A Critical Risk Reminder: OpenAI’s Security Breach and Shadow AI

OpenAI recently confirmed that two employee devices in its corporate environment were impacted as part of the TanStack npm supply chain attack.

According to OpenAI, the security breach involved activity consistent with malware behaviour, including unauthorised access and credential-focused exfiltration activity in a limited subset of internal source code repositories accessible to the impacted employees.

Importantly, OpenAI stated that it found no evidence that user data was accessed, production systems or intellectual property were compromised, or that its software was altered. However, the incident still highlights a modern critical risk for organisations: the potential scale of exposure when security incidents occur in AI platforms.

This is where Shadow AI becomes a material concern.

What is Shadow AI?

Shadow AI is a subset of Shadow IT — the use of unapproved/unknown systems and services — but applied specifically to artificial intelligence technologies.

While Shadow IT has historically been an underestimated risk, sometimes acknowledged but rarely prioritised, the emergence of AI fundamentally changes the equation.

The Risk Multiplier Effect

Unlike traditional Shadow IT, Shadow AI is not limited to a rogue user, unapproved application, or isolated department. AI is frictionless, highly accessible, and increasingly embedded into the tools people already use. It encourages unstructured interaction and autonomous action, inviting users to input large volumes of contextual information or delegate actions.

It is this data‑consumptive nature of AI, combined with its accessibility, that materially amplifies the risk. Low‑friction, common AI tools such as ChatGPT are designed to process context — often in large volumes and at significant scale — which may include confidential documents, client data, source code, internal strategies, financial information, or regulated data.

As a result, the potential exposure profile of unmanaged AI usage can exceed traditional technology risk in both scale and uncertainty, particularly when outside approved governance, monitoring, and data controls.

This is the critical point: a third-party security breach and unmanaged AI usage are each serious risks on their own. When paired together, they can create an exposure scenario that is extremely difficult — and potentially impossible — for an organisation to quantify.

The Takeaway

This incident reinforces the importance of robust third‑party risk management as organisations increasingly rely on external systems and services. However, the risk demanding immediate attention today is Shadow AI.

Organisations need to understand which AI tools are being used, what data is being shared, and whether sufficient governance, monitoring, access controls, and data protections are in place.

AI usage is continually accelerating, and as recent security incidents continue to show, so is the potential for data exposure. Shadow AI is no longer a theoretical risk. It is a current and urgent control gap that organisations should be addressing now.

For strategic guidance or further enquiries, please don’t hesitate to contact us.