
Recent Headlines



Shadow AI Just Made SEC History

A Wake-Up Call for Every Organization

Community Bank (subsidiary of CB Financial Services, Inc.) just filed what experts are calling the first material cybersecurity 8-K triggered by unauthorized employee use of an AI tool.

Not a breach, not ransomware, not a sophisticated external attack.

Just an employee using unauthorized AI.

What Happened

On May 5, 2026, the bank discovered that non-public customer information had been processed through an unauthorized artificial intelligence-based software application. Among the data involved: customer names, Social Security numbers, and dates of birth—a full identity-theft starter kit.

Key facts from the SEC filing (Item 1.05, filed May 11, 2026):

  • No external breach.

  • No ransomware or disruption to operations, customer access, payment systems, or core IT infrastructure.

  • The company promptly secured the information, launched an internal investigation with external advisors, notified affected customers and regulators, and is strengthening controls.

  • Despite no expected material financial impact on operations, the volume and sensitive nature of the data made it material under SEC rules.

Why This Matters

This isn’t just another data incident—it’s a textbook Shadow AI case. Employees, trying to get work done faster, bypassed approved tools and fed sensitive customer data into an unsanctioned AI application. The bank treated it with the seriousness it deserved and disclosed it publicly.

“The bank treated it as material even without operational disruption due to the sensitivity and volume of the data. They launched a full investigation, notified customers and regulators, strengthened controls, and faced the inevitable costs and publicity hit. This opens the door to broader risks: HIPAA, GLBA, GDPR, privilege loss, insurance notifications, class actions, and more.”

This precedent shows that materiality can be driven purely by data sensitivity, even without confirmed misuse or operational harm. It’s a stark reminder that Shadow AI risks are real, immediate, and regulatory.

The Broader Shadow AI Threat

  • Employees are increasingly turning to consumer AI tools (ChatGPT, Gemini, etc.) for productivity gains.

  • Without proper governance, data flows out of your controlled environment into third-party models—often with terms of service your legal team never reviewed.

  • Regulators and boards are taking note. This filing underscores that AI governance must be integrated into cybersecurity and enterprise risk management programs.

Financial institutions face layered exposure under GLBA Safeguards, state breach laws, and banking guidance. Public companies now have a clear example of how quickly the SEC’s four-business-day disclosure clock can start ticking after a materiality determination.

How Sting Helps Prevent This

Our solution is designed precisely for these emerging risks. We help organizations:

  • Detect and block unauthorized AI tool usage.

  • Enforce data classification and prevent sensitive information from leaving approved environments.

  • Provide visibility, controls, and training to close the gap between policy and employee behavior.

Don’t wait for your own SEC filing or regulatory scrutiny. The era in which “it’s just employees trying to work faster” ends in a material disclosure is here.

Action Steps for Leaders:

  1. Inventory AI usage across your organization (authorized and shadow).

  2. Update acceptable use policies with clear AI guidelines.

  3. Deploy technical controls like DLP tailored for AI endpoints.

  4. Integrate Shadow AI scenarios into incident response plans and tabletop exercises.

  5. Evaluate governance maturity—most organizations are still in early stages.

Read the full 8-K filing here: SEC EDGAR

Stay ahead of Shadow AI. If you’re concerned about similar risks in your environment, reach out to our team and we’ll help you assess and strengthen your defenses.


The EU AI Act Deadline Is Approaching

What Procurement and IT Leaders Need to Know

With the key compliance date of August 2, 2026 now just around the corner, the EU Artificial Intelligence Act (EU AI Act) is transitioning from preparation to enforcement for many organizations.

This landmark regulation — the first comprehensive AI law by a major jurisdiction — introduces a risk-based framework designed to ensure AI systems are safe, transparent, and respectful of fundamental rights.

The Act categorizes AI applications into four levels:

  • Unacceptable Risk (Prohibited): Systems using manipulative or deceptive techniques, exploiting vulnerabilities (e.g., based on age or disability), social scoring, untargeted scraping for facial recognition databases, emotion recognition in workplaces or education (with limited exceptions), and certain real-time remote biometric identification by law enforcement.

  • High Risk: The bulk of regulated systems. These include AI used in:

    • Recruitment, promotion, and worker evaluation.

    • Education and vocational training (admissions, assessment).

    • Access to essential services (credit scoring, benefits allocation, insurance).

    • Critical infrastructure, law enforcement, migration/border control, and biometrics.

    Providers must implement a full compliance lifecycle: risk management system, high-quality data governance, technical documentation, logging/record-keeping, instructions for users, human oversight, accuracy/robustness/cybersecurity measures, and a quality management system. Many require conformity assessments.

  • Limited Risk: Primarily transparency obligations - users must be informed when interacting with AI (e.g., chatbots) or when content is AI-generated (deepfakes).

  • Minimal Risk: Largely unregulated (e.g., many consumer AI tools like spam filters or video game enhancements).

General-Purpose AI (GPAI) Models

Separate rules apply to foundation models such as large language models. Providers must supply technical documentation and instructions for use, comply with copyright rules (including publishing summaries of training data), and, for models posing systemic risks, conduct evaluations, adversarial testing, incident reporting, and cybersecurity protections.

Timeline Highlights

  • Already in force (phased earlier dates): Prohibitions, AI literacy requirements, and GPAI obligations.

  • August 2, 2026: Majority of rules apply, including most high-risk obligations and enforcement start.

  • Later dates (2027+) cover certain embedded systems and legacy GPAI models. Note that some delays or adjustments for high-risk enforcement have been discussed, but core preparation remains urgent.

Implications for Procurement and IT Contracts

For buyers and negotiators, the Act heightens the importance of vendor due diligence. Key actions include:

  • Reviewing contracts for AI compliance warranties, data governance, and audit rights.

  • Assessing Shadow AI risks in your organization.

  • Incorporating model contractual clauses or specific obligations for high-risk systems.

  • Building AI literacy across teams.

The EU AI Act is poised to set a global benchmark, influencing how organizations worldwide develop, procure, and deploy AI responsibly. Organizations that act now will be best positioned to turn compliance into a competitive advantage.

Sources and further reading: Official EU resources and analyses from artificialintelligenceact.eu.


The 2026 Canvas Data Breach

Lessons for Universities on Preventing the Next Shadow IT Disaster

In late April and early May 2026, one of the largest education-sector breaches in history hit Canvas, the widely used Learning Management System (LMS) from Instructure. 

A ransomware group known as ShinyHunters exploited vulnerabilities, causing widespread outages during finals season and stealing massive amounts of sensitive data - reportedly up to 3.65 terabytes affecting approximately 275 million users across nearly 9,000 institutions worldwide.

Exposed data included:

  • Student Names

  • Email Addresses

  • Student IDs

  • Billions of private messages between students and faculty

The attack disrupted coursework access for millions and highlighted how even established, “secure” vendor platforms can become major liability points.

The Real Impact on Universities

  • Phishing and identity theft targeting students/faculty using stolen credentials and personal info.

  • Regulatory and compliance headaches (FERPA, GDPR, state privacy laws).

  • Reputational damage and potential legal/financial obligations for institutions.

  • Heightened exposure to follow-on attacks leveraging the leaked data.

This incident is a textbook example of how third-party tools can introduce Shadow IT risks when users adopt them without full oversight.

3 Practical Steps Universities Can Take to Protect Themselves

Three targeted actions that directly address the gaps exposed by the Canvas breach and align with modern, proactive security strategies:

  • Implement Real-Time Shadow IT & Shadow AI Discovery and Blocking: Traditional security tools only alert you after a breach or risky action has occurred. Deploy solutions that intercept risky tool adoption at the exact moment of intent - when an employee or student tries to sign up for a new app, upload data to an unapproved AI chatbot, or share sensitive information. This prevents unauthorized tools from creating legal, financial, or compliance obligations before they ever connect to your network.

  • Enforce Strict App and AI Usage Policies with Automated Controls: Create and actively enforce clear policies around sanctioned vs. unsanctioned tools. Use technology that automatically detects and blocks attempts to use high-risk services (including AI tools that could leak student data). Regularly audit for Shadow IT usage across departments — especially in procurement, IT, and academic units that often adopt tools independently.

  • Adopt On-Premises or Zero-Trust Prevention Layers for Critical Data Flows: Reduce reliance on external vendors by layering in secure, on-premises controls for monitoring and preventing data exfiltration. Focus on “pre-obligation” protection: catching risky actions (e.g., entering institutional credentials into new platforms or sharing data with unvetted AI) in real time rather than reacting after the fact. Combine this with ongoing vendor risk assessments and employee training on the dangers of convenience-driven tool adoption.
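The "DLP tailored for AI endpoints" step in the Community Bank action list and the real-time discovery and blocking step above both come down to one egress decision: is this request going to a sanctioned AI host, and does its body carry the kind of data the bank incident exposed? The following is an added illustration, not Sting's product code or any vendor's; the hostnames, the allowlist and the sample records are all constructed, and the SSN and date-of-birth patterns are simple US-format regexes rather than a full classifier.

```python
import re
from dataclasses import dataclass, field

# Constructed for this example: placeholder hostnames, not real services.
SANCTIONED_AI_HOSTS = {"ai.internal.example"}                             # approved by the org
KNOWN_AI_HOSTS = {"chat.consumer-ai.example", "assist.other-ai.example"}  # consumer AI tools

# Data elements the bank incident exposed: SSNs and dates of birth (US formats).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
DOB_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")


@dataclass
class Decision:
    user: str
    host: str
    action: str                        # "allow", "alert" or "block"
    reasons: list = field(default_factory=list)


def classify_request(user: str, host: str, body: str) -> Decision:
    """Egress policy for one outbound request body.

    sanctioned AI host            -> allow (the approved path for this data)
    unsanctioned AI host + PII    -> block (the Community Bank scenario)
    unsanctioned AI host, no PII  -> alert (shadow AI discovery: the tool is in use)
    any other host + PII          -> alert (ordinary DLP finding)
    """
    reasons = []
    if n := len(SSN_RE.findall(body)):
        reasons.append(f"ssn:{n}")
    if n := len(DOB_RE.findall(body)):
        reasons.append(f"dob:{n}")
    if host in SANCTIONED_AI_HOSTS:
        return Decision(user, host, "allow", reasons)
    if host in KNOWN_AI_HOSTS:
        return Decision(user, host, "block" if reasons else "alert",
                        reasons or ["unsanctioned-ai-host"])
    return Decision(user, host, "alert" if reasons else "allow", reasons)


def evaluate(records):
    """Run the policy over (user, host, body) records, e.g. taken from a proxy or DLP log."""
    return [classify_request(u, h, b) for u, h, b in records]


# Constructed sample records standing in for proxy log entries.
SAMPLE_RECORDS = [
    ("alice", "chat.consumer-ai.example", "Summarize: Jane Roe, SSN 123-45-6789, DOB 04/12/1985"),
    ("bob", "chat.consumer-ai.example", "Rewrite this paragraph to sound more formal."),
    ("carol", "ai.internal.example", "Check loan file: SSN 234-56-7890"),
    ("dave", "docs.vendor.example", "Quarterly numbers attached."),
]

if __name__ == "__main__":
    for d in evaluate(SAMPLE_RECORDS):
        print(f"{d.action:5} {d.user:6} {d.host:26} {d.reasons}")
```

The "alert" outcome for an unsanctioned AI host with no sensitive data is what feeds the AI usage inventory in step 1 of the action list; the "block" outcome is the pre-obligation control the Canvas steps describe.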