There is a particular kind of conversation happening in organisations right now that nobody quite wants to look at directly. It happens between a member of staff and a chatbot, late in the afternoon, when a deadline is closing in, and the policy guidance feels distant, and the AI feels helpful in a way that no colleague currently is. By the end of that conversation, customer data has crossed an organisational boundary that the person, on any reasonable reflection, would not have crossed. They did not mean to leak anything. They were just trying to get the work done.

This is the new behavioural attack surface, and we are catastrophically underprepared for it.

For two decades, the cybersecurity profession has built itself around the idea that the human is a vulnerability to be patched, monitored, or trained. We have grown comfortable with phishing simulations, awareness videos, and the annual training ritual. The vocabulary is familiar. The metrics are familiar. We know what good looks like, even if good is mostly a feeling rather than a measurement. Then, large language models fell into the hands of every employee with an internet connection, and the entire model of human cyber risk shifted beneath us in about 18 months.

What is genuinely novel here is not the data exposure. Data has always leaked. What is novel is the relational dynamic. Users form a working relationship with these systems in minutes, not weeks, and that relationship has properties that no security awareness programme has ever had to account for.

The Trust Compression Problem

When a new colleague joins a team, trust accrues slowly. There are calibration moments, small tests, and observations of competence and discretion. Over months, a person learns what to share, with whom, and in what register. The cognitive machinery for this is ancient and well-studied. We are extraordinarily good at it.

Generative AI compresses this entire process into a handful of exchanges. The system is fluent, patient, attentive, and produces output that meets the surface markers of expertise. Within a single working session, users are transferring trust to the system at a rate that no human relationship could sustain, and they are doing so without the social friction that would normally cause them to pause and consider what they are revealing.

This is not a failure of judgment. It is the ordinary operation of social cognition in an environment that was never built for it. The user is not being foolish. They are being human in front of a system that exploits surface-level trustworthiness cues without the underlying constraints.

Anchoring, Automation Bias, and the Quiet Failure Modes

Once that relational frame is established, several well-documented cognitive patterns take over and start doing damage in ways that are nearly invisible until something goes wrong.

Users anchor on early outputs. The first answer the system produces becomes the reference point against which all subsequent thinking is measured, even when that answer is wrong. The behavioural science literature on anchoring is thirty years old, but we have not previously had to think about it in the context of an information source that produces confident-sounding output continuously and on demand.

Automation bias compounds this. When a system presents a recommendation with no visible uncertainty, the cognitive load of disagreement falls on the user, and that load is rarely paid. The system becomes the default, and human judgment becomes the deviation that requires justification. Aviation safety researchers have known about this pattern since the 1990s. It applies just as cleanly to an analyst checking a draft against a chatbot's output as it does to a pilot checking a flight management system.

Then there is overdisclosure, which is the most behaviourally interesting of the lot. People tell chatbots things they would never tell a colleague. They paste in client names, internal financials, draft contracts, performance review text, and customer complaints with personal data still attached. Ask them why, and they will struggle to articulate it. The answer, when you dig into it, is that the chatbot does not feel like a social actor in the moments that matter. It feels like a tool. Tools do not gossip. Tools do not judge. The social inhibition that would normally prevent disclosure is not engaged because the system does not present as a recipient in the way a colleague does.

This is the crux of the behavioural attack surface. The user is operating with the wrong mental model of what they are speaking to, and that model is being reinforced every time the interaction goes well.

Shadow AI is a Compliance Problem in Disguise

Most organisational responses to this have started in the wrong place. The default approach has been to treat shadow AI as a data-loss prevention problem. Detect the egress. Block the domains. Flag the transfers. Generate the dashboard. This is technical work that organisations know how to do, and it produces metrics that boards know how to read.

It does not solve the actual problem.

Detecting the leak tells you that something has gone wrong. It does not tell you why the person made the choice they made, and without that, every intervention you build will be downstream of the behaviour you are trying to change. You will block one tool, and the user will find another. You will train them on policy, and the policy will not survive contact with the next deadline. You will issue an acceptable use document, and it will sit unread in the same intranet folder as every previous one.

Shadow AI is fundamentally a behavioural compliance problem. People are making choices, repeatedly and at scale, that are sensible within their immediate working context but damaging from the perspective of organisational risk. The interesting question is not how the leak happened. The interesting question is what the person was trying to accomplish, what alternatives they considered, what their perception of organisational sanction was, and what social and capability factors led them to the AI rather than to a sanctioned path.

This is the territory where COM-B becomes useful. Capability, opportunity, and motivation all sit upstream of the moment of disclosure, and they are all addressable if you understand them. The user reaches for the chatbot because they have the capability to use it, the opportunity is one click away, and their motivation is rooted in workload pressure that the organisation has not otherwise addressed. Block the tool, and you have removed the opportunity. The motivation and the capability gap remain. Both will route around your block within days.

Intervening Upstream

The work that matters is upstream of the behaviour. It looks something like this.

Understand the actual use cases driving shadow AI in your organisation in detail, from the users' perspective. Not what they tell you in a survey, but what they actually do at three o'clock on a Thursday afternoon when they are behind on a deliverable. The behavioural specifics matter. Generic interventions will not reach them.

Provide sanctioned alternatives that are at least as frictionless as the unsanctioned ones. Friction is not a security control. Friction is a redirection mechanism. If your sanctioned path is harder than the shadow path, users will choose the shadow path, and you will have lost before you started.

Recalibrate the trust model. Users need a working mental model of what these systems are, what they are not, and what disclosure to them actually entails. This is not awareness content. It is a conceptual recalibration, and it needs to be embedded in the moments where decisions get made, not in an annual training module that sits adjacent to those moments.

Build the social infrastructure that makes good behaviour visible. Security Champions networks, peer norms, and observable examples of how respected colleagues use AI well. The behavioural literature is clear that injunctive norms, what we ought to do, are weaker than descriptive norms, what people like us actually do. If the organisational descriptive norm is that everyone uses ChatGPT for everything and nobody talks about it, no policy will overcome that.

Measure what matters. Not the count of blocked transfers. The change in behavioural intention, the shift in perceived organisational sanction, and the movement in self-reported confidence about what is and is not appropriate. These are measurable. They are just not the measurements the security industry has built itself around.

The Reframe

The arrival of generative AI inside organisations has not created a new technical problem so much as it has revealed the limits of the technical framing that the security profession has been working within. The attack surface is now partly cognitive and partly relational, and neither domain responds well to the controls we have spent twenty years refining.

The interesting work is not detecting the leak. The interesting work is understanding why people made the choice they did, and intervening upstream so they don't have to make it again.

That requires a different kind of capability inside the security function. It requires people who can think behaviourally, who can run diagnostic work to understand actual usage patterns, and who can design interventions that operate at the level of motivation, capability, and opportunity rather than at the level of access controls. It requires security teams to take human behaviour as seriously as they take infrastructure.

The organisations that figure this out first will not be the ones with the best DLP. They will be the ones who understood that the new attack surface was always going to be the one they had been least equipped to defend, and who built the capability to defend it properly before the next class of system arrived.