Are you aware of which AI tools your team uses at work, and what information they’re entering into them?
Most business owners think they do. Let’s take a closer look.
Generative AI tools like ChatGPT, Copilot and Gemini have quickly become a part of everyday work for many. They’re great at boosting productivity, drafting emails, summarising documents, and brainstorming ideas. Helping us solve problems faster.
The problem is, governance hasn’t been able to keep up with their rapid arrival.
A recent report looked at how businesses are using GenAI, and the findings are eye-opening.
Organisations are seeing a surge in AI adoption, with the number of users tripling in the past year.
People aren’t just trying it occasionally too. They’re relying on it. Prompt usage has increased significantly, with some organisations sending tens of thousands of prompts per month.
On the surface, it sounds like progress, but underneath it’s another story.
Nearly half of the people using AI at work are doing so through personal accounts or unapproved apps.
It’s called “shadow AI”. This is when staff upload text, files, and data into systems that the business doesn’t control, can’t see, and can’t audit.
This is where risk starts to come in.
When someone pastes information in to ask AI a question, they’re potentially sharing sensitive data.
Sometimes that data includes customer details, internal documents, pricing information, intellectual property, or even login credentials. Often without you realising it.
The report states that incidents of sensitive data being sent to AI tools has doubled in the last year. Organisations are now seeing hundreds of these incidents every month.
Personal AI apps sit outside company oversight and therefore pose a notable insider risk. These are not necessarily malicious insiders, but well-meaning employees looking to work more efficiently.
This is where most businesses overlook the risk. Thinking that AI threats come from outside hacks.
It could be that an employee pastes the wrong thing into the wrong box at the wrong time.
There’s also a compliance aspect to consider here.
When working in a regulated environment, or dealing with sensitive customer information, unchecked use of AI could put you in breach of your own policies, or external regulations, without anyone noticing until it’s too late.
The message is clear: When sensitive data is entered into unauthorised AI systems, it becomes increasingly difficult to maintain strong data governance.
Attackers are also aware of this and us AI themselves to analyse leaked data to create more convincing and tailored attacks.
So, what do we do?
You can’t ban it. That ship has sailed.
The real answer is governance.
Choose which AI tools are allowed, specify what data can be shared, implement controls to protect information, and ensure your team understands the risks.
AI is already a part of day-to-day work. Ignoring it won’t make it safer, but proper oversight can.
If you need assistance. We can help you get the right policies in place.
Leave a comment!