While executive committees debate whether to adopt artificial intelligence, their teams have already adopted it without permission. 84% of companies face risks associated with unauthorized AI tools, according to figures presented this week in Bogotá. The technical name is Shadow AI, and it reorders the conversation: the question is no longer whether your organization will use AI, but whether it will use it under governance or in the shadows.

The figure that reorders the agenda

Three numbers from the same report draw the full picture. AI-powered attacks now execute in under 30 minutes, where they used to take days. Organizations detect barely 35% to 40% of AI-driven threats. And according to Marsh, only 26% of companies quantify their cyber risk in financial terms. The attacker automated; the average defender still measures exposure with adjectives.

For the Latin American mid-market the issue is less abstract than for the large corporation. The mid-sized company does not have a forty-person SOC or a dedicated CISO. It has a technology manager who also runs the ERP, and employees pasting client data into public AI tools because it saves them an hour of work.

Shadow AI is not a discipline problem: it is a symptom of a vacuum

The instinctive reaction is to ban. It is also the most useless one: the banned tool gets used from the personal phone. Unauthorized AI use flourishes exactly where the organization offers no governed alternative. If the sales team uses a public chatbot to draft proposals, it is not rebellion: it is because nobody gave them an equivalent capability with controls.

Shadow AI is not eliminated with memos. It is eliminated with an official AI that is better than the clandestine one.

What separates governed adoption from accidental adoption

The difference is not in the language model: it is in the architecture around it. Governed adoption defines what data the models can touch, leaves traceability for every interaction, isolates sensitive information, and measures risk in currency, not adjectives. Companies that financially quantify their exposure significantly reduce the cost of breaches, according to the same Marsh report. Governance, which sounds like a brake, turns out to be the only sustainable accelerator. In regulated industries like financial services and healthcare, the AI that operates without governance most frequently operates on top of unstructured documents (patient files, compliance records, contracts) that were never designed to be AI inputs. That is the exact intersection DocIntel governs.

This is the standard under which we built our AI agent platform at LIFE·IN·CO. When we deployed document and customer data automation with Fiducoldex, the trust company of Colombia's Ministry of Commerce, the entry condition was operating under strict data governance policies: unified profiles with explicit access rules and traceability. In public funds auditing with Grupo Blev & Garssa, every record processed by computer vision leaves verifiable evidence. The lesson from those deployments is direct: in regulated industries, AI only reaches production if governance travels inside the architecture, not as an annex.

What to monitor for the rest of 2026

Three fronts. First, regulation: Colombian sector supervisors are already watching AI use among their regulated entities, and the cost of informality will rise. Second, insurance: insurers are starting to ask about AI governance when quoting cyber policies, and the answer will move the premium. Third, talent: teams already know how to use AI; the organization that gives them a safe framework will capture that productivity instead of exporting it to public tools with its data inside.

AI adoption in the Latin American mid-market will happen either way. The only real decision for an executive committee in 2026 is whether it happens inside an architecture it can defend before a regulator, an insurer or a client. If your organization operates in a regulated industry, this conversation is worth having soon.