Shadow AI refers to the unauthorized use of personal AI tools (ChatGPT, Gemini, Claude, etc.) by employees for work tasks without IT or security team approval. In 2025, 47% of employees use personal AI accounts for work, often uploading sensitive company data in the process.

How much does Shadow AI cost a company?

Shadow AI adds an average of $670,000 in breach complexity costs when it is the vector for a data breach (IBM 2025). The IBM 2025 report found organizations with high shadow AI faced $4.74M average breach costs. Combined with per-record costs of $115-$178 and potential regulatory fines of up to 4% of annual revenue, the total exposure can reach millions for mid-size organizations.

How do I calculate my Shadow AI risk?

Use the EPH4 Shadow AI Risk Calculator. Enter your number of employees, average document uploads and prompts per user per month, annual revenue, and industry. The calculator uses 2025 benchmark data from Netskope, Harmonic, and IBM to estimate your monthly data exposures, annual financial risk, and maximum regulatory exposure.

What percentage of AI uploads contain sensitive data?

According to Harmonic's 2025 research, 22% of files uploaded to AI tools contain sensitive data including source code, internal documents, customer records, and intellectual property.

Shadow AI Risk Calculator | EPH4 Data-Privacy First AI

Your Organization

Total Employees Full-time employees with access to computers

Documents Uploaded to AI / User / Month Includes "summarize this," contract reviews, report analysis. Range: 1 - 10,000

Prompts per User / Month Manual text inputs to AI tools containing work context. Range: 1 - 5,000

Annual Revenue (USD) Used to estimate maximum regulatory fine exposure (GDPR/EU AI Act: up to 4%)

Industry Sector-specific risk multiplier based on data sensitivity

Your Risk Profile

Enter your organization details and hit calculate to see your risk profile.

Sensitive Assets Exfiltrated / Year

Documents and prompts containing sensitive data leaving your perimeter annually

Estimated Annual Financial Risk

Expected annual loss: breach probability × estimated breach cost (IBM 2025)

Maximum Regulatory Fine Exposure

GDPR / EU AI Act maximum penalty (4% of annual revenue)

Total Maximum Exposure

Combined expected breach cost + regulatory fine ceiling

Average Detection Gap

247 Days

Average time before organizations discover Shadow AI-related data leaks

Breakdown

Shadow AI users (47%) --

Sensitive docs/month --

Sensitive prompts/month --

Breach probability --

Est. breach cost (if occurs) --

Industry multiplier --

Cost per record (IBM 2025) $159

Shadow AI breach penalty $670,000

EPH4 eliminates Shadow AI risk with on-premise ephemeral AI workspaces. No data ever leaves your building.

Request a Demo

How This Calculator Works

Formula A: Monthly Sensitive Data Points

We calculate the number of sensitive data units leaving your organization each month:

Exposures = (Employees x 0.47) x [(Docs x 0.22) + (Prompts x 0.042)]

Only the 47% of employees using unauthorized AI are counted. Document uploads are weighted at 22% sensitivity, manual prompts at 4.2%.

Formula B: Breach Cost If Occurs (IBM-Bounded)

We estimate the cost of a Shadow AI-driven breach using IBM per-record costs, bounded by the IBM study's actual data range (2,960 – 113,620 records):

Capped Records = min(Annual Exposures, 113,620)

Breach Cost = min((Capped Records x $159) + $670K, $10.22M x Industry Multiplier)

$159 is the weighted average cost per leaked record (IBM 2025). $670K is the added breach cost for Shadow AI. The $10.22M cap is the highest average breach cost observed in the IBM 2025 study (United States). Per-record costs are not extrapolated beyond the study's range, consistent with IBM's own methodology guidance.

Formula C: Breach Probability

The annual probability of a Shadow AI-related breach, based on exposure intensity per user:

Probability = 5% + (min(Exposure Per User / 500, 1) x 20%)

Range: 5% (minimal exposure) to 25% (heavy exposure). IBM 2025 found 20% of breached organizations suffered a Shadow AI incident, informing this range.

Formula D: Expected Annual Financial Risk

The probability-weighted expected annual loss from a Shadow AI breach, capped at annual revenue (a company's expected breach loss cannot exceed its revenue):

Annual Risk = min(Breach Probability x Breach Cost (If Occurs), Annual Revenue)

Formula E: Total Exposure (Including Fines)

EU AI Act and GDPR impose fines up to 4% of global annual revenue:

Total Exposure = Annual Risk + (Revenue x 0.04)

Industry Multipliers

Risk is adjusted by sector to reflect data sensitivity and regulatory burden:

Healthcare — 1.7x ($7.42M avg breach cost, HIPAA exposure)
Technology / SaaS — 1.1x ($4.79M avg breach cost)
Financial Services — 1.3x ($5.56M avg breach cost)
Legal / Government — 1.0x (blended Services + Public sector)
Retail / Manufacturing — 0.9x ($3.54M Retail / $5.00M Industrial blended)
Other — 1.0x (baseline)

Data Sources

Netskope 2025 — 47% shadow AI usage rate among enterprise employees
Harmonic Security 2025 — 22% of files uploaded to AI contain sensitive data
IBM Cost of a Data Breach 2025 — $670K added breach cost for Shadow AI vector; $159 weighted avg cost per record; 247-day Shadow AI detection gap
GDPR / EU AI Act — Maximum fine of 4% of annual global turnover