Let me ask you a slightly uncomfortable question.
Do you know which AI tools your team is using at work… and what they’re putting into them?
Most business owners I speak to think they do. And then we dig a little deeper.
Generative AI tools like ChatGPT and Gemini have slipped into everyday work incredibly fast. They’re great for productivity. Drafting emails. Summarising documents. Brainstorming ideas. Solving problems faster.
The trouble is, they’ve arrived so quickly that governance hasn’t kept up.
A recent report looked at how businesses are using GenAI, and the findings are eye-opening.
AI usage in organisations has surged. The number of users tripled in just a year.
People aren’t just trying it out either. They’re relying on it. Prompt usage has exploded, with some organisations sending tens of thousands of prompts every month.
At the very top end, usage runs into the millions.
On the surface, that sounds like efficiency.
Underneath, it’s something else entirely.
Nearly half of people using AI tools at work are doing so through personal accounts or unsanctioned apps.
This is called “shadow AI”. It means staff are uploading text, files, and data into systems the business doesn’t control, can’t see, and can’t audit.
That’s where the risk creeps in.
When someone pastes information into an AI tool, they’re not only asking a question. They’re sharing data.
Sometimes that data includes customer details, internal documents, pricing information, intellectual property, or even login credentials. Often without you realising it.
According to the report, incidents involving sensitive data being sent to AI tools have doubled in the last year. The average organisation now sees hundreds of these incidents every single month.
And because personal AI apps sit outside company controls, they’ve become a significant insider risk. Not malicious insiders, necessarily. Well-meaning people trying to get their job done faster.
This is where many businesses get caught out. They assume AI risk looks like hacking from the outside.
It can look like an employee copying and pasting the wrong thing into the wrong box, at the wrong time.
There’s also a compliance angle here.
If you operate in a regulated environment, or handle sensitive customer data, uncontrolled AI use can put you in breach of your own policies, or someone else’s regulations, without anyone noticing until it’s too late.
The warning is blunt: As sensitive information flows freely into unapproved AI ecosystems, data governance becomes harder and harder to maintain.
At the same time, attackers are getting smarter, using AI themselves to analyse leaked data and tailor more convincing attacks.
So what’s the answer?
It’s not banning AI. That ship has sailed. And it’s not pretending it’s harmless either.
The real answer is governance.
That means deciding which AI tools are approved for work use. Being clear about what can and cannot be shared with them. Putting visibility and controls in place so data doesn’t quietly drift where it shouldn’t. And making sure your team understands the risks, not in a scary way, but in a practical, grown-up one.
AI is already part of how work gets done. Ignoring it doesn’t make it safer. Governing it does.
We can help you put the right policies in place and educate your team on the risks of AI. Get in touch.