Employees’ enthusiasm for AI-driven productivity collides with the institutional inertia of large firms trying to control an unpredictable technology.

AI Risk Awareness and Organizational Readiness — Lessons from Recent Studies

by ChatGPT-5

Two recent reports — “43 Percent of Workers Plug Sensitive Work Information into AI Tools” (ASIS International, October 2025) and “Majority of Large U.S. Firms Flag AI Risks in Public Disclosures” (Carrier Management, October 2025) — paint a converging picture of a corporate world struggling to keep pace with the realities of artificial intelligence. On one hand, employees are rapidly integrating AI into daily workflows, often at the expense of data security. On the other, large enterprises are beginning to formally acknowledge AI’s risks in regulatory filings, signaling a maturing understanding but uneven implementation of AI governance. Together, these findings reveal a widening gap between organizational adoption and institutional control — a gap that could expose even the most sophisticated firms to operational, legal, and reputational damage.

The Human Factor: Unchecked AI Use and Data Leakage

The ASIS report highlights a striking behavioral risk: nearly two-thirds of surveyed employees now use AI tools, yet 58 percent have received no training on associated risks. Even more concerning, 43 percent admit to entering sensitive company information into generative AI systems — including internal documents, financial data, and client details. Many users are unaware that such interactions are typically retained and may become part of model training datasets. This behavior turns every untrained employee into a potential breach vector.

The absence of clear organizational boundaries between personal and professional AI use compounds the problem. Workers are embracing AI faster than their employers can regulate it, creating “shadow AI” ecosystems. The result is a silent erosion of data integrity and client trust. The article connects this behavioral risk to a broader surge in AI-enabled scams, impersonation attacks, and misinformation. Despite growing concern among employees about these threats, training participation remains low — only one-third of those with access to cybersecurity education actually engage with it. Time constraints, skepticism about training efficacy, and productivity pressure all contribute to a culture of complacency.

The Enterprise View: AI as a Material Risk

Meanwhile, the Carrier Management analysis of S&P 500 filings shows that 72 percent of companies now disclose AI-related risks in their Form 10-K statements — a 12 percent increase since 2023. The sectors leading these disclosures — financial services, healthcare, and industrials — are precisely those with high regulatory exposure and sensitive data environments. The top risks identified include reputational damage (38 percent of firms), cybersecurity vulnerabilities (20 percent), and legal and regulatory uncertainty.

Reputational risk dominates because AI failures are highly visible and emotionally charged: biased outputs, unsafe recommendations, or chatbot missteps can trigger immediate consumer backlash and shareholder anxiety. Cybersecurity concerns center on AI’s dual role as both a defense enhancer and an attack enabler — expanding the attack surface while also empowering adversaries. Legal and regulatory risks, particularly under evolving regimes such as the EU AI Act and state-level privacy laws (e.g., CCPA/CPRA), add layers of complexity. Companies cite uncertainty over intellectual property, data provenance, and compliance obligations as persistent strategic threats.

Converging Insights: A Governance Mismatch

Taken together, these two reports expose a disjointed state of AI maturity. Employees are experimenting with AI tools in unsupervised ways, while companies are formally documenting AI risks to satisfy investors and regulators — but often without operational mechanisms to mitigate them. This governance mismatch highlights a structural weakness: AI is treated as both an opportunity and a disclosure item, but rarely as an integrated risk domain with consistent accountability from the boardroom to the individual user.

The behavioral findings from the NCA/CybSafe survey suggest that corporate risk disclosures may understate the magnitude of internal vulnerabilities. If nearly half of employees are leaking sensitive data into external systems, the exposure is already systemic. Conversely, the formal recognition of AI risks by public firms signals an emerging compliance culture — but one still dominated by retrospective reporting rather than proactive prevention.

Recommendations for Large Businesses

To address this widening gap, large enterprises should move beyond high-level AI ethics statements and adopt concrete, enforceable measures that link risk disclosure to behavior management and operational resilience:

1. Institutionalize AI Governance Frameworks
   Establish enterprise-wide AI governance programs that align security, compliance, and innovation teams under a unified framework. AI risk should be integrated into enterprise risk management (ERM) systems and subject to board oversight.

2. Deploy Secure, Internal AI Environments
   Replace public, consumer-grade AI tools with enterprise-secured platforms or locally hosted models. Sensitive data should never transit through unvetted third-party systems.

3. Mandate Continuous Employee Training
   Make AI risk literacy mandatory across all levels. Move from static annual modules to ongoing, role-specific microlearning — reinforcing practical awareness of data privacy, IP rights, and prompt hygiene.

4. Implement AI Usage Monitoring and Access Controls
   Track AI tool usage through data-loss prevention (DLP) systems and enforce access segmentation. Require user re-verification when suspicious activity or excessive AI interactions occur.

5. Link Public Disclosures to Internal Controls
   Ensure that what is disclosed to regulators is backed by measurable safeguards. Reputational and cybersecurity risks cited in filings should correspond to verifiable mitigation plans, audits, and vendor due diligence.

6. Develop Clear AI Incident Response Protocols
   Treat AI-related data leaks or model malfunctions as distinct incident categories. Establish escalation paths involving legal, communications, and compliance teams to manage reputational fallout swiftly.

7. Audit Vendor and Model Provenance
   Require transparency from AI vendors regarding data sources, model retraining practices, and compliance with emerging AI-specific regulations. Vendor exposure should be mapped as part of the organization’s own risk perimeter.

8. Integrate Human-in-the-Loop Safeguards
   For all automated or generative systems influencing business decisions, retain human oversight at critical points of output validation, especially in regulated or customer-facing processes.

Conclusion

These two reports capture the dual nature of AI in 2025: transformative yet perilous. Employees’ enthusiasm for AI-driven productivity collides with the institutional inertia of large firms trying to control an unpredictable technology. The next frontier of corporate governance lies in closing this gap — transforming awareness into accountability and risk disclosure into demonstrable resilience. Businesses that succeed will not only protect their data and reputation but also position themselves as credible and trusted actors in an increasingly AI-dependent economy.

Key takeaway: AI governance is no longer a compliance checkbox — it is a strategic imperative that connects human behavior, corporate responsibility, and long-term business sustainability.