AI & Algorithmic Governance

Shadow AI in LATAM: 73% of Certified Organizations Run AI Without Oversight

A survey of 140 organizations holding an active ISO/IEC 27001 certification across Argentina, Brazil, Colombia, Mexico, and Peru found that 73% have at least one generative AI tool in operational use without formal approval from the security function. The departments with the highest unauthorized adoption are Marketing (89%), Human Resources (71%), and Finance (54%). The most common tools are ChatGPT used directly through the consumer interface rather than a corporate API, Copilot without an enterprise licence, and language-model automations embedded in spreadsheets. 61% of the ISO/IEC 27001:2022 Annex A controls covering asset management and access control proved insufficient to detect these tools, because they do not recognize AI systems as an asset category. Four primary data leakage vectors were identified: prompts containing confidential client data (42%), uploads of internal documents to public AI platforms (38%), using AI to generate code that contains embedded sensitive data (12%), and automations sending data to external APIs without logging (8%). The remediation model developed classifies Shadow AI into three risk tiers and proposes controls compatible with ISO/IEC 27001 and ISO/IEC 42001 that do not restrict productivity.

Key Questions

  • What share of organizations have employees using generative AI without authorization? — 73% of surveyed organizations have at least one unauthorized tool in use; in Marketing departments the figure reaches 89%.
  • What data leakage vectors does Shadow AI create? — Four primary vectors: prompts with client data (42%), internal document uploads (38%), code with sensitive data (12%), unlogged external APIs (8%).
  • Which Annex A controls fail? — 61% of the asset-management and access-control controls evaluated do not recognize AI systems as an asset category, which makes them ineffective for Shadow AI detection.

Methodology

Normative framework

ISO/IEC 27001:2022 (Annex A — access control, asset management, and communications security); ISO/IEC 42001:2023 (AI system inventory and governance); NIST AI RMF 1.0 (risk profile and GOVERN function); EU AI Act (2024/1689, Articles 4 and 6).

Research protocol

Survey of 140 ISO/IEC 27001 certified organizations across five LATAM countries, combining a questionnaire with analysis of outbound network traffic. Identification and classification of 23 AI tools in unauthorized use, broken down by department. Analysis of four data leakage vectors, with frequency quantified by vector type. Effectiveness evaluation of 57 Annex A controls against AI assets. Development of a three-tier risk remediation model with specific controls per tier.
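As an added example (not part of the survey or its remediation model), the following Python script sketches the traffic-analysis side of the protocol: it parses Squid-style proxy access-log lines, maps destination hosts to known generative-AI services, aggregates hits per department, and reports every (department, tool) pair absent from an approved AI-asset inventory of the kind ISO/IEC 42001 expects. The domain list, the IP-to-department mapping, the approved inventory, and the log lines are all constructed assumptions for illustration; the survey's own list of 23 tools is not reproduced here.

```python
"""Shadow-AI detection from proxy logs (added example, not the survey's tooling).

Every domain, department, IP address and log line below is constructed for
illustration. The domain-to-tool map is an assumption, not the survey's list.
"""
import re
from collections import defaultdict

# Assumed map of generative-AI SaaS endpoints to tool names.
AI_DOMAINS = {
    "chatgpt.com": "ChatGPT (web)",
    "chat.openai.com": "ChatGPT (web)",
    "api.openai.com": "OpenAI API",
    "copilot.microsoft.com": "Copilot",
    "claude.ai": "Claude (web)",
    "api.anthropic.com": "Anthropic API",
    "gemini.google.com": "Gemini (web)",
}

# Assumed approved AI-asset inventory: (tool, department) pairs the security
# function has sanctioned. Any other AI traffic is treated as Shadow AI.
APPROVED = {("OpenAI API", "Engineering")}

# Assumed source-IP to department lookup (in practice: DHCP / IdM / CMDB data).
IP_TO_DEPT = {
    "10.0.1.10": "Marketing", "10.0.1.11": "Marketing",
    "10.0.2.20": "HR", "10.0.3.30": "Finance", "10.0.4.40": "Engineering",
}

# Squid native access-log layout: time elapsed client code/status bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample log lines (HTTPS shows up as CONNECT host:443 tunnels).
SAMPLE_LOG = """\
1717000001.123    120 10.0.1.10 TCP_TUNNEL/200 48211 CONNECT chatgpt.com:443
1717000002.456     80 10.0.1.11 TCP_TUNNEL/200 9200 CONNECT copilot.microsoft.com:443
1717000003.789     95 10.0.2.20 TCP_TUNNEL/200 150233 CONNECT chatgpt.com:443
1717000004.012     40 10.0.3.30 TCP_TUNNEL/200 3300 CONNECT api.openai.com:443
1717000005.345     60 10.0.4.40 TCP_TUNNEL/200 7100 CONNECT api.openai.com:443
1717000006.678     30 10.0.3.30 TCP_MISS/200 1200 GET http://intranet.example.local/index.html
"""


def host_of(url: str) -> str:
    """Normalise a proxy-log URL (CONNECT host:port or scheme://host/path) to a bare hostname."""
    url = re.sub(r"^[a-z]+://", "", url, flags=re.I)
    return url.split("/")[0].rsplit(":", 1)[0].lower()


def classify_tool(host: str):
    """Return the AI tool name for host or any of its parent domains, else None."""
    parts = host.split(".")
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in AI_DOMAINS:
            return AI_DOMAINS[candidate]
    return None


def find_shadow_ai(log_text: str):
    """Aggregate AI-endpoint traffic per (department, tool) and drop sanctioned pairs."""
    agg = defaultdict(lambda: {"requests": 0, "bytes": 0, "clients": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        tool = classify_tool(host_of(m["url"]))
        if tool is None:
            continue  # not a known AI endpoint
        dept = IP_TO_DEPT.get(m["client"], "unknown")
        rec = agg[(dept, tool)]
        rec["requests"] += 1
        rec["bytes"] += int(m["bytes"])
        rec["clients"].add(m["client"])
    # Keep only pairs that are not in the approved inventory.
    return {k: v for k, v in agg.items() if (k[1], k[0]) not in APPROVED}


def report(findings) -> list:
    """Render findings as text lines, largest traffic volume first."""
    ordered = sorted(findings.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return [
        f"{dept:<12} {tool:<16} requests={v['requests']} bytes={v['bytes']} "
        f"clients={len(v['clients'])}"
        for (dept, tool), v in ordered
    ]


if __name__ == "__main__":
    for line in report(find_shadow_ai(SAMPLE_LOG)):
        print(line)
```

Two caveats a practitioner would add. First, this only sees traffic that actually traverses the proxy; automations that call external APIs directly (the unlogged-API vector) are invisible unless egress is forced through the proxy or a firewall with equivalent logging. Second, for HTTPS the log carries only the hostname, so the script can say which tool and how much traffic, not what was in the prompt or upload; classifying the content of a leak still requires DLP or TLS inspection where policy allows it.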
