A U.S. bank has disclosed a security lapse in which customer data was shared with an unauthorised artificial intelligence application, raising fresh concerns about the risks of employees using unsanctioned software tools in regulated industries.
A U.S. bank has come forward with a data security disclosure after it was found that customer information had been transmitted to an unauthorised AI software application, according to a report by TechCrunch published on 12 May 2026.
The bank attributed the incident to an employee or employees using an AI tool that had not been approved by the institution's technology or compliance teams — a practice commonly known as 'shadow IT.' The institution did not immediately clarify how many customers were affected, what type of data was involved, or which AI application was responsible.
Shadow IT in the Age of Generative AI
The incident reflects a growing challenge facing banks and other regulated industries as consumer-facing AI tools become increasingly powerful and accessible. Employees frequently turn to third-party AI applications to boost productivity, often without formal approval from their employers' IT or legal departments.
Financial institutions are subject to strict data privacy and security regulations, including rules enforced by the Federal Financial Institutions Examination Council (FFIEC) and, depending on the institution's size and structure, oversight from the Office of the Comptroller of the Currency (OCC) or the Federal Reserve. Sharing customer financial data with an external platform without proper data-handling agreements in place may constitute a regulatory breach, in addition to any reputational harm.
Cybersecurity experts have long warned that the rapid proliferation of generative AI tools — many of which process and potentially retain user-submitted data — creates significant risk when used without organisational controls. Data entered into some AI platforms may be used to train future models or stored on servers outside a company's control.
Disclosure Without Full Detail
The bank's disclosure, while notable for its candour, was sparse on specifics. It is not yet clear whether the data exposure resulted in any misuse of customer information, whether regulators have been formally notified, or what remediation steps have been taken beyond identifying the unauthorised app.
Banks in the United States are generally required to notify affected customers and relevant regulators within specific timeframes following a data breach or security incident, depending on applicable state and federal law.
The incident is likely to intensify scrutiny on how financial institutions manage employee use of AI tools, and may prompt calls for clearer industry-wide guidance on permissible software use.
Analysis
Why This Matters
- Regulatory exposure: Banks operating under federal and state financial regulations face serious consequences for mishandling customer data, including fines, mandatory audits, and reputational damage that can erode customer trust.
- A widening problem: This disclosure is unlikely to be an isolated case — security researchers and compliance professionals widely believe shadow AI use is pervasive across corporate environments, with most incidents going unreported.
- Policy pressure: The incident may accelerate demands from regulators and lawmakers for formal AI governance frameworks specifically tailored to financial services.
Background
The rise of generative AI tools such as ChatGPT, Google Gemini, and numerous specialised productivity apps has fundamentally changed how employees interact with technology at work. Since late 2022, these tools have moved from niche curiosity to mainstream workplace utility at remarkable speed.
However, most major AI platforms are built around a model where user-submitted data may be processed on external servers, and in some cases retained for model improvement. This directly conflicts with the data-handling obligations of banks, healthcare providers, and other regulated entities, which are required to maintain strict control over where and how customer data is stored and processed.
Regulators in the U.S. and globally have begun issuing guidance on AI use in financial services, but comprehensive, binding rules remain a work in progress. In the interim, individual institutions have been left to set their own internal policies — with enforcement varying widely.
Key Perspectives
The Bank: By disclosing the incident, the institution demonstrates some commitment to transparency, though the limited detail in its statement leaves open questions about the full scope of harm and what systemic failures allowed the breach to occur.
Customers: Individuals whose data was shared with an external AI platform have a legitimate interest in knowing what information was involved, how it may have been used, and what risks — if any — they now face. Sparse disclosures make informed decision-making difficult.
Critics and Regulators: Consumer advocates and cybersecurity professionals are likely to argue that the incident exposes the inadequacy of self-regulation in this space, and that binding rules governing AI use in financial institutions are overdue. The incident may become a reference point in ongoing regulatory debates.
What to Watch
- Regulatory response: Whether the OCC, FFIEC, or state-level regulators formally investigate the bank or issue new guidance in response to the disclosure.
- Full scope of the breach: Additional details about the number of customers affected, the nature of the data shared, and which AI application was involved — information that may emerge through regulatory filings or litigation.
- Industry-wide policy shifts: Whether other financial institutions accelerate the rollout of formal AI governance policies or employee training programmes in response to this disclosure.