What cyber security topics do Mark Hayward's books cover?

Mark Hayward's 130+ books cover a wide range of cyber security topics including Identity & Access Management (IAM), Incident Response, Wireless Security, IoT Security, OSINT, Governance & Policy, SOC2 Certification, PCI DSS compliance, the Cyber Assessment Framework, and AI standards like ISO 42001.

What formats are the cyber security books available in?

All books are available on Amazon in Kindle eBook format (with many on Kindle Unlimited), paperback, and hardcover editions. Digital versions offer instant download, while physical copies ship worldwide through Amazon.

Are these books suitable for beginners in cyber security?

Yes! The collection includes books for all skill levels. 'Cyber Security for Beginners' is the recommended starting point. From there, readers can progress through intermediate and advanced titles covering specialised topics like ethical hacking, threat detection, and enterprise security.

Mark Hayward is a UK-based cyber security expert with over 23 years of experience and a veteran of the UK Armed Forces. He has served both independently and within prominent organisations, providing cyber security services to local and central government departments. He is the author of 130+ published books on cyber security.

Can I purchase these books outside the United States?

Absolutely. All books are available worldwide through Amazon. Kindle eBooks can be downloaded instantly from any country, and physical copies (paperback and hardcover) ship globally through Amazon's international delivery network.

What is Shadow AI? | Mark Hayward Cyber Security Blog

## The AI Your Security Team Does Not Know About

You have almost certainly heard of Shadow IT — employees using personal devices, unapproved software, or cloud storage services like personal Google Drive for work purposes. Security teams have spent years trying to get this under control.

Now there is a new and significantly more complex version of the same problem: Shadow AI.

---

## What Is Shadow AI?

Shadow AI refers to the use of artificial intelligence tools, platforms, and models within an organisation without the knowledge, approval, or oversight of IT or security teams.

In practical terms, this means employees using tools like ChatGPT, Claude, Gemini, Copilot (non-enterprise versions), AI coding assistants, AI writing tools, AI image generators, and countless other AI-powered services — for work tasks — without going through any procurement, security review, or data governance process.

It is happening everywhere, at every level of organisations, right now.

---

## Why Is Shadow AI a Security Risk?

### 1. Data Exfiltration Through Prompts

When an employee pastes a confidential client contract into ChatGPT to get a summary, or feeds internal financial data into an AI tool to produce a report, that data leaves the organisation. Depending on the tool's terms of service and data retention policies, that information may be stored, used to train future models, or accessible to the tool provider.

Most employees have no idea this is happening. They see a helpful tool. They do not see a potential data leak.

### 2. No Visibility, No Control

Security teams cannot protect what they cannot see. Shadow AI creates blind spots in your data governance and data loss prevention (DLP) controls. Traditional DLP tools were not designed to intercept AI prompt submissions, and most are not yet capable of it.

### 3. Compliance Violations

Regulated industries — financial services, healthcare, legal, government — operate under strict data handling rules. GDPR, for example, governs where personal data can be processed and how it can be used. Sending personal data to an AI model hosted in a different jurisdiction, without a legal basis for that transfer, is a potential GDPR violation — regardless of whether the employee intended to cause harm.

### 4. Intellectual Property Exposure

Trade secrets, product roadmaps, source code, merger discussions — these are the kinds of assets that have appeared in AI prompts. In some cases, AI tool providers have confirmed that submitted data may be used to improve their models. Your competitive advantage could quietly become training data.

### 5. AI-Generated Misinformation in Business Processes

Shadow AI creates a second risk layer beyond data exposure: employees making decisions based on AI-generated outputs that have not been validated, reviewed, or fact-checked. Incorrect AI outputs embedded in official documents, reports, or decisions without any oversight can lead to significant operational or legal consequences.

---

## How Widespread Is It?

Research consistently shows that the majority of employees who use AI tools at work do so without IT authorisation. In a 2025 survey by Microsoft, 78% of AI users admitted to bringing their own AI tools to work. A separate study found that over half of all employees had pasted work-related data into a public AI model in the previous three months.

The scale of Shadow AI is not a fringe problem. It is the norm.

---

## Why Is It So Difficult to Stop?

Several factors make Shadow AI particularly challenging to control:

**The tools are free and accessible.** Anyone can create a free account with a major AI provider and start using it within minutes.

**The benefits are real and immediate.** Employees using AI tools are often genuinely more productive. That creates internal resistance to restrictions.

**Management may be using them too.** Shadow AI is not confined to junior staff. Senior leaders, consultants, and executives are often among the heaviest users of unsanctioned AI tools.

**The landscape changes too fast.** New AI tools emerge weekly. A policy written today may not account for tools that exist in six months.

---

## What Can Organisations Do?

### 1. Acknowledge the Reality

The first step is accepting that Shadow AI is already happening inside your organisation. Attempting to ban AI entirely is both impractical and counterproductive. Employees will find ways around blanket bans and will simply become less transparent about their usage.

### 2. Create a Clear AI Acceptable Use Policy

Develop and communicate a clear policy that defines:

- Which AI tools are approved for work use

- What categories of data may and may not be shared with AI tools

- What the process is for requesting approval of a new AI tool

- What the consequences are for policy violations

### 3. Deploy Approved Alternatives

The most effective way to reduce Shadow AI is to provide employees with approved, enterprise-grade AI tools that offer the data protections they need. Microsoft 365 Copilot, Google Workspace's AI features, and enterprise tiers of major AI providers typically include contractual data protections, regional data processing, and admin controls that consumer versions do not.

### 4. Extend DLP Controls

Work with your security vendor to extend data loss prevention capabilities to cover AI tool usage where possible. Browser-based DLP controls can block or alert on data being submitted to known AI tool domains.

### 5. Train Staff on AI Data Risks

Awareness training specific to AI is now essential. Employees need to understand, in plain terms, the risks of sharing sensitive data with AI tools — not because AI is inherently dangerous, but because without the right controls, the data leaves your control.

### 6. Build an AI Governance Framework

Align your AI governance with emerging standards. The EU AI Act, ISO 42001 (the international standard for AI management systems), and NIST's AI Risk Management Framework all provide structured approaches to governing AI use across an organisation.

---

## Shadow AI and Agentic AI: The Next Wave

As AI systems become more autonomous — capable of taking actions on your behalf, accessing systems, sending emails, making bookings — the risks of uncontrolled AI use escalate significantly. An employee granting an unapproved agentic AI tool access to their email, calendar, or internal systems creates an attack surface that traditional security controls were never designed to handle.

Shadow AI today is primarily a data governance risk. Shadow agentic AI tomorrow could be a full system compromise risk.

---

## The Bottom Line

Shadow AI is not a future risk. It is a present one. Every day your organisation does not have a clear AI governance policy in place is another day employees are making their own decisions about where your data goes — with the best of intentions and no awareness of the risks.

The answer is not to fear AI or ban it wholesale. The answer is to govern it — quickly, clearly, and pragmatically. Build the guardrails, provide the approved tools, and train your people. That is how you get the productivity benefits of AI without handing away your data, your compliance standing, or your security posture in the process.