automated decisions in regulated contexts. ↩