OT/IT Cybersecurity | AI Tools & Shadow IT | IT Support for Manufacturers Salt Lake City
Introduction
An engineer pastes a section of a proprietary CAD specification into ChatGPT to get a faster summary. A purchasing coordinator uses an AI tool to draft a supplier response that includes contract terms. A quality manager uploads a process document to an AI platform to generate a checklist — without realizing the platform stores uploaded content for model training. None of them think they're doing anything wrong. They're trying to be more efficient. But across your organization, sensitive production data, proprietary manufacturing files, and confidential supplier information may be flowing into systems you have never reviewed, approved, or secured. This is shadow IT — and AI tools are the fastest-growing category.
The Numbers Behind the Risk
A joint study by CybSafe and the National Cybersecurity Alliance found that 38% of employees share confidential data with AI tools without approval from their employer. A BlackFog study found that 49% of employees use AI tools that have not been reviewed or approved by their organization.
For a manufacturer, confidential data includes production specifications, CAD files, supplier contracts, pricing data, and proprietary process documentation. When that information is pasted into a consumer AI tool, it may be stored, analyzed, or exposed in a future breach. Your NDAs with suppliers and customers do not protect you from what your employees share with an AI platform's servers.
AI Hallucinations in a Manufacturing Context
Beyond data exposure, AI tools introduce a second risk: they generate confident, plausible-sounding output that is sometimes factually wrong. In a manufacturing context, this is not a minor inconvenience:
- An AI-generated summary of a CAD file that mischaracterizes a specification could propagate into a production order.
- An AI-drafted supplier response that cites incorrect contract terms could create a legal or commercial dispute.
- An AI-generated process checklist with a missing or invented step could affect product quality or safety.
The AI presents these errors with the same confident tone it uses for accurate output. Without a human review step, errors enter your production workflow quietly.
Shadow IT Is Not a New Problem — But AI Makes It Bigger
Shadow IT refers to software and tools used within an organization without IT's knowledge or approval. In manufacturing, it has historically appeared as unauthorized cloud storage for design files, personal email used for supplier communication, or messaging apps used to share production data. AI tools are the newest and fastest-growing category — and they're harder to detect because they often run in a browser with no installation footprint.
The risk is compounded in manufacturing environments where IP theft is a real and well-documented threat. Proprietary process documentation, tooling specifications, and CAD files represent significant competitive value. Shadow AI use creates new channels through which that value can be inadvertently exposed.
A Practical Framework for Managing AI in Your Operation
Define What Cannot Be Fed Into AI
Start with a clear, simple policy: no proprietary production data, CAD files, process specifications, supplier contracts, or pricing information may be entered into any AI tool that has not been reviewed and approved by IT. This single rule addresses the most significant IP and confidentiality risk. General tasks — drafting internal communications, summarizing publicly available information, generating template language — can use approved AI tools freely.
AI Drafts, Your Operations Team Approves
Any AI-generated content that will be used in a production context, sent to a supplier or customer, or entered into your ERP or QMS should be reviewed by a qualified team member before use. Treat AI output the way you would treat a draft from a new employee: useful starting point, requires verification.
Inventory and Approve the Tools Your Team Is Actually Using
Ask your team — engineering, purchasing, operations, quality — what AI tools they currently use. The answer will likely include tools your IT team has never heard of. Then work with your IT provider to evaluate which tools are appropriate, what data can be used with them, and whether any create IP or confidentiality risks that require policy controls or vendor agreements.
Frequently Asked Questions
Q: If an employee uses AI on their personal device, does that create a risk for our manufacturing operation?
Yes, if they're entering work-related data. The device ownership does not change the data ownership or the risk. Proprietary specifications or process data entered into an AI tool on a personal phone creates the same exposure as on a work computer. Your AI use policy needs to cover data, not just devices.
Q: We don't have particularly sensitive IP. Is this still a risk for us?
Most manufacturers underestimate the value of their operational data to competitors or adversaries. Production process documentation, tooling parameters, supplier relationships, and pricing structures all have commercial value. Additionally, even if IP exposure is not the primary concern, the accuracy risk from AI hallucinations in production workflows is relevant to any manufacturer.
Q: What's the difference between approved AI tools and consumer AI tools?
Approved AI tools are those your IT team has reviewed for data handling practices, contractual terms, and security controls. Some enterprise AI platforms offer data processing agreements, do not use your data for model training, and maintain security certifications. Consumer tools — free tiers of major AI chatbots, for example — typically do not offer these protections. The distinction matters for both IP protection and compliance purposes.
Get Control of AI Before It Controls Your Risk Profile
We work with Salt Lake City manufacturers to protect production systems and reduce operational downtime. If you want to inventory the AI tools your team is using, build an AI use policy for your operation, or evaluate approved tools that meet your security requirements, let's talk.
