Intent Is Not a Security Control
A new study from BCG and Columbia Business School found a 51-percentage-point gap between executives and individual contributors on whether employees feel informed about their organization's AI strategy. Leadership thinks the message landed. Employees largely haven't heard it.
The commentary this data has generated focuses almost entirely on the change management implications — better communication, clearer policies, stronger training programs. Get alignment right, and the risk goes down. It's a reasonable argument. It's also the wrong unit of analysis for a CISO.
What that framing misses is the question a security leader should be asking: if a gap that wide means a large share of the workforce is effectively operating outside your AI governance framework, what is actually leaving your environment right now, and does it matter that nobody meant for it to?
The Incident You Can't Blame Anyone For
Picture a mid-level finance analyst at a company with a thoughtful AI policy. She's heard of the policy. She doesn't think she's violating it. She's using an AI tool to summarize a quarterly earnings draft before it goes to legal review — not to exfiltrate anything, not because she's careless, but because it saves her two hours and she has a deadline.
The tool she's using isn't on anyone's approved list. It runs in a browser on her corporate laptop. The prompt she submits includes deal terms, revenue projections, and a reference to an acquisition that hasn't been announced. The session is logged on a third-party server in a jurisdiction your legal team has never considered. She closes the tab and gets back to work.
No malicious intent. No insider threat. No policy violation she was aware of. And somewhere outside your perimeter, sensitive pre-announcement financial data now exists in a system you don't control.
This is the incident that doesn't show up in most threat models, because the threat model was built around intent.
Why Intent-Based Security Fails AI
Traditional insider risk frameworks were largely built to answer one question: is this person trying to hurt us? Behavioral indicators, access anomalies, HR flags, and data movement patterns were all designed to surface the outlier — the disgruntled employee, the departing executive copying files before their last day, the compromised account behaving suspiciously.
That framework assumes a meaningful difference between the malicious actor and the well-meaning one. For most threat categories, that distinction matters. For AI-driven data exposure, it largely doesn't.
The data that leaves through an unauthorized AI tool looks the same whether it was sent deliberately or accidentally. The third-party server doesn't care about the employee's motivation. The sensitive document summarized by a personal AI account doesn't get less sensitive because the person who uploaded it had good intentions. And when the exposure surfaces — in a competitor's pitch, in a regulatory inquiry, in a breach notification — the intent of the person who caused it is a footnote, not a defense.
Most security teams are still building their AI governance response around the assumption that informed employees make safe choices. The industry has a name for what happens when they don't — shadow AI — but the label has a way of making the problem sound more intentional than it usually is. It conjures an image of employees deliberately sneaking around policy. The reality is closer to the finance analyst above: someone doing their job, using a tool that works, with no particular awareness that anything is wrong.
The 51-point alignment gap tells you something important: a substantial portion of your workforce isn't informed. But the deeper issue is that even perfectly informed employees make choices that create risk, because the tools are frictionless, the value is immediate, and the risk is invisible to them in the moment.
Informed consent is not a data loss prevention strategy.
The Visibility Problem Underneath the Alignment Problem
Here's what makes this hard: the access controls most organizations rely on were designed for a pre-AI world where the risk surface was defined by applications and network paths. Proxy filters, URL categorization, SaaS access policies — these tools work when the threat is a known application on a managed network path.
AI changes the geometry. An employee using a browser-based AI tool on a corporate device over a home network bypasses proxy inspection entirely unless the device is forced through an always-on agent or cloud proxy, and even then the proxy sees a connection to a permitted host, not the prompt inside it, unless it also terminates TLS. A tool accessed through a personal account on a company machine doesn't register as an enterprise application. Sanctioned tools used in unsanctioned ways — pasting in data that shouldn't be there, using a personal workspace instead of the corporate tenant — fall outside the scope of access control policies that can only see whether the connection was allowed, not what traveled through it.
The result is a gap between what your policy says and what you can actually see. Most organizations today have an AI governance document and almost no endpoint visibility into whether that document maps to reality. They're governing an abstraction of AI usage, not AI usage itself.
What Closing That Gap Requires
The intent-irrelevant frame points directly at what needs to change. If you can't rely on employee intent to keep sensitive data out of unauthorized AI tools, and you can't rely on network-layer controls to catch everything that moves, you need visibility at the point where the decision happens: the endpoint.
Endpoint-native AI governance means watching what's actually running on corporate devices, seeing which AI tools are active, and detecting when sensitive data is moving into them — regardless of network path, regardless of whether the tool is sanctioned or not, and before the data has left the environment. It shifts the control surface from access to behavior, and from intent to outcome.
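One way to make the shift from access to behavior concrete is to evaluate each interaction on the device using what the endpoint can see and what the network cannot: which host the process is talking to, which account is signed in, and what content is about to be submitted. The script below is an added example, not InnerActiv's code and not a description of any product's internals. The host names, the corporate account domain, the detection patterns and the events themselves are constructed assumptions; the network field is recorded but deliberately ignored by the verdict, which is the point the section makes.

```python
"""Endpoint-side evaluation of AI-tool interactions.

Added example with constructed data. The verdict depends on destination,
signed-in account and content only; the network path plays no role.
"""
import re
from dataclasses import dataclass

# Assumed inventory of AI hosts (hypothetical names). "sanctioned" means the
# tool is approved when used through the corporate tenant.
AI_HOSTS = {
    "chat.sanctioned-ai.example": "sanctioned",
    "app.summarize-ai.example": "unsanctioned",   # the analyst's browser tool
}
CORPORATE_ACCOUNT_DOMAIN = "corp.example"         # assumed corporate identity domain

# Constructed detectors for the kinds of content in the scenario above.
SENSITIVE_PATTERNS = {
    "deal_term": re.compile(r"\b(acquisition|merger|term sheet)\b", re.I),
    "revenue_projection": re.compile(
        r"\b(FY\d{2}|Q[1-4])\b.*\$\s?\d[\d,.]*\s?(M|B|million|billion)\b", re.I),
    "codename": re.compile(r"\bProject\s+[A-Z][a-z]+\b"),
}


@dataclass
class Event:
    process: str   # e.g. "chrome.exe"
    host: str      # destination host the browser or app is talking to
    account: str   # signed-in account for that tool
    text: str      # content about to be submitted (prompt, paste, upload)
    network: str   # "corp" or "home"; recorded for context, never used for the verdict


def sensitive_hits(text):
    """Names of the sensitive-content patterns that match, sorted for stable output."""
    return sorted(name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(text))


def evaluate(ev):
    """Return (verdict, reasons); verdict is 'allow', 'log' or 'alert'."""
    status = AI_HOSTS.get(ev.host)
    if status is None:
        return "allow", ["not an AI tool host"]
    reasons = []
    hits = sensitive_hits(ev.text)
    personal = not ev.account.lower().endswith("@" + CORPORATE_ACCOUNT_DOMAIN)
    if status == "unsanctioned":
        reasons.append("unsanctioned AI tool")
    if personal:
        reasons.append("personal account, not corporate tenant")
    if hits:
        reasons.append("sensitive content: " + ", ".join(hits))
    # Sensitive data heading to a tool or tenant the organization does not control.
    if hits and (status == "unsanctioned" or personal):
        return "alert", reasons
    # Anything else involving an AI tool is worth a record, even when allowed.
    if hits or status == "unsanctioned" or personal:
        return "log", reasons
    return "allow", ["sanctioned tool, corporate tenant"]


DRAFT = ("Q3 earnings draft: revenue projection FY25 $1.2B; "
         "pending acquisition of Project Falcon, not yet announced.")

# Constructed events covering the cases discussed above.
SAMPLE_EVENTS = {
    "analyst_home_unsanctioned": Event("chrome.exe", "app.summarize-ai.example",
                                       "jane@gmail.example", DRAFT, "home"),
    "same_draft_corporate_tenant": Event("chrome.exe", "chat.sanctioned-ai.example",
                                         "jane@corp.example", DRAFT, "corp"),
    "sanctioned_tool_personal_account": Event("chrome.exe", "chat.sanctioned-ai.example",
                                              "jane@gmail.example", DRAFT, "corp"),
    "unsanctioned_tool_harmless": Event("chrome.exe", "app.summarize-ai.example",
                                        "jane@gmail.example", "Rewrite this email politely.", "home"),
    "not_an_ai_tool": Event("outlook.exe", "mail.corp.example",
                            "jane@corp.example", DRAFT, "corp"),
}


def run_all():
    """Evaluate every sample event; returns {name: verdict}."""
    return {name: evaluate(ev)[0] for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        verdict, reasons = evaluate(ev)
        print(f"{name:36} {verdict:6} {'; '.join(reasons)}")
```

Note what the verdicts do and do not depend on: the analyst's home-network session and the identical draft sent through the corporate tenant differ only in destination and account, and the decision follows from those two facts plus the content. Swapping the network field on any event changes nothing, which is exactly what a control placed on the endpoint rather than on the path buys you. In a real deployment the pattern list would be replaced by the organization's own classifiers and the host inventory by a maintained catalog, but the decision structure is the same.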
That shift matters because it changes the question from "did our policy work?" to "what actually happened?" For a CISO, those are very different questions. The first one has a 51-point gap in the answer. The second one doesn't require alignment at all — it requires instrumentation.
InnerActiv is built for the second question. Our platform delivers endpoint-native visibility into AI tool activity across your environment — covering sanctioned deployments, shadow AI, and everything in between, without proxy dependencies or pre-configured extensions. When sensitive data moves toward an AI tool it shouldn't reach, you see it in time to act. Not in the post-incident report. Not in the audit finding. Before it's someone else's data problem.
Your employees don't have to mean any harm for your data to be at risk. Your security stack should be built around that reality.