Here's a quick way to gauge how exposed your company is to AI right now. Ask your managers how many tools their teams have built or adopted in the last year that never went through IT. Not the sanctioned software with a contract and a login — the spreadsheets wired up to ChatGPT, the little scripts someone wrote to clean up dispatch data, the pricing tool a salesperson keeps on their laptop.
For most operators, the honest answer is some version of "more than we'd like to admit." And the numbers back that up.
- 80% of office workers now use AI at work in some form (IBM, 2025)
- 22% rely solely on the tools their employer actually provided (IBM, 2025)
- ~44% admit to using AI against company policy, often with sensitive data (KPMG, 2025)
The pattern you're not seeing
We see the same thing inside growing contractors and PE-backed platforms again and again. Someone capable and motivated builds something genuinely useful on their own. A field-ops lead automates a report that used to eat half a day. A salesperson stands up a pipeline tool and quietly iterates on it for months. It works. People start depending on it.
The trouble isn't that the tool is bad. The trouble is that nobody else knows it exists. Company data is sitting in a personal account. There's no version history, no backup, no second set of eyes. If that person leaves, the tool leaves with them. And because it was never reviewed, you have no idea whether customer information just walked out the door through a free chatbot's training data.
Why bans backfire
The instinct, once a leader sees this, is to shut it down. Block the sites. Send the memo. It feels responsible. It almost never works.
People reach for these tools because the tools make their jobs easier, and that motivation doesn't disappear when you send an email about it. What disappears is their willingness to tell you. A ban doesn't end shadow AI. It drives it onto phones, home laptops, and personal logins, where you have even less visibility than before. You've traded a problem you can see for one you can't.
A policy that says "don't use AI" mostly teaches your best people not to mention that they're using AI. The activity stays. The reporting stops.
Build the safe lane
The better move is to give people somewhere sanctioned to do the thing they're already doing. You don't need a governance committee or a six-month rollout to start. Three things cover most of the risk:
A sanctioned place to work
Provide an enterprise AI account and a shared environment where people can build, instead of leaving them to improvise on personal tools. The cost of a few licenses is trivial next to the cost of one data leak.
A few simple guardrails
Block external hosting of company data. Gate who can connect to live systems. Make the rules short enough that people actually remember them, instead of a 40-page policy nobody reads.
A request-and-train path
Give people an obvious way to say "I want to build something" and get a little help doing it safely. When the sanctioned path is easier than the workaround, people take it.
Notice that none of this is about controlling people. It's about making the safe option the convenient one. That's the whole game.
A readiness signal, not a problem
Here's the reframe worth sitting with. When your team is quietly building AI tools without being asked to, that isn't a discipline problem. It's information. It's telling you the organization is ready to move faster than its current setup allows, and that people will find a way to do it with or without you.
Treat it that way. Find out what's already being built, who's building it, and what data it touches. Most of the time you'll come away impressed by what people put together on their own — and grateful you found out before it became a headline instead of a footnote.
Key Takeaways
- Most companies have more ungoverned AI tools than they realize — built by good people trying to move faster.
- Banning AI doesn't stop the behavior; it pushes it onto personal devices where you lose all visibility.
- Three moves cover most of the risk: a sanctioned environment, a few simple guardrails, and an easy request-and-train path.
- Shadow AI is a readiness signal. Audit what's already being built before you decide how to respond.