Shadow AI and Security Gaps Put German Firms at Risk of EU AI Act Penalties Up to €35 Million
11.06.2026 - 00:32:10 | boerse-global.de
German companies are racing to get a handle on their artificial intelligence tools as the EU AI Act becomes enforceable from August 2026, with strict fines looming and evidence that many organisations have lost track of how employees use the technology. A new study reveals that 82 percent of surveyed businesses experienced a rise in AI-powered attacks over the past twelve months, while only 34 percent maintain an inventory of their AI models.
The problem of "Shadow AI" is widespread: 56 percent of employees use embedded AI features in third-party tools without informing their IT departments. According to research from Lookout and ZK Research, nearly 60 percent of mobile AI data traffic remains invisible to companies, with 52 percent of all AI usage occurring on smartphones and tablets. The consequences are severe — 45 percent of all AI-generated programs contain critical vulnerabilities.
Access by AI agents to core enterprise systems such as SAP or Salesforce was confirmed in 93 percent of organisations, yet only one in four has clear policies governing that access. These gaps threaten compliance with the EU AI Act, which gives national authorities official supervisory powers starting 2 August 2026.
The workplace safety association BG ETEM (Berufsgenossenschaft Energie Textil Elektro Medienerzeugnisse) highlights the positive potential of AI in occupational protection, noting that the technology can detect hazards faster, improve instruction processes, and reduce paperwork. Through its "Meine BG ETEM" portal, the association already offers AI-powered information to members, and a digital assistant for risk assessments is under development. However, BG ETEM stresses that all AI results must be reviewed by qualified professionals — the goal is support, not replacement.
Under the EU AI Act, a national AI safety institute will be established, initially operating virtually with involvement from the BSI (Federal Office for Information Security) and the Federal Network Agency (Bundesnetzagentur), which will serve as the central supervisory authority. Companies are required under Article 4 to promote AI competence among employees — yet 43 percent currently offer no training at all.
The penalties are steep: violations can bring fines of up to €35 million or 7 percent of annual global turnover. In human resources contexts, specific transparency obligations come into force in August, with fines reaching €15 million.
The market is already adapting. Hamburg has submitted a Bundesrat initiative to reform data protection supervision, aiming for single points of contact for cross-border companies and reduced bureaucracy. Technology providers are moving quickly: q.beyond AG launched a risk assessment and documentation service aligned with EU requirements. Forcepoint integrated an interface for the Claude Enterprise AI model to improve protection of confidential data and enable auditable proof. Meanwhile, DICIS AG reports that digitalisation can cut the effort and cost of quality management systems by more than 80 percent, using an AI assistant to guide users through standards such as ISO 9001 or ISO 27001.
