Most UK employees are now using unapproved AI tools at work every week, according to new Microsoft research, raising fresh questions about security, privacy, and corporate control over artificial intelligence.

What Microsoft Found

Microsoft’s latest UK study reports that 71 per cent of employees have used unapproved consumer AI tools at work, and 51 per cent continue to do so weekly. The research, conducted by Censuswide in October 2025, highlights a growing trend known as “Shadow AI”, i.e., the use of artificial intelligence tools not sanctioned by employers. The (October 2025) Censuswide survey took account of the views of 2,003 UK employees, aged 18 and over. The sample included workers from financial services, retail, education, healthcare, and other sectors, with at least 500 respondents each from large businesses and public sector organisations.

Typical Uses of Shadow AI

According to Microsoft’s study, typical uses of Shadow AI include drafting or replying to workplace communications (49 per cent), preparing reports and presentations (40 per cent), and even carrying out finance-related tasks (22 per cent). Many employees say they turn to these tools because they are familiar or easy to access, with 41 per cent admitting they use the same tools they rely on in their personal lives. Another 28 per cent said their employer simply doesn’t provide an approved alternative.

Limited Awareness of the Risks

It seems that according to the study, awareness of the risks remains limited, which is a key part of the problem. For example, only 32 per cent of respondents said they were concerned about the privacy of customer or company data they enter into AI tools, while 29 per cent expressed concern about the potential impact on their organisation’s IT security.

As Darren Hardman, CEO of Microsoft UK & Ireland, says: “UK workers are embracing AI like never before, unlocking new levels of productivity and creativity. But enthusiasm alone isn’t enough,” and that “Businesses must ensure the AI tools in use are built for the workplace, not just the living room.”

Why It So Much Matters Now

The research reflects a wider cultural change in how employees are using artificial intelligence (AI) to handle everyday tasks. For example, Microsoft estimates that generative AI tools and assistants are now actually saving workers an average of 7.75 hours per week. Extrapolated across the UK economy, that equates to around 12.1 billion hours a year, or approximately £208 billion worth of time saved (according to analysis by Dr Chris Brauer of Goldsmiths, University of London).

That potential productivity boost most likely explains much of the enthusiasm around generative AI. However, it also highlights why workers are bypassing official channels. For example, when the tools provided by employers feel restrictive, employees often reach for whatever gets the job done fastest, even if that means using consumer platforms that fall outside company governance and data protection frameworks.

What Is ‘Shadow AI’?

The term “Shadow AI” is borrowed from “shadow IT”, which is a long-standing issue where employees use unapproved hardware or software without authorisation. In this case, it refers to staff using consumer AI tools such as public chatbots or online assistants to support work tasks. One potential problem with this is that these platforms often store or learn from user input, which may include company or customer data, creating potential security and compliance problems.

Organisations that allow this kind of behaviour to go unchecked, therefore, risk breaching UK data protection laws, regulatory obligations, or intellectual property rights (not to mention giving away company secrets). The British Computer Society (BCS) and other professional bodies have previously warned that shadow AI could expose firms to data leaks, non-compliance, and reputational harm if sensitive material is entered into consumer models.

The Real Risks for Businesses

The main security concern is data leakage, i.e., where employees enter sensitive company information into AI tools that may store or process data outside of approved systems. This could include confidential documents, client details, or financial data. Once that information leaves the organisation’s control, it may be impossible to delete or track, potentially breaching data protection law or confidentiality agreements.

Another issue that’s often overlooked by businesses is attack surface expansion. For example, the more third-party AI tools are used, the greater the number of external systems handling company information. This increases the likelihood of phishing, prompt injection attacks, and other forms of misuse. Also, there is the problem of auditability. When AI tools operate outside an organisation’s infrastructure, they leave no record of what data was used or how it was processed, making compliance monitoring almost impossible.

Earlier this year, a report by Ivanti found that nearly half of office workers were using AI tools that were not provided by their employer, and almost one-third admitted keeping it secret. Some employees even said they used unapproved AI to gain an “edge” at work, while others feared their company might ban it altogether. The study echoed Microsoft’s findings that even sensitive data, such as customer financial information, is being fed into public models.

Why Employees Still Do It

Despite the risks, many employees say they basically rely on consumer AI because it helps them manage workloads and meet rising productivity expectations. Microsoft’s study also found that attitudes towards AI have become far more positive over the course of 2025. For example, 57 per cent of employees now describe themselves as optimistic, excited or confident about AI (up from 34 per cent in January). Also of note, it seems the proportion of workers saying they “don’t know where to start with AI” has dropped from 44 per cent to 36 per cent, while more employees say they understand how their company uses the technology.

For many, the motivation is actually practical rather than rebellious. For example, AI chatbots help draft content, summarise notes, create reports and presentations, or even analyse spreadsheets. When deadlines are tight and workloads are high, these capabilities can make a tangible difference, especially if the employer’s own tools are limited or slow to adopt new technology.

A Balanced View

While much of the discussion has focused on the dangers of shadow AI, some experts suggest it can also be a useful indicator of where innovation is happening inside a business. For example, at the Gartner Security and Risk Management Summit in London, analysts Christine Lee and Leigh McMullen argued that rather than trying to eliminate shadow AI entirely, companies could benefit by identifying which tools employees are already finding valuable. With the right governance and security controls, those tools could be formally adopted or integrated into approved workflows.

In this sense, shadow AI can act as an early warning system for unmet needs. If, for example, marketing teams are using public generative AI tools to create campaign content, that may reveal a gap in internal creative resources or digital support. Security teams could then review those external tools, assess the risks, and replace them with enterprise-grade equivalents that meet the same needs safely.

Gartner’s approach reflects a growing recognition that employees are often ahead of policy when it comes to technology adoption. Turning shadow AI into an opportunity for collaboration, rather than conflict, could help businesses strike a balance between innovation and security.

What Organisations Can Do Next

Analysts and security experts are urging employers to start by improving visibility. That means identifying which AI tools are already being used across the organisation, and for what purposes. With this in mind, many companies are now running staff surveys or using software discovery tools to build a clearer picture of how generative AI is being adopted.

Once the extent of use is known, companies can then focus on education. Clear, accessible policies are essential, i.e., explaining in plain English what kinds of data can be entered into AI tools, what cannot, and why. Training should emphasise the risks of using consumer AI platforms, particularly when handling client, financial, or personal information.

Enterprise Grade Safer

The final step is to offer secure alternatives. Enterprise-grade AI assistants, such as those integrated into Microsoft 365 or other workplace systems, are designed to protect sensitive data and maintain compliance. These tools include encryption, access controls, audit logs, and data-loss prevention measures that consumer apps typically lack. As Microsoft’s Darren Hardman put it: “Only enterprise-grade AI delivers the functionality employees want, wrapped in the privacy and security every organisation demands.”

Where Shadow AI Is Most Common

Microsoft’s data shows that shadow AI use is most prevalent among employees in IT and telecoms, sales, media and marketing, architecture and engineering, and finance and insurance. This is likely to be because these are industries where high workloads, creative output, or data handling make AI assistants especially appealing. As confidence grows and tools become more sophisticated, use across sectors is expected to increase further.

Shaping Culture

The Microsoft research suggests this trend is already reshaping workplace culture. For example, more employees now see AI as an essential part of their organisation’s success strategy, a figure that has more than doubled from 18 per cent in January to 39 per cent in October. Globally, Microsoft’s Work Trend Index reports that 82 per cent of business leaders view 2025 as a turning point for AI strategy, with nearly half already using AI agents to automate workflows.

What Does This Mean For Your Business?

The rise of shadow AI appears to present UK businesses with a clear crossroads between risk and reward. Employees are demonstrating that AI can deliver genuine productivity gains, but their widespread use of unapproved tools exposes gaps in governance and digital readiness. For many organisations, this is not simply a security issue but a sign that workplace innovation is moving faster than policy.

In practical terms, the Microsoft findings suggest that companies which fail to provide secure, accessible AI tools will continue to see staff seek out consumer alternatives. That makes the issue as much about culture and leadership as it is about technology. Building trust through transparency, and ensuring employees understand how and why AI is being managed, will be critical to balancing productivity with protection.

For IT leaders, the challenge now lies in developing frameworks that enable safe experimentation without undermining compliance. That means investing in enterprise-grade AI infrastructure, tightening oversight of data use, and introducing training that connects security policy with real-world tasks. Businesses that achieve this balance will be able to harness AI’s benefits while maintaining control over how it is deployed.

The implications extend beyond individual firms. For example, regulators, industry bodies, and even customers have a stake in how securely AI is used in the workplace. As more sensitive data flows through AI systems, the pressure will grow for clear accountability and transparent governance. The Microsoft findings make it clear that AI adoption in the UK is no longer confined to innovation teams or pilot projects; it is now embedded in everyday work. How organisations respond will determine whether this new era of AI-driven productivity strengthens trust and competitiveness, or exposes deeper vulnerabilities in the digital workplace.

The UK government has written to chief executives across the country urging them to keep physical, offline copies of their cyber contingency and business continuity plans, as the number of severe cyber attacks continues to rise.

Why The Government Is Acting Now

The move follows a sharp increase in what officials call “nationally significant” cyber incidents. In its latest annual review, the National Cyber Security Centre (NCSC) reported handling 429 cyber incidents over the past year, of which 204 were classed as nationally significant, more than double the previous year’s total of 89. Eighteen of those were categorised as “highly significant”, marking a 50 per cent rise.

These figures highlight a growing problem for UK organisations. Attacks on major companies have recently disrupted production lines, logistics operations, and supply chains. The government says this shows how cyber threats now pose not only a security risk but also a direct threat to jobs and the wider economy.

Cyber Resilience Should Be A Board Level Priority

Technology Secretary Liz Kendall, Chancellor Rachel Reeves, Business Secretary Peter Kyle, Security Minister Dan Jarvis, and the heads of both the NCSC and the National Crime Agency have jointly signed letters to business leaders, including all FTSE 350 companies. The message is that cyber resilience must become a board-level priority, and organisations must be ready to operate without IT systems for extended periods if necessary.

What The Letter Tells CEOs To Do

The letter from the government essentially makes three key points/recommendations to company leaders, which are:

1. It says they should treat cyber resilience as a governance issue and align with the government’s new Cyber Governance Code of Practice.

2. It recommends that all organisations sign up to the NCSC’s Early Warning service, which alerts firms to potential vulnerabilities or active threats.

3. It advises implementing the Cyber Essentials scheme, both within their own operations and throughout their supply chains.

Crucially, the letter also stresses the importance of keeping copies of critical plans “accessible offline or in hard copy”, including details of how to communicate and coordinate during an IT failure. This is actually part of a wider government effort to embed what the NCSC calls “resilience engineering”, which can basically be described as an approach that focuses on anticipating, absorbing, recovering from, and adapting to cyber attacks.

The Logic Behind Paper Copies

Although it may sound strange in what is increasingly a digital world, the advice to hold printed plans is intended to be a practical response to one of the key realities of modern cyber incidents. For example, when ransomware or destructive malware locks or wipes digital systems, even backups stored in the cloud can become inaccessible. In those situations, an organisation needs something it can rely on immediately, i.e., contact lists, instructions, and decision trees that are available without power, network access, or authentication.

The NCSC’s annual review explains that organisations should have “plans for how they would continue to operate without their IT, and rebuild that IT at pace, were an attack to get through.” Storing that information offline ensures that teams can still coordinate a response even if email, messaging, or identity systems have been taken down.

From Prevention To Resilience

The government’s letter reflects a wider change in strategy from simply preventing attacks to building the ability to withstand them. For example, the NCSC now encourages what it calls resilience engineering, i.e., designing systems and processes that can recover quickly after disruption.

That includes maintaining immutable backups that cannot be encrypted or tampered with, segmenting networks to prevent attacks spreading, testing recovery procedures, and running scenario exercises that simulate complete loss of IT. This approach assumes that no organisation can be completely immune to attack, so readiness and rapid recovery become essential.

Warnings From The NCSC

In its latest report, the NCSC said cyber security had become “a matter of business survival and national resilience.” The agency noted that half the incidents it managed in the past year met the top three severity categories, which cover impacts to government, essential services, or large sections of the public and economy.

The NCSC is urging organisations to make themselves as hard a target as possible, warning that hesitation in improving resilience leaves them exposed. It is also promoting its Cyber Action Toolkit for smaller firms, which provides simple step-by-step measures to improve security and response capabilities.

Support From The Security Industry

Cybersecurity professionals appear to have broadly supported the government’s message, saying it reflects lessons learned from recent incidents where businesses lost access to key systems for weeks. Industry experts have described the advice as practical rather than symbolic, noting that while printed plans may seem old-fashioned, they can be vital when digital tools fail.

The concept of treating cyber security like health and safety, something every employee understands as part of everyday working life, has gained traction in recent years. The government’s call reinforces this by urging boards to build resilience into core operations rather than treating it as an optional add-on.

Preparation

For larger companies, the message essentially means that cyber risk must now be reported and discussed at board level, with directors accountable for ensuring readiness. That includes confirming who would take charge in an emergency, how to communicate without email, and where physical copies of key documents are stored.

For smaller firms, the focus is more on preparation. For example, the NCSC’s free services, including the Early Warning system and Cyber Essentials certification, are designed to reduce the burden of building basic protection. Having physical backup plans does not replace digital defences, but it ensures that even in the worst-case scenario, there is a clear process for keeping the business running.

The government also highlights the benefits of requiring suppliers to meet similar standards, as supply chain weaknesses can often be exploited by attackers. Making resilience part of procurement policies helps reduce the risk of disruption spreading between organisations.

The Advantage of Offline Contingency Plans

A key advantage of offline contingency plans is that they allow teams to act immediately when systems go down. For example, staff can access emergency contacts, escalate issues, and follow recovery steps without waiting for IT access to return. In critical industries, such as healthcare, manufacturing, and logistics, those minutes or hours can make the difference between a temporary disruption and a complete operational shutdown.

Organisations that follow the NCSC’s guidance can also expect tangible benefits. The agency notes that companies meeting Cyber Essentials standards are significantly less likely to make cyber insurance claims. Better planning also tends to reduce recovery times and financial losses.

Challenges And Concerns

Although there is broad support for the government’s recommendations, there are (inevitably) some practical and logistical challenges. For example, paper copies need to be updated regularly to reflect new systems and staff changes, and they must be stored securely to prevent sensitive information from being accessed or lost. Some companies have also expressed concern about the administrative burden of maintaining both digital and physical documentation.

Others question whether a focus on manual fallbacks could distract from investment in prevention. However, security experts argue that resilience and defence are complementary, i.e., both are necessary, and neither alone is sufficient.

For small and medium-sized enterprises, limited resources remain a concern. Even with free government tools, implementing and maintaining robust resilience measures can take time and expertise. Nonetheless, the government’s stance is that preparedness is no longer optional, given the rising frequency and severity of attacks.

The Bigger Picture

Ministers have said that further steps will follow, including continued promotion of the Cyber Governance Code of Practice and potential new requirements under the forthcoming Cyber Security and Resilience Bill.

The letters sent this month highlight a clear change in tone, to one where cyber resilience is no longer being treated as an IT issue, but as a matter of national and economic security. For UK businesses, the message is simply that if the screens go dark, the organisation should still be able to function, and that begins with having the right plans on paper.

What Does This Mean For Your Business?

The government’s intervention could be said to mark a notable moment in how cyber risk is now being framed, i.e., as a question of continuity and national resilience rather than purely technical defence. The decision to write directly to company chiefs shows the extent to which cyber attacks have moved from the IT department to the boardroom, becoming an operational, financial, and reputational issue that demands visible leadership. The emphasis on hardcopy plans might appear unusual in a digital economy, yet it underlines an uncomfortable truth, which is that digital systems are not invincible and that planning for their failure is now a core part of responsible management.

For UK businesses, this change could prove both challenging and beneficial. For example, it requires time, training, and discipline to maintain offline contingency plans and rehearse manual processes, but it also forces a clearer understanding of dependencies and critical operations. Those already investing in resilience may find themselves better protected from both financial losses and prolonged service disruption. Smaller firms, meanwhile, stand to gain from the free support and practical guidance now being promoted by the NCSC, which aims to bring consistent standards across the economy.

The wider implications reach beyond business. For government and regulators, the campaign is part of a long-term effort to build systemic strength in the face of increasingly complex attacks. For insurers and investors, it offers a signal that resilience planning is becoming a measurable component of good governance. For the public, it reinforces the expectation that essential services, from food distribution to healthcare, should be able to keep operating even when technology fails.

The government’s advice accepts that no cyber defence is perfect, but that preparedness can dramatically limit the impact. By putting resilience on paper as well as on screen, the UK’s leadership is attempting to bridge the gap between digital ambition and practical survivability. If businesses take that message seriously, the result may be a more stable and dependable digital economy, and one that can withstand not just the next attack, but the inevitable disruptions still to come.

Google has introduced Recovery Contacts, a new way for users to regain access to a locked Google Account by asking trusted friends or family members to confirm their identity.

What Google Has Announced

Google says Recovery Contacts is “a new option that lets users choose trusted friends or family members to help if they ever get locked out of their Google Account.” It is designed for situations where standard recovery routes, such as SMS codes or a passkey on a lost phone, are not available. The feature is rolling out now and can be set up at g.co/recovery-contacts for eligible personal accounts.

How Recovery Contacts Works

In terms of how it’s supposed to work, Google says users nominate people they trust as recovery contacts in the Security & sign-in section of their Google Account. If a user becomes locked out, they can select one of those contacts during the recovery flow and tap “Get number.” Google then shows a code that expires after 15 minutes. The user shares that code with their contact, who will see three options on their device and must choose the one that matches. If the correct number is selected, Google says it treats that as a strong signal of legitimate identity and proceeds with account recovery. Recovery contacts cannot see any data or access the user’s account at any stage.

Limits, Timing and Eligibility

Google says several safeguards have been put in place to prevent misuse. For example, up to 10 recovery contacts can be added, and each person must accept the invitation before being included. After acceptance, there is a seven-day waiting period before that contact becomes active for recovery. If someone declines, the user must wait four days before sending another invite. When a recovery contact is used, the code received is valid for only 15 minutes, meaning both parties must act promptly. Google notes that child accounts, Advanced Protection accounts, and Google Workspace accounts cannot add recovery contacts, although those same accounts can still serve as a contact for someone else. A single person can act as a recovery contact for up to 25 different primary accounts.

Why Is Google Doing This Now?

Account recovery has long been one of the most stressful aspects of online account management and many users lose access when their phone number changes or a device with a passkey is lost. Google says the goal is to “strengthen account recovery and ensure access when it matters most.” The company has been steadily building towards a password-free future through technologies such as passkeys, and Recovery Contacts adds another layer of reassurance.

The move actually forms part of a wider package of privacy and security updates announced in mid-October, which also includes “Sign in with Mobile Number” for Android, spam link detection in Google Messages, and a “Key Verifier” for confirming encrypted chats. These collectively aim to reduce both account lockouts and the success rate of scams targeting Android users.

A New Type of Recovery

Traditionally, account recovery has relied on “something you have” such as a phone, or “something you know” such as a password. The difference with Recovery Contacts is that it introduces “someone you trust” into the process, i.e., it formalises what many people already do informally when locked out, which is turning to a friend for help. Google describes it as “a simple, secure way to turn to people you trust when other recovery options aren’t available.”

The Practical Benefits

For everyday users, Recovery Contacts should provide a safety net against permanent lockout from accounts holding vital information such as photos, documents and personal messages. The short validity of the recovery code makes it difficult for attackers to intercept, and the multiple-choice verification on the contact’s device prevents accidental approval of a fraudulent request.

For Android users, the linked “Sign in with Mobile Number” feature adds another useful safeguard in that it identifies all accounts linked with a particular phone number and allows verification using the previous device’s lock-screen passcode or pattern. This feature is being rolled out globally.

Who Can Use It and When

Recovery Contacts are rolling out now, though not every account will see the feature immediately. Google advises users to check eligibility through their account settings. Personal accounts are the primary focus, while Google Workspace and Advanced Protection users remain excluded. Workspace environments typically use hardware keys and administrator-managed recovery processes, which are considered more appropriate for professional use.

Business Users

For small businesses and sole traders using personal Google Accounts, Recovery Contacts could offer a straightforward but effective layer of protection. For example, losing access to a main account could halt operations if email and documents are tied to it, potentially costing time and money. Adding trusted family members or colleagues could, therefore, prevent prolonged downtime.

However, for organisations using Google Workspace, there is currently no change. Workspace recovery processes remain under administrator control, built around strict security policies that do not permit social recovery mechanisms. The seven-day activation delay after adding a contact also means businesses should prepare in advance rather than waiting until an issue arises.

Competitors and Industry Context

Apple actually introduced a similar system for iCloud users back in 2021, allowing trusted contacts to verify identity for Apple ID recovery. Meta also experimented with “trusted contacts” for Facebook accounts, although that feature was later discontinued. By adopting a comparable model, Google is bringing its ecosystem closer in line with other major platforms while maintaining a strong emphasis on user privacy.

Industry analysts note that this reflects a broader trend toward combining human trust with technical verification. While passkeys and biometrics have strengthened access control, human-assisted recovery provides a fallback that purely technological solutions cannot always guarantee.

Security Considerations and Criticisms

Cybersecurity experts, however, caution that introducing a human element can open new avenues for manipulation. For example, social engineering, where attackers trick people into taking harmful actions, remains a major risk. A fraudster could attempt to pressure a recovery contact into approving a request within the 15-minute window.

That said, Google has added several protections to counter this. For example, the contact must choose the correct number from three randomised options, making it harder to fake a legitimate request. Temporary security holds may also trigger if suspicious activity is detected, giving the account owner time to intervene. The mandatory waiting periods between invitations and activations slow down potential large-scale exploitation attempts.

Security specialists recommend selecting contacts carefully and ensuring those individuals understand the verification process. Any unexpected recovery request should be confirmed through another communication channel before approval.

A Broader Anti-Scam Backdrop

Recovery Contacts appears to sit within Google’s wider effort to limit scams and unauthorised access across its services. Alongside the new recovery feature, the company has expanded phishing and spam protections in Google Messages, adding link warnings and QR-based encryption verification. It has also launched “Be Scam Ready,” an interactive game designed to help people recognise fraudulent tactics before falling victim to them.

What Google Says

In announcing the feature, Google Product Manager Claire Forszt and Group Product Manager Sriram Karra said, “It’s a simple, secure way to turn to people you trust when other recovery options aren’t available.” They also emphasised that recovery contacts “will not have access to your account or any of your personal information,” presenting the feature as another step toward “a password-free future” where account access remains reliable even if devices are lost.

The Key Takeaway for Users

In terms of the key takeaway from Google’s announcement of this feature, individuals with personal Google Accounts are basically being encouraged to set up Recovery Contacts in advance to avoid disruption later. Adding at least two trusted people, ideally those easy to reach quickly, can provide an effective safeguard if account access is lost. Users should also ensure their recovery phone numbers and email addresses are up to date and enable passkeys for secure sign-in wherever possible.

For business users, particularly those on Workspace, existing enterprise recovery policies remain the standard route. That said, Recovery Contacts reflects how identity verification is evolving toward a trust-based model. As accounts become increasingly linked to devices and biometrics, social recovery may soon become a common feature across all major digital ecosystems.

What Does This Mean For Your Business?

The introduction of Recovery Contacts highlights how identity management is now expanding beyond devices and credentials to include human trust as part of digital security. By creating a formal mechanism for involving trusted individuals in account recovery, Google is addressing one of the most frustrating weak points in its ecosystem: the difficulty of regaining access when every technical safeguard fails. This may also signal that major platforms are beginning to view social verification as a legitimate part of cybersecurity, not simply an emergency workaround.

For UK businesses, the change could have mixed implications. For example, sole traders and micro-businesses that still depend on personal Google Accounts gain an extra safety net that could prevent costly downtime if an account is locked. Larger organisations using Workspace, on the other hand, will see little change for now, as enterprise-grade recovery remains tied to administrative controls and hardware security keys. However, as account recovery becomes more reliable for individuals, it could also encourage stronger adoption of passkeys and multi-factor authentication across small firms that have previously avoided them for fear of being locked out.

The move will likely put pressure on other technology providers to strengthen their recovery options while maintaining user privacy. Apple’s earlier adoption of a similar approach shows that users expect this kind of fallback, and Google’s rollout makes it effectively mainstream. For cybersecurity professionals, it raises fresh questions about how to balance convenience and human trust without increasing the risk of manipulation. While the layered protections Google has built in should deter most opportunistic attacks, the feature still depends on the judgement and caution of the chosen contact.

In a broader sense, Recovery Contacts shows that security design is becoming more people-centred. The addition of human trust to the authentication process reflects an acknowledgment that no digital system can ever be entirely self-sufficient. For users, it introduces a practical, transparent safeguard that may one day be as familiar as password resets or two-factor codes. For Google, it reinforces its role as a standard-setter in account protection and signals a future where human support becomes a built-in part of online identity recovery rather than an afterthought.

Researchers have discovered a new Android attack called “Pixnapping” that can secretly steal sensitive on-screen data, including two-factor authentication (2FA) codes, private messages, and financial information.

Developed by a team at Carnegie Mellon University, the attack exploits Android APIs and a GPU hardware side channel known as GPU.zip to capture pixels from other apps. In tests, a malicious app stole a 2FA code from Google Authenticator in under 30 seconds without permissions or visible signs.

The flaw affects recent Google and Samsung phones, including the Pixel 6–9 and Galaxy S25, running Android 13 to 16. Research lead Riccardo Paccagnella described it as “a fundamental violation of Android’s security model.” Google has logged the issue as CVE-2025-48561 and issued partial fixes, though researchers say Android remains vulnerable.

Experts advise users and businesses to keep devices updated, avoid untrusted apps, and limit the display of sensitive data until a full patch is released.

Texas is becoming America’s top destination for technology companies, but the same policies attracting them are driving an energy boom that threatens to undo key environmental gains.

What Is Driving The Move?

Over the past five years, Texas has led the United States in corporate relocations. For example, as research from CBRE shows, since 2018, 465 company headquarters have moved states, with 209 choosing Texas. Firms ranging from Oracle and Hewlett Packard Enterprise to Tesla and GAF Energy have made the jump, citing lower costs, fewer regulations, and access to talent.

Unlike California, Texas has no corporate or personal income tax, fewer environmental restrictions, and a comparatively low cost of living. The Dallas–Fort Worth region now ranks among the fastest-growing business hubs in the world, offering an international airport network and a deepening talent pool supported by major universities. For many technology companies struggling with California’s high energy prices and stricter labour laws, the switch appears to make economic sense.

The Case Of GAF Energy

One clear example came this month (October 2025) when GAF Energy, a solar shingle manufacturer, confirmed it would close its San Jose site and move operations to Georgetown, Texas, cutting 138 jobs in the Bay Area. The company said it was aligning its business with markets where solar is most compelling for builders and homeowners.

California’s recent cuts to solar subsidies and tightening regulation have made it harder for solar installers to maintain margins. Texas, by contrast, offers an expanding housing market, lower costs, and an open regulatory environment. The relocation follows similar moves by major names such as Oracle, Verily Life Sciences, Realtor.com, and Tesla, each seeking the same business-friendly advantages.

Energy, Power, And Expansion

Energy reliability and price are the key factors at the heart of Texas’s appeal. For example, the state produces more electricity than any other, driven by a mix of natural gas, wind, and increasingly, solar power. Data from the Electric Reliability Council of Texas (ERCOT) shows electricity demand could almost double by 2034, with half of all new industrial demand expected to come from data centres.

These facilities, which host servers for artificial intelligence (AI), cryptocurrency, and cloud computing, require enormous and continuous energy supplies. Texas is one of the few places capable of meeting this demand at scale. Its grid is largely self-contained, allowing developers to negotiate directly with utilities and local governments for new capacity.

For example, Cognigy, a Germany-based AI firm, announced earlier this year that it would relocate its US headquarters from San Francisco to Plano, north of Dallas, citing Texas’s business-friendly environment and access to talent. The company says it plans to grow its workforce to 200 within three years.

The Cost Of Growth

However, it should be noted here that the same power abundance that draws IT firms is driving a rapid buildout of fossil-fuel generation. For example, according to the Environmental Integrity Project, developers have announced 130 new natural gas power plants in Texas, capable of producing 58 gigawatts of electricity, which is enough to power more than 14 million homes.

If all are built, the clear downside is that they could emit 115 million metric tonnes of greenhouse gases each year, equivalent to the annual emissions of nearly 30 coal-fired plants or 27 million vehicles. Many of these projects are being approved under what campaigners call weakened permits, allowing construction to proceed more quickly but with fewer pollution controls.

Environmental groups argue that some applications are being approved in record time, sometimes within days of filing. They have urged the Environmental Protection Agency to intervene, warning that this pace risks breaching clean air standards.

The Trump Factor

It’s impossible to ignore the fact that President Donald Trump’s new energy policies are helping to drive this expansion. For example, in May 2025, he signed four executive orders aimed at dramatically increasing US nuclear capacity and accelerating fossil fuel permitting. One order instructs the Nuclear Regulatory Commission to cut licensing timelines to 18 months. Another sets a long-term goal of adding between 300 and 400 gigawatts of nuclear capacity by 2050.

Supporters argue that Trump’s plan will strengthen energy independence and support power-hungry sectors such as AI and manufacturing. Critics, however, note that it has come alongside funding cuts for renewables. Federal incentives for solar and wind have been reduced, while the Texas Energy Fund, backed by up to $7.2 billion in taxpayer loans and grants, excludes renewable projects from receiving support.

The Rise Of The “Trump Energy Campus”

Perhaps the most striking example of this change is Fermi America’s proposed “President Donald J. Trump Advanced Energy and Intelligence Campus” near Amarillo. The project, co-founded by former Energy Secretary Rick Perry, would combine four Westinghouse AP1000 nuclear reactors with one of the largest gas-fired plants in the country to power an 18 million square foot data centre.

Fermi claims the combined “hypergrid” could generate up to 11 gigawatts of electricity, roughly equal to the entire output of Manhattan. However, local residents and environmental groups are questioning how it will secure enough cooling water in a drought-prone area that receives only around 20 inches of rain per year.

Officials have suggested that treated wastewater from a nearby nuclear weapons facility could be used, though some farmers remain concerned about groundwater depletion. Others have noted that the site sits near a long-standing Superfund cleanup zone, raising questions about environmental safety and oversight.

Air Quality And Water Pressure

Beyond the carbon emissions, new power plants are expected to worsen local air quality. For example, gas facilities release nitrogen oxides, sulphur dioxide, and fine particulate matter that can trigger asthma and heart disease. Fourteen of the 54 planned sites are located in areas already failing to meet national air-quality standards for ozone and particulate matter.

Water scarcity is another well-documented and growing concern. For example, some large-scale data centres can use millions of litres of water per day for cooling. However, Texas has no statewide requirement for companies to report their consumption, making it difficult to track the full environmental impact of the sector’s expansion. Analysts warn that unchecked data-centre growth could strain local water supplies, particularly across central and western Texas.

A Balancing Act Between Growth And Sustainability

For now, it’s obvious why Texas is so appealing to the tech sector. Low taxes, vast land, and abundant power have created a pro-business environment that few other states can match. However, the state’s heavy reliance on gas-fired power and the water-intensive nature of data-centre development are creating a sustainability paradox.

ERCOT’s chief executive, Pablo Vegas, has publicly stated that treating renewables as a problem is misleading and that Texas’s long-term energy stability depends on keeping a balanced mix of energy sources. His comments reflect a wider recognition that growth built solely on fossil generation could expose the grid to both environmental and operational risk.

Why This Matters Beyond Texas

For UK and European businesses with operations or supply-chain links in the US, these developments matter. Texas’s growing dominance as a technology and manufacturing hub is reshaping the energy and sustainability landscape that underpins global digital infrastructure. The tension between low-cost growth and long-term environmental responsibility is likely to define how the next decade of US industrial policy unfolds.

What Does This Mean For Your Organisation?

What is happening in Texas is a clear example of the tension between economic opportunity and environmental responsibility. The state’s low costs, deregulated markets, and vast energy resources have created a magnet for technology investment, yet this same combination risks locking the region into higher emissions and heavier water use at a time when sustainability should be at the centre of long-term planning.

The growth of data centres and AI facilities will almost certainly strengthen Texas’s position as a global digital hub, but their reliance on fossil-fuel power could undermine both state and national climate targets. For UK companies supplying technology, engineering, or energy solutions into the US market, this presents both a challenge and an opportunity. Those offering cleaner technologies, efficient cooling systems, or renewable integration expertise may find growing demand as American firms face pressure to offset their environmental impact.

The state’s current approach also offers a wider lesson for policymakers and corporate leaders. Economic incentives alone cannot deliver a sustainable industrial future unless they are balanced with transparency, environmental safeguards, and credible emissions reductions. If Texas manages to align its economic momentum with clean energy growth, it could become a model for responsible expansion. If it fails, it risks becoming a cautionary tale of unchecked development driven by short-term gains.

For investors, regulators, and businesses alike, the outcome will be significant. The decisions being made in Texas today will shape the carbon footprint of the next generation of global technology infrastructure, influencing where companies build, how they power their operations, and how international partners view the sustainability of America’s digital economy.