Research · INV-01

Shadow AI in LATAM: 73% of Certified Organizations Run AI Without Oversight

Fernando Arrieta·January 14, 2026

Shadow AIISO 27001Generative AIOperational Risk

Overview

About this research

A survey of 140 organizations with active ISO 27001 certification across Argentina, Brazil, Colombia, Mexico, and Peru found that 73% have at least one generative AI tool in operational use without formal security function approval. The departments with the highest unauthorized adoption are Marketing (89%), Human Resources (71%), and Finance (54%). The most common tools are ChatGPT (direct use without corporate API), unlicensed Copilot, and language model automations embedded in spreadsheets. 61% of ISO 27001:2022 Annex A controls related to asset management and access control proved insufficient to detect these tools because they do not recognize AI assets as a category. Four primary data leakage vectors were identified: prompts containing confidential client data (42%), uploading internal documents to public AI platforms (38%), using AI to generate code with embedded sensitive data (12%), and automations sending data to external APIs without logging (8%). The remediation model developed classifies Shadow AI into three risk tiers and proposes controls compatible with ISO 27001 and ISO 42001 without restricting productivity.

Key findings

What the research found

Central questions answered with verifiable data from the study.

What share of employees use generative AI without authorization?

73% of surveyed organizations have unauthorized use; in Marketing it reaches 89%.

What data leakage vectors does Shadow AI create?

Four primary vectors: prompts with client data (42%), internal document uploads (38%), code with sensitive data (12%), unlogged external APIs (8%).

Which Annex A controls fail?

61% of asset management and access controls do not recognize AI assets as a category, making them ineffective for Shadow AI detection.

Methodology

How we conducted the research

Steps completed, sources consulted, and evidence collected during the study.

Normative and theoretical framework: ISO/IEC 27001:2022 (Annex A — access control, asset management, and communications security); ISO/IEC 42001:2023 (AI system inventory and governance); NIST AI RMF 1.0 (risk profile and GOVERN function); EU AI Act (2024/1689, Articles 4 and 6).

01Survey of 140 ISO 27001 certified organizations across 5 LATAM countries (survey + traffic analysis)

02Identification and classification of 23 AI tools in unauthorized use by department

03Analysis of 4 data leakage vectors with frequency quantification by type

04Effectiveness evaluation of 57 Annex A controls against AI assets

05Development of 3-tier risk remediation model with specific controls

Deliverables

Available deliverables

Documents with the full results of this research, adaptable to each organization’s context.

Full Shadow AI LATAM report — data from 140 organizations

AI tool risk matrix — 23 classified tools

Shadow AI remediation model — 3 tiers with ISO controls

Download Audit Material

Request the complete methodological package for research [INV-01]. Institutional use only.

Tratamiento de datos confidencial según ISO/IEC 27001

Related research

Complementary studies

Research that extends or contrasts the findings of this study.

ISO 42001 in Practice: Only 28% of Certified Organizations Manage AI EffectivelyINV-02 ISO 27001 + ISO 42001 Convergence: 37 Shared Controls and 40% Implementation SavingsINV-03 AI AuditSystem AI GovernanceSystem AI AuditSystem Information SecuritySystem

Share this research

Help circulate evidence-based governance.

Share on LinkedIn Share on X Share via email

Does this research apply to your organization?

If the question is institutional and has context, we can guide you on the next steps.

Start a conversation View all research

Cargando

Preparando la información solicitada…