A Pennsylvania community bank recently disclosed a data exposure incident after an employee entered nonpublic customer information into an unauthorized generative artificial intelligence (AI) application. The information included highly sensitive personal data, such as customer names, Social Security numbers, and dates of birth.
According to reports, the bank was able to contact the application vendor and successfully remove the information before it was incorporated into the vendor’s AI training models. The bank subsequently filed a voluntary disclosure with the Securities and Exchange Commission (SEC) on May 7, 2026.
The incident illustrates how a single employee action can trigger multiple regulatory and compliance obligations. In this case, the exposure resulted in SEC disclosure requirements, notification obligations to the bank’s prudential regulator, and customer notification requirements under the Gramm-Leach-Bliley Act (GLBA).
While data breaches are often associated with cyberattacks, stolen credentials, or network intrusions, this incident stemmed from an employee’s use of an unsanctioned AI tool. Industry experts point to this growing phenomenon—commonly referred to as “shadow AI”—as an emerging operational risk for organizations across all sectors.
In a LinkedIn post, AI governance specialist Jesse Kerr noted that the incident was not the result of a traditional security failure. Instead, it highlighted a lack of organizational visibility into how employees are using AI tools in their day-to-day work. Because the employee was authorized to access the customer information but used an unauthorized application, the organization had limited oversight into where the data was transmitted and stored.
The Growing Challenge of Shadow AI
As generative AI tools become increasingly accessible, many employees are turning to them to improve efficiency and productivity. However, this trend has created new risks for organizations that lack clear governance frameworks.
Research from WalkMe found that 78% of employees use AI tools that are not approved or provided by their employers. At the same time, a report from McKinsey & Company suggests that business leaders may be significantly underestimating the extent of AI adoption within their organizations. While executives estimated that only 4% of employees regularly use generative AI for at least a third of their work, employee surveys indicated the actual figure was closer to 12%.
The financial impact of unmanaged AI use is also becoming more apparent. IBM’s 2025 Cost of a Data Breach Report identified shadow AI as one of the leading contributors to costly data breaches. The report found that 63% of organizations that experienced breaches lacked a formal AI governance policy, while 97% of those that reported an AI-related security incident lacked proper access controls over their AI systems.
Experts caution that most employees are not intentionally creating risk when they adopt new AI tools. Rather, they are often seeking ways to streamline tasks and improve performance. The challenge for organizations is balancing innovation with appropriate safeguards.
Developing a clear AI governance framework is becoming increasingly important. Effective programs typically include policies outlining approved AI tools, restrictions on entering sensitive or regulated information into public platforms, employee training, and ongoing monitoring of AI usage across the organization. Written policy alone is not enough, however: the Pennsylvania bank was fortunate that the vendor could still remove the data, and many public AI services retain submitted prompts under their terms of use. Technical controls, such as blocking or proxying access to unapproved AI services and data loss prevention rules that flag identifiers like Social Security numbers in outbound traffic, keep the data from leaving in the first place.
As organizations continue to embrace AI technologies, the Pennsylvania bank incident serves as a reminder that some of the greatest risks may not come from external threats, but from well-intentioned employees using tools that fall outside established oversight and security controls.
Author: Jennifer Evancic
Jennifer.Evancic@ResourceManagement.com
Jennifer Evancic is a third-party auditor valued by creditors and large organizations for her knowledge in call monitoring within the collections industry. With meticulous attention to detail and a firm grasp of regulatory requirements, she ensures compliance with clients’ criteria and state and federal regulations.
Jennifer audits collections calls, ensuring they meet client-specific criteria and comply with regulations, providing valuable insights and maintaining industry standards.
Beyond her auditing responsibilities, Jennifer takes the lead in organizing and facilitating monthly call calibrations. These sessions serve as a collaborative forum where clients and their vendors come together to discuss call monitoring results and address any findings or areas for improvement. Jennifer’s guidance fosters open communication and ensures alignment between clients and vendors, driving continuous improvement in collections practices.
Jennifer stays up-to-date with compliance and industry best practices by participating regularly in peer meetings, regulatory updates and industry webinars. This keeps her informed about emerging issues and ensures she remains a knowledgeable leader in collections compliance.