Likelihood: HIGH
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is high because the governance gap is structural and self-reported by a majority of middle-market executives — not a theoretical exposure but an observed, widespread operational condition where shadow AI use is already occurring without controls. Impact is high because the business consequences compound across dimensions simultaneously: uncontrolled data exfiltration of customer PII or confidential business data, client contract penalties, reputational damage, and regulatory scrutiny, all amplified by the perception-versus-reality gap that delays corrective action.
Treatment rationale: The risk is neither insurable away nor avoidable given competitive pressure to adopt AI, and acceptance is indefensible given the magnitude and active nature of the exposure — mitigation through AI governance frameworks, identity controls, and access policy is the only treatment that addresses the structural root cause.
Third-Party / Supply-Chain Risk
Ungoverned third-party AI integrations represent a direct NIST SP 800-161 supply-chain exposure: employees and business units connecting unsanctioned AI platforms (SaaS-based LLMs, co-pilot tools, data enrichment services) create data flows to external processors outside the organization's vendor risk management program, with no contractual data handling obligations, no data residency visibility, and no incident notification requirements in place.
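As an added illustration of the detection side of this exposure (example code written for this entry, not part of the original risk item or of any product), the script below scans an egress proxy log for traffic to AI-service hosts that are not on the sanctioned-vendor list and totals, per user and host, the bytes uploaded to them. The log format, the sanctioned and AI-service domain lists, the `.example` hostnames and the sample log lines are all constructed assumptions for the example; a real deployment would take the sanctioned list from the vendor risk management program and the AI-service patterns from a maintained URL-category feed.

```python
"""Flag unsanctioned AI-service traffic in an egress proxy log (added example).

Every list, pattern and log line here is constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed: AI platforms approved through vendor risk management, i.e. the
# ones with contractual data handling, residency and notification terms.
SANCTIONED_AI_DOMAINS = {"approved-copilot.example"}

# Constructed: hostname fragments that identify AI SaaS / LLM endpoints.
AI_SERVICE_PATTERNS = [
    re.compile(p) for p in (r"\bllm\b", r"assistant", r"copilot", r"enrich")
]

# A POST/PUT of at least this many bytes is treated as a possible data submission.
UPLOAD_BYTES_THRESHOLD = 10_000

# Constructed proxy log line format:
# <timestamp> <user> <method> <host> <path> <status> <bytes_sent>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Constructed sample log: two users reach unsanctioned AI hosts, one uses the
# sanctioned tool, one only touches an internal wiki.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice POST chat.llm-tool.example /v1/completions 200 48213
2024-05-01T09:15:44Z bob GET intranet.corp.example /wiki/page 200 512
2024-05-01T09:20:10Z carol POST approved-copilot.example /api/chat 200 61000
2024-05-01T09:31:52Z dave PUT data-enrich.example /upload 201 250000
2024-05-01T09:40:00Z alice GET chat.llm-tool.example /v1/models 200 900
"""


def is_ai_service(host):
    """True if the hostname matches any AI-service pattern."""
    return any(p.search(host) for p in AI_SERVICE_PATTERNS)


def parse_line(line):
    """Parse one proxy log line into a dict, or None if it is malformed."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_shadow_ai(log_text):
    """Return {(user, host): counters} for every unsanctioned AI host seen.

    Counters: total requests, bytes sent on POST/PUT, and the number of
    uploads at or above UPLOAD_BYTES_THRESHOLD.
    """
    findings = defaultdict(
        lambda: {"requests": 0, "upload_bytes": 0, "large_uploads": 0}
    )
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # malformed line; a production job would count these
        host = rec["host"].lower()
        if host in SANCTIONED_AI_DOMAINS or not is_ai_service(host):
            continue
        f = findings[(rec["user"], host)]
        f["requests"] += 1
        if rec["method"] in ("POST", "PUT"):
            f["upload_bytes"] += rec["bytes"]
            if rec["bytes"] >= UPLOAD_BYTES_THRESHOLD:
                f["large_uploads"] += 1
    return dict(findings)


def unsanctioned_hosts(findings):
    """Distinct unsanctioned AI hosts, for hand-off to vendor risk management."""
    return sorted({host for _, host in findings})


if __name__ == "__main__":
    result = find_shadow_ai(SAMPLE_LOG)
    for (user, host), f in sorted(result.items()):
        print(f"{user:<8} {host:<28} requests={f['requests']} "
              f"upload_bytes={f['upload_bytes']} large_uploads={f['large_uploads']}")
    print("hosts for vendor review:", unsanctioned_hosts(result))
```

Each host the script surfaces is an external processor that has never passed through vendor risk management, so the host list feeds the contract and data-residency review while the per-user upload totals feed the access-policy decision (block, coach, or onboard the tool). Sanctioned hosts are skipped before pattern matching so an approved AI vendor never appears as a finding.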
Loss Exposure (illustrative)
Magnitude: moderate to high — illustrative $250K–$2M per material incident, reflecting breach notification costs, client remediation, regulatory response, and near-term reputational impact for a mid-market organization in the $50M–$500M revenue range
Frequency: illustrative 1–3 material shadow AI incidents per year across an exposed mid-market organization with no AI governance controls and active unsanctioned tool usage across business units
Annualized: illustrative ALE of $250K–$6M per year, the per-incident magnitude multiplied by the annual frequency range, skewed toward the higher end for organizations with significant PII volume or client data obligations
Basis: Loss magnitude derived from the consequence categories identified in this risk item (breach notification, contract penalties, reputational impact), scaled to mid-market revenue bands and typical organizational response costs for data exposure incidents at this scale. Frequency derived from the structural nature of the gap: widespread, ungoverned shadow AI use creates persistent and recurring exposure rather than a single discrete event. No third-party actuarial data cited.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• PII or confidential client data submitted to unsanctioned AI tools may invoke state and sector-specific breach notification obligations — verify with counsel.
• Client contracts containing data handling, confidentiality, or permissible-use clauses may be breached by shadow AI data submissions — verify with counsel.
• Cyber insurance policies may contain exclusions or notice requirements triggered by failure to maintain documented AI governance or access controls — verify with broker.