Community Bank: Customer Data Exposed to Unauthorized Shadow AI Tool Used by Employee
A federal cybersecurity disclosure shows what governance looks like when the AI inside the firewall is invisible to the people accountable for it.
A regional bank in Pennsylvania disclosed to its shareholders, through a filing with the Securities and Exchange Commission, that one of the bank’s employees used an unauthorized AI tool to access non-public customer information, including names, dates of birth, and Social Security numbers. Community Bank disclosed the incident on Form 8-K, filed on May 11 through its holding company, CB Financial Services Inc. The filing, made under the SEC’s Item 1.05 rule for material cybersecurity incidents, said the bank deemed the incident material “due to the volume and sensitive nature of the non-public information at issue.”
The bank has not disclosed which unauthorized AI tool was involved or how that tool came to access non-public customer information, saying only that an investigation is ongoing. The incident is likely to be investigated by state and federal bank regulators, and at least one class-action lawsuit has been threatened.
Item 1.05 is a requirement imposed by the SEC’s 2023 Final Rule on “Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure.” It requires public companies to file a Form 8-K disclosing a material cybersecurity incident within four business days of the date on which the registrant determines that the incident is material. The disclosure stated that the bank became aware of the incident on May 5, 2026, and determined it was material on May 7, 2026.
The real risks of Shadow AI
The incident is part of a growing trend in which enterprises are learning that their employees are using AI tools that have not been vetted or approved by the organization. A shadow AI tool typically inherits the access permissions of the employee who set it up, so it can reach every internal database that employee can reach. Sometimes it accumulates even broader access as it operates across the network, including access to databases containing trade secrets, sensitive financial data, IP, and, as in the case of Community Bank, sensitive personal information of customers.
On May 5, I presented to the National Association of Corporate Directors on What Boards of Directors Are Actually Asking About AI Risk. Shadow AI was a top cybersecurity and privacy concern for those corporate directors, and the reason was visibility. Without visibility into the AI tools and agents on their enterprise networks and clouds, they are unable to exert governance (as apparently happened at Community Bank). I took a poll of the board member audience, and the AI visibility gap was clear: 70% of attendees had an AI policy in place, but 67% were not performing AI discovery, and 74% were not maintaining a manifest of AI usage across their organization. Policy without visibility is not governance. It is paperwork.
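As an added illustration (not from the article, and not describing anything Community Bank or its regulators did), the following Python script shows the kind of AI discovery the poll asked about: it scans egress proxy logs for destinations that belong to generative-AI services, builds a per-user manifest of which tools are in use, and flags tools outside the approved list, using outbound byte volume as a rough indicator of how much data is leaving. The log format, the sample log lines, the host-to-tool mapping and the approved-tool list are all constructed for the example; a real deployment would feed it from the proxy or CASB export and would have to maintain the host list as vendors change domains.

```python
"""Added example: minimal shadow-AI discovery over egress proxy logs.

Everything here (log format, sample lines, host list, approved list) is
constructed for illustration and is not taken from the article or from any
organisation's real data.
"""

from dataclasses import dataclass

# Constructed: destination hosts that indicate use of a generative-AI service.
# A real list must be maintained; vendors add and rename endpoints.
AI_HOSTS = {
    "api.openai.com": "OpenAI API",
    "chatgpt.com": "ChatGPT (web)",
    "claude.ai": "Claude (web)",
    "api.anthropic.com": "Anthropic API",
    "gemini.google.com": "Gemini (web)",
    "generativelanguage.googleapis.com": "Gemini API",
    "copilot.microsoft.com": "Microsoft Copilot",
}

# Constructed: the tools this (hypothetical) organisation has vetted and approved.
APPROVED_TOOLS = {"Microsoft Copilot"}

# Constructed sample proxy log, one request per line:
# <timestamp> <user> <dest_host> <method> <bytes_out>
SAMPLE_LOG = """\
2026-05-04T09:12:01Z jsmith copilot.microsoft.com POST 2048
2026-05-04T09:15:44Z jsmith copilot.microsoft.com POST 1100
2026-05-04T10:02:13Z mlee api.openai.com POST 4500000
2026-05-04T10:05:51Z mlee api.openai.com POST 3900000
2026-05-04T10:30:00Z mlee cdn.example.net GET 512
2026-05-04T11:47:09Z rpatel claude.ai POST 62000
2026-05-04T12:01:17Z rpatel www.example.com GET 900
"""


@dataclass
class ToolUsage:
    """One row of the AI-usage manifest: a (user, tool) pair and its activity."""
    tool: str
    user: str
    approved: bool
    requests: int = 0
    bytes_out: int = 0
    first_seen: str = ""
    last_seen: str = ""


def tool_for_host(host):
    """Map a destination host (or any subdomain of a listed host) to a tool name."""
    host = host.lower()
    if host in AI_HOSTS:
        return AI_HOSTS[host]
    for known, tool in AI_HOSTS.items():
        if host.endswith("." + known):
            return tool
    return None


def parse_line(line):
    """Parse one constructed log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    ts, user, host, method, bytes_out = parts
    return ts, user, host, method, int(bytes_out)


def build_ai_manifest(log_text):
    """Return {(user, tool): ToolUsage} for every AI destination in the log."""
    manifest = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, user, host, _method, nbytes = rec
        tool = tool_for_host(host)
        if tool is None:
            continue  # not an AI destination; ignore
        key = (user, tool)
        if key not in manifest:
            manifest[key] = ToolUsage(tool, user, tool in APPROVED_TOOLS, first_seen=ts)
        row = manifest[key]
        row.requests += 1
        row.bytes_out += nbytes
        row.last_seen = ts
    return manifest


def unapproved_usage(manifest, min_bytes_out=0):
    """Rows for tools outside APPROVED_TOOLS, largest outbound volume first.

    min_bytes_out lets a reviewer focus on users pushing significant data
    to an unvetted tool rather than on a single small prompt.
    """
    rows = [r for r in manifest.values()
            if not r.approved and r.bytes_out >= min_bytes_out]
    return sorted(rows, key=lambda r: -r.bytes_out)


if __name__ == "__main__":
    manifest = build_ai_manifest(SAMPLE_LOG)
    for row in manifest.values():
        status = "approved" if row.approved else "UNAPPROVED"
        print(f"{row.user:8} {row.tool:20} {status:10} "
              f"requests={row.requests} bytes_out={row.bytes_out}")
    for row in unapproved_usage(manifest, min_bytes_out=1_000_000):
        print(f"REVIEW: {row.user} sent {row.bytes_out} bytes to {row.tool} "
              f"between {row.first_seen} and {row.last_seen}")
```

The manifest is the artifact a board or regulator could actually be shown: which users talk to which AI services, whether each service was approved, and how much data went out. Two caveats a practitioner would add: host-based matching only sees traffic that crosses the proxy (a tool installed with direct egress, or an API key used from a cloud workload, never appears), and byte counts say nothing about what the data was, so a high-volume unapproved row is a lead for investigation, not a finding of customer data exposure.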
Banks and other organizations are learning just how much Shadow AI is within their firewalls — sometimes the hard way. Most organizations lack visibility not only into the shadow AI inside their walls, but into the activity and access of the AI tools they have formally approved. You cannot govern what you cannot see, and you cannot document what you never knew was running. The question this filing puts to every board and risk committee is straightforward. If a regulator asked tomorrow what AI is operating inside your organization, what data it can reach, and where that data goes, would you be able to answer?