Over Half of British Employees Are Currently Using ‘Unapproved’ AI Tools at Work, KnowBe4 Research Finds

Despite the majority of organisations already using AI, 85% of British decision makers say ‘improvement is needed’ to ensure AI tools/agents operate within the organisation’s security policies and approved risk limits

LEEDS, England--(BUSINESS WIRE)--KnowBe4, the global leader in digital workforce security, securing both AI agents and humans, has today revealed the UK-specific findings of its latest research report: From Agentic Risk to Human Wins. The research found that UK organisations are increasingly concerned about employees using unapproved software and AI tools, with 58% of decision makers citing it as their top human-related cyber risk. The concern is well founded: 55% of employees admit to using unapproved tools, while 1 in 10 knowingly entered sensitive information into AI platforms despite understanding the risks.

The research features insights from 80 decision makers and 300 employees in the UK. Respondents represent organisations with 250 or more employees and span both private and public sectors among a wide range of industries such as information technology, healthcare, consumer services and others.

Confidence Deficit

Employees are consistently less confident in their ability to identify cyber threats than cyber decision makers think they are. The deficit is particularly pronounced for deepfake video or audio impersonation, which 81% of decision makers believe employees could identify, compared with only 66% of employees themselves.

Both decision makers and employees are most confident in their ability to spot phishing emails (98% of decision makers are confident that their employees could identify a phishing email, compared to 95% of employees themselves). In the UK, the human-related cyber risk indicator that organisations measure most frequently is phishing reporting rates (44%), which perhaps shows why phishing awareness is so prevalent among employees.

Traditional threats still cause concern for employees

In the UK, according to employees, the top cause of human-related cyber risk in their organisation is phishing or impersonation emails (56%). Only 40% of decision makers noted that this is a main cause, ranking third below sensitive data shared with AI tools (46%) and AI tools/agents taking actions without human oversight (43%).

Decision makers seem to be more concerned about emerging threats, like AI usage, yet only 16% of decision makers say they’re currently effective in managing the safe use of AI tools and AI agents.

AI Poses Growing Concern for British Decision Makers

Almost half (49%) of decision makers said that managing the safe use of AI tools and AI agents is one of their top concerns. In fact, 46% of decision makers said they have specific targets for improving the safe use of AI agents in day-to-day workflows over the next 12 months.

This is critical, as almost one in five (19%) of decision makers said that AI tools/AI agents take actions autonomously in multiple workflows with limited human oversight. Of those respondents who said their organisation uses AI tools/agents in workflows today, 85% say ‘improvement is needed’ to ensure AI tools/agents operate within the organisation’s security policies and approved risk limits.

High Workloads and Pressure Cause Cyber Risk

Another of the biggest perceived threats to British organisations in the next 12 months is high workloads and fatigue, with 38% of decision makers noting that high workloads or time pressures are likely to contribute to cyber-related mistakes made by employees. This rise in pressure coincides with rising expectations to embrace and use AI as a productivity tool.

Nearly half of employees (47%) acknowledged that time pressure or distraction can lead to security mistakes even when they know the safe action to take. Meanwhile, 93% of decision makers said that employees often know the right thing to do when facing cyber threats but may act differently under pressure. The findings suggest that security failures are less about knowledge gaps and more about behavioural responses under pressure, with the recognition that stress and distraction often override good security judgement.

Regulations and Organisational Guardrails

When it comes to existing regulations, 84% say that regulatory reporting requirements are the primary driver of how quickly cybersecurity incidents are escalated and reported within their organisation. Additionally, 85% of decision makers say that the Cyber Security and Resilience Bill will play a significant role in how they manage human-related cyber risk. This is highlighted by the fact that 39% of decision makers say that risks from third-party organisations/suppliers are one of the biggest drivers of human-related cyber risk within their organisation. The supply chain is one of the biggest focuses of the upcoming bill.

“Undeniably, AI tools and agents are reshaping the workplace, but organisations can’t afford to overlook the human element of cybersecurity,” said Javvad Malik, lead CISO advisor at KnowBe4. “Our research shows that while UK businesses are embracing AI to drive productivity, many employees are still under pressure, using unapproved tools and regularly facing (and fearing) sophisticated threats such as deepfakes and phishing. Building a strong security culture, especially one that prioritises education, behavioural support and safe AI adoption, will be critical to reducing human-related cyber risk in the years ahead.”

The Global report can be found here and the UK insights here.

About KnowBe4

KnowBe4 empowers the modern workforce to make smarter security decisions every day. Trusted by more than 70,000 organizations worldwide, KnowBe4 is the pioneer of digital workforce security, securing both AI agents and humans. The KnowBe4 Platform provides attack simulation and training, collaboration security, and agent security powered by AIDA (Artificial Intelligence Defense Agents) and a proprietary Risk Score. The platform leverages 15 years of behavioral data to combat advanced threats including social engineering, prompt injection, and shadow AI. By securing humans and agents, KnowBe4 leads the industry in workforce trust and defense. More info at knowbe4.com.

Follow KnowBe4 on LinkedIn and X.

Contacts

Ellie Williams, PR Manager EMEA | pr@knowbe4.com
