For the best reading experience, open this document on a desktop browser.
Download PDFThis case study analyzes the May 2026 CB Financial Services SEC filing, the first recorded instance of a material cybersecurity incident attributed to “Shadow AI.” The incident occurred when an employee, acting in good faith, input sensitive customer PII into an unauthorized AI application to streamline a routine task.1
Although no system breach or operational disruption occurred, the company deemed the data exposure material, triggering mandatory regulatory disclosure. The analysis uses the ARISE Framework™ to identify that the incident was a governance failure rather than a technical one. It argues that while the company’s incident response was disciplined, critical gaps existed in upstream prevention and detection—specifically regarding acceptable-use policies, AI system inventory, and technical endpoint enforcement.1
The study concludes that organizations must move beyond reactive incident management by implementing proactive AI governance, including codified policies, data-mapping, and real-time behavioral monitoring, to prevent “Shadow AI” from becoming a disclosure event.1
Ready to Implement ARISE?
Speak with an advisor or access the full framework at ariseframework.com.