How we arrived at $463M
Across 312 enterprises we modeled the expected loss from three scenarios: regulatory fines from AI-assisted GDPR/HIPAA violations, IP theft via exposed source code and roadmaps, and litigation from privileged legal content leaked to public LLMs. Median annualized expected loss per firm: $1.48M.
The distribution is not what you expect
Risk is not concentrated in outliers. The 50th-percentile firm carries $800K of annualized expected shadow-AI loss. Only 8% of firms have zero material exposure. This is not a big-company problem — we see the same risk density at 2,000-person firms as at 50,000-person enterprises.
Board liability is real
In three of the eight AI-related regulatory actions we tracked in Q1 2026, regulators cited the absence of an AI tool inventory as evidence of negligent oversight. That is a governance failure, not just a security failure, and boards are starting to understand the distinction.
The five highest-exposure data categories
M&A and deal documents, source code and architecture diagrams, patient and health records, attorney-client privileged communications, and employee PII. All five appear regularly in prompts submitted to public LLMs — we see them in anonymized telemetry from opt-in research customers.
The 60-day program
Discovery in week 1. Sanctioned-list policy in week 2. Inline DLP on the top five tools by week 4. Board reporting template by week 6. Full audit capability by week 8. Firms that run this program reduce expected loss exposure by more than 80%.