Optro Data: Shadow AI Is Winning—82 Percent of Organizations Report Surge in AI-Enabled Attacks

LOS ANGELES, CA — May 12, 2026 —Optro (formerly AuditBoard), the leading AI-powered GRC platform empowering enterprises to transform risk into opportunity, today released “Human Behavior: The AI Risk Surface GRC Can't Ignore.” The report, which surveyed 800+ IT, security, audit, and GRC professionals, reveals a critical shift in the threat landscape: the most urgent AI risks don't come from model failures like hallucinations—they come from unvetted employee behavior and Shadow AI. The findings also informed Optro's recent acquisition of Midship, representing a significant milestone in delivering the first and only enterprise-grade agentic system of action for GRC.

The AI Visibility Gap: Governing the Invisible

AI adoption is outpacing governance. Despite rapid integration into daily workflows:

• Only 34 percent of organizations maintain a formal AI model inventory.
• Only 18 percent of organizations automatically block unauthorized AI domains.
• 56 percent of organizations use embedded AI within third-party vendor tools, which employees often don't even recognize as "using AI,” heightening the potential for unmanaged third-party threats.

The consequences are real: 82 percent of respondents reported an increase in AI-enabled attacks over the last 12 months. Chief Information Security Officers (CISOs) are feeling the pressure most acutely, with 72 percent reporting a "significant" increase in attacks, led primarily by AI-powered social engineering.

The Accountability Gap: Authority vs. Responsibility

GRC and security leaders are being held responsible for risks they lack the tools or authority to address:

• Over two-thirds said they were only "somewhat confident" or "not very confident" their organization could respond decisively to a fast-moving AI security incident.
• 23 percent of CISOs cite a lack of AI security expertise as their top barrier.
• 42 percent of CISOs say insufficient focus on AI governance is their primary concern about the future policy environment.

The Future of GRC AI Governance

Organizations that integrate AI governance cross-functionally—with clear accountability across GRC and related teams—report better outcomes in nearly every area. In a separate Optro survey, when asked which AI-powered capabilities would be most valuable for compliance and risk teams, 71 percent selected agentic and automation technology. This suggests practitioners are eager to implement emerging AI-powered technologies such as autonomous agents. Optro's acquisition of Midship directly addresses this demand, deploying AI agents capable of automating up to 87 percent of manual controls tasks.

“AI sits on both sides of the risk coin—it will significantly increase the surface area of risk for all organizations, and at the same time, AI will be a critical component of the governance stack,” said Guru Sethupathy, GM of AI Governance at Optro. “That is why we believe smart AI Governance will be a differentiator, enabling speed and trust.”

To download the full report, visit Optro.ai.