May 26, 2026

The Sabotage Signal — 29% Are Undermining Your AI Strategy

AUTHOR

James A. Wondrasek

Nearly one in three employees is actively undermining their company’s AI strategy. Among Gen Z workers, that figure rises to 44%. The CalypsoAI Insider AI Threat Report — a Censuswide survey of 1,002 US office workers — found 52% willing to break AI policy for tools that make their jobs easier. Microsoft Cyber Pulse data puts active undermining at 29%: employees who have crossed from willingness into action, using unsanctioned tools, routing around content controls, submitting proprietary data to consumer AI.

When nearly one in three employees routes around your AI policy, you have a governance problem. The same employees bypassing chatbot restrictions today are the most likely to deploy unauthorised autonomous agents tomorrow — where the stakes are qualitatively higher. This article explains what the 29% figure actually means, why Gen Z leads it, and how the WEF bounded autonomy framework offers a practical response to the agentic governance gap.

What Does It Mean That 29% of Employees Are Actively Undermining Their Company’s AI Strategy?

This isn’t passive non-compliance. The 29% are working around policy deliberately — using personal ChatGPT accounts, routing around sanctioned tools, submitting proprietary data to consumer AI, deploying AI in ways the organisation has explicitly prohibited.

CalypsoAI’s data makes it concrete: 28% have submitted proprietary company information to AI to complete a task. 87% work at organisations with an AI policy. More than half are willing to break it. The 29% unsanctioned-agent-use figure comes from Microsoft Cyber Pulse data. Both data sets are well-supported and point in the same direction.

Then there’s the C-suite problem. Sixty-seven per cent of executives say they’d use AI even if it breaks company rules — the highest rate of any role, against 52% overall. “Senior leaders should set the standard,” said CalypsoAI CEO Donnchadh Casey, “yet many are leading the risky behaviour.” When leadership models circumvention, it stops being deviance and starts being culture.

💡 Shadow AI is unsanctioned AI tool use outside IT visibility — the AI-era equivalent of shadow IT, but qualitatively riskier because these systems reason over proprietary data and can take automated actions.

Why Is the 44% Gen Z Figure a Change Management Signal, Not a Workforce Quality Problem?

The 44% figure does not mean Gen Z workers are less compliant. It means AI policy is failing to reach the cohort most likely to adopt AI quickly.

Gallup and the Walton Family Foundation found one in six young workers used AI despite explicit employer prohibition. Gen Z has grown up selecting their own tools. Workplace restrictions without a visible rationale don’t feel like safety measures — they feel like arbitrary barriers.

High adoption, high anxiety, high willingness to route around unexplained rules. If the cohort most likely to benefit from AI is the cohort most likely to circumvent policy, enforcement is not the answer. Redesigning how policy communicates its rationale is.

What Is the Governance and Trust Failure Behind the Sabotage Signal?

When a significant share of employees bypass policy, the policy is not communicating its rationale. That is the root issue.

Forty-eight per cent of security employees said their AI policy was unclear, so they used AI as they saw fit. Justin St-Maurice of Info-Tech Research Group identified the underlying mechanism: “Shadow AI has become the new shadow IT. Employees are using unsanctioned tools because AI delivers two things they actually feel: cognitive offload takes the drudge work off their plates, and cognitive augmentation helps them think, write, and analyse faster.” Blocking the tool without offering an alternative is not a governance strategy. It’s just friction.

The structural response is structured enablement: a sanctioned AI gateway with prompt logging, sensitive field redaction, and plain-language rules employees can actually remember. That is the governance and trust crisis behind the sabotage signal explained in full — and it is one dimension of the broader agentic governance gap that needs to scale, because the 29% problem looks very different when the tools are autonomous agents.
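A sketch of the gateway step described above, added here as an example and not taken from any vendor or from the original article. The redaction patterns, the `sk-` key format and the `gateway_submit` and `forward` names are assumptions made for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Constructed patterns; a real gateway would load the organisation's own
# data-classification rules instead of these three.
REDACTION_RULES = {
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "CARD": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
    "API_KEY": re.compile(r"\bsk-[A-Za-z0-9]{16,}\b"),  # hypothetical key format
}


def redact(prompt):
    """Replace sensitive fields with typed placeholders; return text and counts."""
    counts = {}
    for label, pattern in REDACTION_RULES.items():
        prompt, hits = pattern.subn(f"[{label}_REDACTED]", prompt)
        if hits:
            counts[label] = hits
    return prompt, counts


def gateway_submit(user, prompt, audit_log, forward):
    """Redact first, log the redacted prompt, then forward it to the model."""
    clean, counts = redact(prompt)
    audit_log.append(json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "prompt": clean,          # the raw prompt is never written to the log
        "redactions": counts,     # what was stripped, by category
    }))
    return forward(clean)         # `forward` stands in for the sanctioned model call
```

Because redaction runs before both the log write and the model call, the audit trail shows who asked what without becoming a second copy of the sensitive data.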

How Does the Workforce Behaviour That Produces the 29% Figure Escalate When the Tools Are Autonomous Agents?

A chatbot policy violation is bounded to one session. An autonomous agent is not.

When employees who bypass chatbot restrictions deploy unauthorised agents, the risk profile changes completely. Persistence: shadow agents run indefinitely, outside business hours, without anyone watching. Elevated permissions: agents inherit the deploying employee’s access footprint. Cascading compromise: agents spanning multiple applications propagate failures across every connected system.

Okta reports 88% of organisations have experienced AI agent security incidents. Shadow AI-related breaches average 223 per organisation per month — doubling year-over-year. The 29% who undermine strategy through chatbot workarounds are a significant share of the population generating the shadow agents this behaviour produces in practice.

What Is AI Literacy and Why Is the Capability Gap the Root Cause of Both Resistance and Agentic Risk?

The employee using an unsanctioned ChatGPT account and the employee deploying an unauthorised agent share a root cause: they don’t fully understand what the risks are.

An employee who understands why sanctioned tools exist has a rational basis for preferring them. An employee who only knows IT said “no” has none. Thirty-eight per cent of C-suite executives admit they don’t know what an AI agent is. Executives who can’t explain what agents do cannot write credible policy, communicate the rationale, or model compliant behaviour. All three are change management prerequisites.

Role-based AI training is the response. Function-specific risk education, not abstract compliance theatre.

What Is Memory Poisoning and Why Does It Become a Risk When Non-Technical Employees Deploy Agents?

Memory poisoning is when malicious content enters an AI agent’s memory store, causing it to behave incorrectly on every subsequent interaction — persistently, not just once.

Anthropic research demonstrated that as few as 250 malicious documents can successfully backdoor large language models. A single employee could inadvertently approach that threshold by connecting an agent to a supplier portal, public web page, or email inbox without understanding what that means.

The related risk is indirect prompt injection: malicious instructions embedded in content the agent reads cause it to execute commands without user approval. OWASP’s Agentic Security Initiative identifies memory poisoning, tool misuse, and privilege compromise as the top agentic risks. HR and operations leaders don’t need to be security experts. They do need a working model of why non-technical agent deployment carries real risks — so when the policy says “don’t connect agents to external email,” it makes sense.

What Does Bounded Autonomy Mean as a Governance Framework That Employees Can Actually Engage With?

Bounded autonomy — from the WEF MINDS programme’s January 2026 white paper with Accenture — is the idea that AI agents should operate within explicitly defined, auditable, and revocable boundaries, with human oversight calibrated to task risk level.

Unlike a prohibition-based policy, bounded autonomy answers the questions employees are actually asking: what is the agent authorised to do, what is it not, and why? Transparency converts AI policy from arbitrary restriction into a governance commitment. That addresses the trust deficit at the root. See the WEF bounded autonomy framework as the trust response for the full MINDS framework detail.

Mid-market guidance. For 50–500 employee organisations, a one-page AI Acceptable Use Policy addendum covers the essentials: permitted AI tools, prohibited data categories, permitted agentic actions, approval requirements for high-risk tasks, and an escalation path for edge cases. A team all-hands with function-specific risk examples covers training. In organisations of this size, the most impactful signal is whoever leads AI governance actually modelling compliant behaviour. The 67% executive circumvention finding is a warning about what happens when it points the wrong way.

Least privilege is the operational expression: agents hold only the permissions needed for their current task, with short-lived credentials and comprehensive decision logging.
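The boundaries described in this section, written as an authorisation check. This is an added example, not code from the WEF paper or the original article; the `Grant` and `Boundary` names, the two risk tiers and the sample action names are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Grant:
    """Task-scoped permissions for one agent: explicit, revocable, short-lived."""
    agent: str
    actions: dict        # action name -> risk tier, "low" or "high" (assumed tiers)
    expires_at: float    # epoch seconds; the credential is deliberately short-lived
    revoked: bool = False


@dataclass
class Boundary:
    """Decides every agent action and records the decision for audit."""
    decisions: list = field(default_factory=list)

    def authorize(self, grant, action, now, approver=None):
        if grant.revoked:
            verdict, why = "deny", "grant revoked"
        elif now >= grant.expires_at:
            verdict, why = "deny", "credential expired"
        elif action not in grant.actions:
            verdict, why = "deny", "action outside boundary"
        elif grant.actions[action] == "high" and approver is None:
            verdict, why = "needs_approval", "high-risk action requires a human"
        else:
            verdict, why = "allow", "within boundary"
        # Denials are logged too: the audit trail covers every decision.
        self.decisions.append({"t": now, "agent": grant.agent, "action": action,
                               "verdict": verdict, "reason": why,
                               "approver": approver})
        return verdict


if __name__ == "__main__":
    # Constructed sample: an invoice agent with one low-risk and one high-risk action.
    boundary = Boundary()
    grant = Grant("invoice-bot", {"read_invoice": "low", "send_payment": "high"},
                  expires_at=900.0)
    for action in ("read_invoice", "send_payment", "read_email"):
        print(action, "->", boundary.authorize(grant, action, now=60.0))
```

The default is deny: anything not listed in the grant is refused, and a high-risk action stays blocked until a named approver is supplied.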

FAQ

What does “actively undermine AI strategy” mean in practice?

Deliberately working around policy: using personal ChatGPT accounts for work, routing around sanctioned tools, sharing restricted data with consumer models, deploying unauthorised agents, manipulating prompts to defeat content controls. This is not employees who simply aren’t using AI yet.

Is the 29% figure from CalypsoAI or another source?

CalypsoAI’s Insider AI Threat Report (Censuswide, n=1,002, June 2025) found 52% willing to break AI policy. The 29% unsanctioned-agent-use figure comes from Microsoft Cyber Pulse data. Both are well-supported across independent data points.

Why do executives break AI policy more than entry-level employees?

Sixty-seven per cent say they’d use AI even if it breaks company rules, against 52% overall. They face fewer consequences, have more authority to redefine what the rules mean, and are less likely to have received role-appropriate training. When executives model workarounds, policy becomes optional.

What is shadow AI and how is it different from shadow IT?

Shadow IT exposed files and messages. Shadow AI involves reasoning over proprietary data, generating decisions, and taking automated actions. An unauthorised tool leaking a spreadsheet is recoverable. An unauthorised agent acting on sensitive customer data is a different risk category altogether.

Can employees accidentally poison an AI agent’s memory without knowing?

Yes. Connecting an agent to a public website, supplier portal, or unvetted document repository may inadvertently introduce corrupting content. Anthropic’s research shows as few as 250 malicious documents are sufficient to persistently alter LLM behaviour.

What is indirect prompt injection and how does it affect agentic deployments?

Malicious instructions embedded in content an agent reads — a document, web page, or email — cause it to execute those instructions as if from a trusted user. An employee whose agent is connected to external email may inadvertently hand a hostile sender instructional access to that agent.

How does the WEF MINDS report define bounded autonomy?

Agents operating within predefined action spaces, with human oversight calibrated to risk and decision complexity — autonomy expands as trust builds. From the employee’s perspective: agents operate within boundaries that are explicit, auditable, and revocable.

What is the minimum viable AI governance update for a 50-person company?

A one-page AI Acceptable Use Policy addendum: permitted AI tools, prohibited data categories, permitted agentic actions, required approval thresholds, and an escalation path. Least privilege for deployed agents. Function-specific risk examples at a team all-hands for training.

Why is Gen Z more likely to circumvent AI policy than other cohorts?

They’ve normalised self-directed tool selection through app stores and consumer AI. Restrictions without visible rationale feel like arbitrary barriers. Gallup/Walton Family Foundation found one in six young workers used AI despite explicit prohibition.

How does AI literacy training reduce agentic risk?

Employees who understand what agents can access, what memory poisoning and indirect prompt injection are, and why sanctioned tools include specific guardrails have a rational basis for preferring governed options — and can self-govern in situations the policy didn’t cover.
