Shadow AI Lands on the SEC’s Radar
“Shadow AI” may well be the coolest-sounding corporate risk factor you will ever hear of—one that would work nicely on the spine of a Tom Clancy novel. In reality, though, the risk is more routine and pervasive than it is exotic. And as the recent experience of a regional bank in Pennsylvania shows, it’s a material one worth reading up on.
As Wilson Sonsini describes it, shadow AI is the “growing practice of employees independently using large language models and other AI tools without organizational approval or security review.” Whereas most cyber threats come from malicious outsiders, shadow AI has more benign roots: employees looking for a shortcut. With shadow AI, that is, the call is coming from inside the house—or, well, the office.
On May 5, 2026, Community Bank, a subsidiary of CB Financial Services, discovered that an employee had used an unauthorized AI application to process non-public customer information, including names, Social Security numbers, and dates of birth. Andrew Hoog of Board Cybersecurity aptly called that data “a full identity-theft starter kit.” Two days later the company determined the incident was material, and on May 11 it filed a Form 8-K under Item 1.05. As Wilson Sonsini notes, this was the first-ever 1.05 filing triggered by insider AI misuse rather than an external attack.
CB Financial’s materiality determination was quite a nuanced one. While CB determined the incident material enough to warrant a 1.05 filing, in the same filing it said the incident was not expected to have a material impact on the company’s financial condition or operations. There was no system disruption, interrupted customer access, or hit to the balance sheet. The materiality call rested entirely on the volume and sensitivity of the exposed data. That makes the filing an outlier: of 153 cybersecurity-related 8-Ks in Hoog’s dataset, CB was unique in expressly disclaiming financial impact while still being filed under Item 1.05. The lesson for other registrants is that an incident may not require a financial loss to clear the materiality bar.
This appears to be a widespread threat. KPMG’s Q1 2026 AI Pulse survey found 44% of leaders cite cybersecurity and employee misuse as the hardest AI challenge through 2030. For boards of banks in particular, the headaches that can accompany the discovery of shadow AI usage are considerable: state breach-notification laws, the GLBA Safeguards Rule, federal banking guidance, NYDFS-style requirements, plus shareholder-litigation risk if the board is seen to have failed in its oversight responsibilities. The timeline is unforgiving, too, with the four-business-day clock starting at the materiality determination. A board’s first encounter with shadow AI-related risks could be documented in a public filing within a week. Wilson Sonsini’s advice: inventory where AI lives in your organization, operate AI governance and cybersecurity as a single program, write an acceptable-use policy with teeth, and run AI-specific tabletop exercises.
This fits a trend we’ve tracked. Our August 2025 report found “Cybersecurity, Data Privacy, and Information Technology” was the most-cited category of AI risk in 10-Ks, up roughly 91% year over year. Our April 2026 report, meanwhile, cited CrowdStrike’s observation of an 89% jump in attacks by AI-enabled adversaries, illustrating that AI-related risks can also originate from external sources.
Most pertinently, our September 2025 governance report flagged the call for board-level AI oversight committees, which are exactly the bodies built to catch this new but not entirely exotic threat.
For public companies, “shadow AI” is increasingly being viewed as a governance, cybersecurity and disclosure issue, not merely a technological one. And while “shadow AI” may sound like a niche technology term, the underlying risk is both widespread and increasingly relevant.