Shadow AI Lurks in Most German Corporate Networks as EU AI Act Training Requirements Go Unheeded

11.06.2026 - 06:07:43 | boerse-global.de

Study reveals 75% of German firms have unauthorized 'shadow AI'; executives face personal liability under EU AI Act and German corporate law.

Less than 1 in 4 German Firms Govern AI Access as EU AI Act Takes Effect
Fewer than one in four German companies control which artificial-intelligence systems access their core infrastructure, while more than three-quarters have discovered unauthorized "shadow AI" applications running inside their networks. The findings come from a Saviynt study of 100 IT security officers and land just as the EU AI Act begins to bite – and as executives face personal liability for non-compliance.

A Bitkom survey published this year showed that 43 percent of German firms still offer no AI training for employees, even though Article 4 of the EU AI Act has required them to foster AI competence since February 2025. Starting in August, national regulators will assume sweeping supervisory powers, and the law's general provisions become binding from August 2026. High-risk AI systems have until December 2027 to achieve full compliance.

The gap between awareness and action is stark. While 93 percent of surveyed security managers confirmed that AI tools already reach their organization's critical systems, only 25 percent govern that access through clear policies. Without discipline, experts warn, the legal exposure for directors and officers grows sharply. Under German corporate law, executives who violate their duty of legality face personal liability; directors-and-officers insurance typically does not cover deliberate breaches.

To help firms navigate the risk categories and produce audit-ready documentation, the IT services company q.beyond AG launched a dedicated compliance service on June 9. The pressure is being felt beyond AI: the Digital Operational Resilience Act (DORA), mandatory since January 2025, is driving banks and insurers to embed resilience permanently into operations. At a Vienna conference on June 10, TRICEPT AG demonstrated how its RIMAGO governance platform could turn DORA from a one-off project into a continuous process.

Other vendors are racing to fill compliance gaps. Validato provides automated background checks and sanctions-list monitoring tailored to financial supervisors in Germany, Austria, Switzerland and Luxembourg, as well as DORA and the anti-money-laundering directive AMLD6. For classic quality and security certifications, DICIS AG reports that digital assistants cut time and cost by more than 80 percent for ISO 9001 and ISO 27001; the company says it has already guided over 400 clients through the process. Meanwhile, GreenDot and osapiens are building an integrated platform to handle the EU Packaging and Packaging Waste Regulation (PPWR) by replacing manual supplier data collection with AI-driven workflows.

Cybersecurity remains a parallel headache. The NIS2 directive requires firms to conduct regular impact analyses that weigh industry, size and criticality, to establish reporting points with Germany's Federal Office for Information Security (BSI), and to secure supply chains. The auditing standard IDW S 16 further demands systematic quantification of risks.

Without robust identity and access controls, experts say, the growing web of regulations will trap unwary executives. The Saviynt data underscores the problem: 76 percent of companies have discovered shadow AI on their networks. The call from compliance specialists is for zero-trust principles applied to every digital identity – before the first supervisory fine arrives.