
Cybersecurity in Brazil: why reacting is no longer enough in the era of Shadow AI

Written by Foursys | May 28, 2026 10:32:35 PM

October is International Cybersecurity Awareness Month. The date exists because the figures continue to demand attention, and those for 2024 and 2025 are particularly hard to ignore.

In the first quarter of 2024, Brazilian organizations recorded an increase of approximately 38% in cyberattacks compared to the previous year. In parallel, 73% of companies in the country have already been victims of ransomware, the type of attack that blocks systems, exposes confidential data and demands a ransom to release access. The average cost of a data breach in Brazil reached R$7.2 million in 2025, up 6.5% on the previous year. And 32% of managers interviewed in recent surveys reported breaches associated with the use of artificial intelligence without adequate control.

There is a paradox in this scenario. Brazil is the second country in the Americas in terms of cybersecurity maturity, according to a report by the International Telecommunications Union. But maturity in the ranking has not prevented the volume and sophistication of attacks from continuing to grow. Defenses advance. Attacks are moving faster.

The new risk from within: what is Shadow AI?

There is a lot of talk about external threats. The vector that increasingly worries experts, however, lies within the organizations themselves.

Shadow AI is the use of artificial intelligence tools by employees or business areas without approval, without supervision and outside of IT and security governance. It goes beyond traditional Shadow IT because the potential risk is proportionally greater: generative models processing sensitive data on third-party servers, prompts with strategic information feeding systems without auditing, and business decisions being made based on outputs that no security area has validated.

"If I, as CISO, am integrated into the use of AI but without having defined the limits, controls, governance and monitoring, I could be voluntarily or involuntarily creating tomorrow's attack within my own organization," warns Gabriel Loschi, CISO at Foursys.

The scenario is more common than it seems. Almost 75% of Brazilian companies say they plan to apply AI and machine learning to digital security. But planning controlled use and tolerating uncontrolled use are completely different things, and the latter is happening on a silent scale.

Three warnings for those leading security today

Visibility is not control. Having metrics showing an increase in attacks doesn't mean that the organization sees or blocks everything. It may just mean that noise is growing while part of the risk remains invisible. If Shadow AI governance is not structured, there is a surface of exposure that the dashboard simply doesn't show.

AI without guardrails becomes a vulnerability. Using artificial intelligence for defense is necessary. Not using it is already a risk. But putting AI into operation without data security, testing, privacy and compliance controls in place turns the tool into a vector for the next incident. A concrete example: a marketing team that uses generative tools without curation to develop campaigns could be exposing competitive differentials that a competitor accesses before launch.

Governance, culture and third parties are the points of greatest failure. The HLB 2024 report indicates that 37% of organizations have suffered breaches through third parties, and 20% are unsure about the level of security of their partners. In the context of Shadow AI, this external risk is amplified: AI platforms and services that have not undergone a corporate security assessment create loopholes that don't always show up in conventional audits.

What to do in practice: an objective guide for security managers

The transition from a reactive stance to a proactive approach requires concrete actions. Some of the most urgent:

  • Map the actual use of AI in the organization. This includes marketing, HR, sales, production and any area that may be using tools without formal IT approval. The inventory needs to exist before any policy.
  • Establish clear policies by data type and context. Sensitive data can only be processed in approved environments, with logs, auditing and a defined data owner. Generative models need environment segregation. Prompt injection and data output controls need to be in place.
  • Integrate AI into the operational security architecture. SIEM, XDR, logs and incident response need to talk to defensive AI tools. Treating AI only as a business project is a mistake that eventually has a cost.
  • Evaluate suppliers that offer or use AI. Privacy, data transfer, sovereignty and compliance risks need to be in the evaluation matrix for partners and suppliers.
  • Build a culture of AI awareness. Employees need to understand that using ChatGPT or any generative tool with corporate data without guidance is not modernization, it's active exposure.
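As an added example (not part of the original post), the script below starts the first step of the guide, mapping actual AI use, from proxy logs: it parses constructed sample log lines, ignores traffic to AI services the organization has approved, and aggregates unapproved generative-AI use by department, host, users and upload volume so it can feed an inventory or a SIEM rule. The log format, the host lists and the 100 kB large-upload threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the original post):
# timestamp user department destination_host bytes_out
SAMPLE_LOGS = """\
2025-10-01T09:12:03Z alice marketing api.openai.com 48211
2025-10-01T09:14:10Z alice marketing images.example-genai.test 1203
2025-10-01T09:20:44Z bob hr chat.example-llm.test 90310
2025-10-01T10:02:15Z carol engineering copilot.approved.test 2200
2025-10-01T10:07:59Z dave sales api.openai.com 150400
2025-10-01T10:30:00Z erin finance intranet.corp.test 300
"""

# Assumed classification lists (hypothetical values): hosts formally approved by
# security governance, and the wider set of known generative-AI services.
APPROVED_AI_HOSTS = {"copilot.approved.test"}
KNOWN_AI_HOSTS = {"api.openai.com", "chat.example-llm.test",
                  "images.example-genai.test"} | APPROVED_AI_HOSTS
LARGE_UPLOAD_BYTES = 100_000  # assumed threshold for "a lot of data left the network"

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, dept, host, bytes_out = m.groups()
    return {"ts": ts, "user": user, "dept": dept, "host": host, "bytes_out": int(bytes_out)}

def shadow_ai_inventory(log_text):
    """Aggregate traffic to unapproved generative-AI hosts, keyed by (department, host)."""
    inventory = defaultdict(lambda: {"requests": 0, "bytes_out": 0, "large_uploads": 0, "users": set()})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        # Skip unparseable lines, non-AI destinations and approved AI services.
        if rec is None or rec["host"] not in KNOWN_AI_HOSTS or rec["host"] in APPROVED_AI_HOSTS:
            continue
        entry = inventory[(rec["dept"], rec["host"])]
        entry["requests"] += 1
        entry["bytes_out"] += rec["bytes_out"]
        entry["large_uploads"] += int(rec["bytes_out"] >= LARGE_UPLOAD_BYTES)
        entry["users"].add(rec["user"])
    return dict(inventory)

if __name__ == "__main__":
    for (dept, host), e in sorted(shadow_ai_inventory(SAMPLE_LOGS).items()):
        print(f"{dept:12} {host:28} requests={e['requests']} bytes_out={e['bytes_out']} "
              f"large_uploads={e['large_uploads']} users={sorted(e['users'])}")
```

Hosts the organization has approved drop out of the report, so what remains is precisely the Shadow AI surface the dashboard does not show.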

The true indicator of maturity

Effective cybersecurity today is not only measured by the ability not to be attacked. Any sufficiently exposed organization will be targeted at some point. The relevant indicator is something else: the ability to recover quickly, with established governance and with learning incorporated into the process.

Brazil is advancing in security maturity. But it is advancing at a pace that does not yet match the sophistication of the threats. And the next big risk vector is probably already operating inside organizations, silently, in the form of an AI tool that nobody has approved.

This post was based on an opinion piece published on Crypto ID by Gabriel Loschi, CISO at Foursys, on the occasion of International Cybersecurity Awareness Month.