Artificial intelligence adoption is accelerating but so are the risks

As artificial intelligence (AI) tools become embedded across the workplace, businesses are increasingly grappling with an uncomfortable paradox: while AI promises efficiency, productivity and innovation, it is also introducing new and often poorly understood risks.

Recent high-profile issues involving companies such as Air Canada and McDonald’s, where AI-driven customer systems produced incorrect or misleading outputs, have highlighted how even well-resourced organisations can struggle to manage these technologies effectively. At the same time, internal use of AI is rising rapidly. It is estimated that more than 60% of employees capable of working remotely now integrate AI tools into their day-to-day processes.

This combination of rapid adoption and immature governance is creating a new category of organisational risk. Analysis undertaken by TRG Datacenters, drawing upon academic research, industry reports and documented legal cases, identifies six major areas where AI is currently generating the greatest operational and compliance vulnerabilities.

What emerges is less a story of technological failure and more a reflection of organisational readiness. Simply put, many companies are deploying AI faster than they are building the governance frameworks required to control it.

Shadow AI: An invisible threat inside the organisation

One of the most pressing issues is the emergence of so‑called “shadow AI”, which represents the unofficial use of AI tools by employees outside formal IT oversight. The problem is scale. Estimates suggest that around two-thirds of organisations do not fully understand what data employees are sharing with AI platforms. In practice, this often involves staff copying sensitive material, an assortment of client data, internal strategy documents, or proprietary code into generative AI systems such as ChatGPT.

From a compliance perspective, this represents a potential breach of confidentiality agreements, data protection regulations, and intellectual property controls. From a security standpoint, it is even more concerning: once data leaves the organisation, control over how it is stored, processed or reused can be lost.

The financial impact is also notable. Shadow AI-related breaches are estimated to cost substantially more than conventional incidents, reflecting the complexity and uncertainty surrounding these events.

The solution lies not in banning AI outright, an approach unlikely to succeed, but in formalising its use. Organisations need to implement clear policies, supported by monitoring tools and training programmes, so that AI adoption occurs within defined boundaries rather than in the shadows.

Over-permissioning: When AI has too much power

A second risk concerns the integration of AI agents into corporate systems with insufficient restrictions. In an effort to accelerate automation, some organisations grant AI tools broad access to databases, production systems and code repositories. The rationale is efficiency: the more data and functions an AI agent can access, the more useful it becomes.

However, this approach ignores a fundamental principle of information security: least privilege. AI systems, particularly those capable of autonomous decision-making, can act unpredictably when given excessive permissions.

There have already been instances where AI agents have inadvertently deleted production data or compromised system integrity. Such events illustrate a key difference between human and machine actors: AI lacks contextual understanding and does not inherently recognise the consequences of its actions. Mitigation requires a combination of technical controls and cultural change. Access permissions must be tightly defined, and employees need to understand that an AI system is not a colleague—it is a tool that requires careful supervision.

Hallucinations: A persistent reliability problem

Generative AI systems are also prone to “hallucinations”—instances where the model produces information that is false yet presented as fact. While improvements in model design have reduced the incidence of such errors, rates of incorrect output remain significant. In customer-facing environments, the consequences can be immediate: misinformation, reputational damage and, increasingly, legal exposure.

The cases involving Air Canada and McDonald’s underline this point. When AI systems provide incorrect advice or misleading information, organisations remain accountable for the outcome, regardless of whether a human or machine generated the response.

From a quality perspective, this aligns with broader issues in regulated industries: outputs must be verified before they are relied upon. In practice, this means implementing human oversight as a non-negotiable element of AI workflows.

The growing threat of deepfakes and impersonation

The integration of AI into business processes is also expanding the attack surface for cybercrime. AI-generated deepfakes are becoming increasingly convincing. Cases of fraudulent video calls and voice cloning scams have demonstrated how attackers can exploit trust within organisations.

These threats are particularly difficult to manage because they target human perception rather than technical systems. An employee who believes they are interacting with a legitimate colleague may unknowingly authorise a transaction or disclose sensitive information.

Addressing this risk requires a shift in organisational awareness. Training programmes must evolve to include the identification of AI-generated content, and verification processes should be strengthened for high-risk communications.

Another area of concern is algorithmic bias, particularly in applications such as recruitment and performance management. AI systems learn from historical data, and where that data contains biases, the resulting outputs can perpetuate or even amplify those biases. Studies have shown, for example, that automated recruitment tools may favour candidates associated with certain demographic groups.

For organisations, the implications are both ethical and legal. Discriminatory outcomes can lead to reputational damage, employee dissatisfaction, and regulatory scrutiny.

The challenge here is not solely technical. While improving training data is essential, organisations must also recognise the limitations of AI in making complex, context-sensitive decisions.

Human oversight is critical, particularly in areas that directly affect individuals’ careers and livelihoods. AI can support decision-making, but final judgments should remain with accountable human actors.

Accountability: Who is responsible when AI fails?

Perhaps the most complex issue is accountability. When an AI system makes a decision that leads to harm—financial, operational or reputational—who is responsible? The developer, the organisation, the user, or the system itself?

Current evidence suggests that many organisations are ill-prepared to answer this question. A relatively small proportion consider themselves highly equipped to manage AI-related risk, and governance structures are often underdeveloped.

From a regulatory perspective, however, the situation is clear: responsibility ultimately rests with the organisation deploying the technology. AI does not absolve liability.

To address this, companies need to establish clear accountability frameworks. This includes maintaining detailed audit trails, documenting decision-making processes, and staying aligned with emerging legal requirements.

The overarching theme across these risk areas is a mismatch between the pace of AI adoption and the development of governance mechanisms. Organisations are encouraging employees to “use AI more” yet often fail to provide the necessary guidance on how this should be done safely. As a result, workers are left to make their own judgments, sometimes with serious consequences.