Shadow AI, the unauthorized use of AI tools by employees outside approved environments, is creating new cybersecurity and data governance risks for financial institutions, as a recent SEC disclosure makes clear.
In a recent Form 8‑K filing, a Pennsylvania bank serving the tri‑state area disclosed a material cybersecurity incident involving the handling of non‑public customer information through an unauthorized AI‑based software application. According to the disclosure, the institution became aware of the incident internally, took steps to secure the information and initiated an investigation with the assistance of external cybersecurity advisors. The bank noted that while the incident did not disrupt operations, customer access or core systems, the volume and sensitive nature of the data involved led management to conclude the event was material and required public disclosure.
This disclosure is notable because the incident did not stem from a traditional system intrusion or ransomware attack, but rather from the unauthorized use of technology within the organization, underscoring how emerging tools—particularly AI—introduce new dimensions of operational and information security risk.
Shadow AI Control Gaps: How Governance Weaknesses Enable Unauthorized AI Use
Incidents involving unauthorized AI tools are increasingly being discussed under the concept of “Shadow AI.” Shadow AI generally refers to the use of AI applications by employees outside of approved technology environments and without formal governance, security review or data‑handling controls. While the Form 8‑K does not use the term “Shadow AI,” the circumstances described are consistent with the types of governance and control challenges organizations face when AI adoption outpaces policy and oversight.
Events of this nature often point to gaps in technology governance, data handling controls and employee awareness rather than failures of perimeter security. The use of an unauthorized AI application suggests that controls around acceptable technology use, data classification and data loss prevention may not have been sufficiently defined, enforced or monitored.
In many institutions, policies governing new technologies lag behind rapid adoption by end users. Without clear guidance on what tools are approved, how customer data may be used and where it may be transmitted, employees may unintentionally expose sensitive information. Equally important is governance: when accountability for AI usage, data stewardship and technology risk is fragmented or unclear, risk escalates quickly.
Shadow AI Fallout: Regulatory, Legal and Reputational Risks for Financial Institutions
Cybersecurity incidents involving customer information can have far‑reaching consequences, even when core systems remain unaffected. These may include regulatory scrutiny, notification obligations under applicable privacy and safeguarding laws, reputational damage, customer trust erosion and increased oversight expectations from regulators and examiners.
For financial institutions, disclosures like this also reinforce supervisory expectations around management oversight, risk assessments and internal controls related to emerging technologies. As regulators increasingly focus on how institutions govern AI and other advanced tools, events tied to unauthorized usage may draw heightened attention to enterprise‑wide risk management practices.
The AI Governance Question Every Bank Leader Needs to Answer
Incidents tied to unauthorized AI use prompt an important question for bank leadership and risk professionals: What are you doing to protect your data and empower your teams to harness AI safely?
Balancing innovation with risk management requires more than technical controls—it requires a shared understanding across the organization of acceptable use, accountability and risk ownership.
Building an AI Governance Framework: Key Controls for Financial Institutions
To reduce the likelihood of similar incidents, financial institutions should consider a control environment that includes:
- Clear AI and technology governance, including defined ownership, approval processes and alignment with enterprise risk management.
- Formal acceptable use and data handling policies that explicitly address AI tools and third‑party platforms.
- Data classification and data loss prevention controls designed to prevent sensitive information from being transmitted to unauthorized systems, covering not only API traffic but also browser uploads and copy‑paste into web‑based AI tools, since those are the paths employees most commonly use.
- Employee training and awareness programs focused on practical scenarios involving AI, data privacy and cybersecurity risk.
- Ongoing monitoring and risk assessments to identify emerging technology risks as tools and use cases evolve, including review of web proxy and egress telemetry to surface unsanctioned AI endpoints before customer data reaches them.
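As an added illustration of the data classification, DLP and monitoring controls listed above (example code written for this page, not anything from the original article, the bank in the disclosure or Schneider Downs), the following Python script combines a destination allowlist for sanctioned AI endpoints with content classification of the outbound request body, and runs it over a handful of constructed proxy log lines. The hostnames, user names, log format and customer data are all made up for the example; the `.test` domains are reserved names that resolve nowhere.

```python
"""Added example, not from the original article: an egress check that pairs a
sanctioned-AI-endpoint allowlist with classification of outbound content.
Every host, user, log format and data value below is constructed for the demo."""
import re
from urllib.parse import urlparse

# Hypothetical sanctioned AI gateway (assumption: the institution runs one).
APPROVED_AI_HOSTS = {"ai-gateway.internal.example-bank.test"}
# Hypothetical public AI services we recognise as AI tools at all.
KNOWN_AI_HOSTS = {"chat.example-llm.test", "api.example-llm.test"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
ACCT_RE = re.compile(
    r"\b(?:acct|account)\s*(?:no\.?|number|#)?\s*:?\s*(\d{8,12})\b", re.I)
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # candidate card numbers
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+dst=(?P<dst>\S+)\s+body=(?P<body>.*)$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_content(text: str) -> set:
    """Return the set of non-public-information labels found in text."""
    labels = set()
    if SSN_RE.search(text):
        labels.add("ssn")
    if ACCT_RE.search(text):
        labels.add("account_number")
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            labels.add("pan")
            break
    return labels


def decide(host: str, labels: set) -> str:
    """Policy: NPI may only flow to approved AI hosts; bare shadow-AI use is
    alerted on so the governance team can see adoption outpacing approval."""
    if host in APPROVED_AI_HOSTS:
        return "allow"
    if labels:
        return "block"          # customer NPI bound for an unapproved system
    if host in KNOWN_AI_HOSTS:
        return "alert"          # unsanctioned AI tool, no NPI observed
    return "allow"              # other traffic is out of scope for this check


def evaluate_line(line: str) -> dict:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    host = urlparse(m["dst"]).hostname or ""
    labels = classify_content(m["body"])
    return {"user": m["user"], "host": host,
            "labels": sorted(labels), "action": decide(host, labels)}


# Constructed proxy log lines (no real people, accounts or cards).
SAMPLE_LOG = [
    "2025-01-14T09:12:03Z user=jdoe dst=https://ai-gateway.internal.example-bank.test/v1/chat "
    "body=Draft a letter to John Doe, SSN 123-45-6789, about his mortgage",
    "2025-01-14T09:14:51Z user=asmith dst=https://chat.example-llm.test/api/complete "
    "body=Summarize the dispute for account number 12345678901 for me",
    "2025-01-14T09:20:17Z user=asmith dst=https://chat.example-llm.test/api/complete "
    "body=Rewrite this paragraph about our branch hours to sound friendlier",
    "2025-01-14T09:31:44Z user=bkim dst=https://api.example-llm.test/v1/chat "
    "body=Is 4111 1111 1111 1111 a valid card number?",
    "2025-01-14T09:40:02Z user=bkim dst=https://docs.example.test/share "
    "body=The quarterly report is due Friday",
]


def run(lines=SAMPLE_LOG) -> list:
    return [evaluate_line(line) for line in lines]


if __name__ == "__main__":
    for result in run():
        print(result)
```

The design choice worth noting is that the verdict depends on both destination and content: customer data going to the sanctioned gateway is allowed, the same data going anywhere unapproved is blocked, and unapproved AI use without customer data is surfaced as an alert rather than silently permitted, so that policy gaps become visible before they become a reportable incident. Real deployments would need TLS inspection or endpoint agents to see request bodies at all, and a far richer classifier than these three patterns.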
Taken together, these elements help institutions move from reactive response to proactive risk management.
How AI Tools Are Reshaping Cybersecurity Risk for Financial Institutions
This recent Form 8‑K disclosure serves as a timely reminder that cybersecurity risk is no longer confined to malicious external threats. As AI tools become more accessible and embedded in daily workflows, governance, policy and education play an equally critical role in safeguarding customer data and maintaining regulatory trust. Financial institutions that proactively address these areas will be better positioned to innovate responsibly while managing risk.
How Schneider Downs Can Help
If your institution is navigating Shadow AI exposure or looking to strengthen AI governance controls, Schneider Downs can help. Our team works with financial institutions to assess control environments, close data protection gaps and build practical, regulator-ready solutions.
In addition, we offer AI Strategy services to help your organization define responsible AI use cases and build governance frameworks from the ground up. We also deliver targeted AI governance training — giving your leadership and staff the practical knowledge to adopt AI safely while protecting customer data and maintaining regulatory trust.
For more information, please contact our team at [email protected].
About Schneider Downs Financial Services
The Schneider Downs Financial Services industry group supports financial institutions as they navigate evolving risk, regulatory and governance challenges. Our professionals work with institutions to strengthen internal audit, risk advisory, and related risk management programs that support sound decision-making, operational effectiveness and regulatory alignment.
Through services spanning internal audit, risk advisory, IT risk advisory, third-party risk management, fraud risk advisory and enterprise risk and compliance, we help financial institutions design and enhance resilient, risk-based programs aligned with their strategic objectives and operating environment.
To learn more, visit our Financial Services Industry Group page.