Your Secure and Responsible Technology Partner

Case Study — July 2026

About This Issue

This case study analyzes the May 2026 CB Financial Services SEC filing, the first recorded instance of a material cybersecurity incident attributed to “Shadow AI.” The incident occurred when an employee, acting in good faith, input sensitive customer PII into an unauthorized AI application to streamline a routine task.¹

Although no system breach or operational disruption occurred, the company deemed the data exposure material, triggering mandatory regulatory disclosure. The analysis uses the ARISE Framework™ to show that the incident was a governance failure rather than a technical one. It argues that while the company’s incident response was disciplined, critical gaps existed in upstream prevention and detection—specifically regarding acceptable-use policies, AI system inventory, and technical endpoint enforcement.¹

The study concludes that organizations must move beyond reactive incident management by implementing proactive AI governance, including codified policies, data-mapping, and real-time behavioral monitoring, to prevent “Shadow AI” from becoming a disclosure event.¹

Publisher
Assessed Intelligence
