Shadow AI: Why Indian Firms Must 'Fight AI with AI' On average 10 % of an enterprise's 66 GenAI applications are classified as high-risk, Palo Alto Networks report

As generative AI (GenAI) adoption accelerates across India and the Asia-Pacific region, organisations are increasingly caught between the promise of innovation and the peril of growing security threats. A recent report by Palo Alto Networks "State of Generative AI 2025", highlights that on average 10 per cent of an enterprise's 66 GenAI applications are classified as high-risk.

In India, the top three most-used GenAI applications by volume were Grammarly (32.56 per cent), Microsoft Power Apps (19.98 per cent)), and Microsoft Copilot (16.37 per cent). While these tools are enabling a new wave of productivity, the report warns that unsanctioned use and poor oversight have significantly widened the cybersecurity attack surface.

"Organisations must balance innovation with strong governance, adopting security architectures that account for AI's unique risks from shadow AI and data leakage to the more complex threats posed by agentic AI models," said Tom Scully, Director and Principal Architect for Government and Critical Industries, Asia Pacific & Japan, at Palo Alto Networks.

One of the most alarming concerns is the rise of "Shadow AI" — the unauthorised or unsanctioned use of GenAI tools by employees. These tools, often outside the purview of IT and security teams, create blind spots in data visibility and increase the likelihood of breaches.

Amit Jaju, Senior Managing Director at Ankura Consulting, noted that the global cybersecurity community ranks shadow AI among the top five emerging risks, assigning it a severity rating of 7.8 out of 10. "With 36 per cent of employees using unapproved AI tools and nearly half of organisations unable to fully secure them, industries face critical threats such as data leaks like Samsung's source code incident or unauthorised processing of personal data," he warned.

He further emphasised that sectors like financial services and healthcare are especially vulnerable due to stringent regulatory mandates such as India's Digital Personal Data Protection (DPDP) Act and the EU's AI Act.

Fight AI with AI

India's ambition to lead the global AI race is clearly reflected in its 2025 Union Budget, which earmarks INR 500 crore to set up a Centre of Excellence in AI for education. But even as policy and investment pave the way forward, the digital threat landscape is also shifting rapidly. Cyber attackers are increasingly turning to AI to launch faster, more targeted, and more complex cyberattacks.

In this new reality, the only effective way to counter AI-fuelled threats is with AI-powered defences. "It's like hacking, you have ethical and unethical versions. Similarly, AI can be used for both good and bad. The tech itself is not the problem," said Tushar Dhawan, Partner at Plus91Labs.

Swapna Bapat, Vice President & Managing Director, India and SAARC at Palo Alto Networks, added, "India is one of GenAI's biggest adopters. In a country where work happens in multiple languages and at massive scale, it's no surprise that writing, coding, and conversational AI are leading use cases. But the pace of adoption has outstripped governance. Many organisations don't realise how deeply GenAI is already embedded in their workflows. The priority now isn't whether to use these tools, but how to secure them without slowing people down."