Right now, people in your business are using AI tools you have not approved, on data you cannot control, with no policy in place to manage the exposure. That is shadow AI — and it is probably happening at scale.
Shadow AI is what happens when employees use AI tools — ChatGPT, Claude, Gemini, Copilot, Midjourney, and hundreds of others — without any organisational knowledge, authorisation, or governance framework in place.
It is the AI equivalent of shadow IT: the personal Dropbox account someone uses to move files, the WhatsApp group that replaces the approved project management tool. Except the consequences are potentially far more serious, because AI tools do not just store data — they process it, learn from it (in the case of free-tier services), and generate outputs that may be indistinguishable from official business advice.
The typical shadow AI scenario looks like this: a marketing manager pastes a client brief into ChatGPT to speed up copywriting. A finance analyst feeds a spreadsheet of supplier contracts into an AI model to extract key terms. A solicitor's paralegal uses a free AI tool to draft sections of a legal memo. None of these actions are malicious. In fact, they are all completely understandable — the employee is trying to do their job better. But each one creates a risk that the business has not assessed, consented to, or mitigated.
ChatGPT's free tier is genuinely good. There is no friction. Employees do not need IT approval, a budget code, or a training day. The value is immediate. Of course they use it.
In most SMEs, procuring and deploying an approved enterprise AI tool takes weeks or months. Employees do not wait. They find their own solution, and by the time the approved tool arrives, habits are already formed.
Most businesses have not written an AI use policy. If there is no rule against it, and it makes the work easier, why would an employee think twice? The absence of governance is itself a governance failure.
In many organisations, senior leaders are the first to adopt AI tools informally. This creates implicit permission. If the CEO is using an AI assistant without a data processing agreement, it is unrealistic to expect junior staff to behave differently.
Employees who have found an AI tool that saves them hours per week are unlikely to report it for fear that the tool will be banned — and they will be expected to produce the same output in more time.
Most employees genuinely do not know that pasting client data into a free AI service is a potential GDPR violation. The risk education has simply not happened because the broader AI governance conversation has not happened.
When an employee inputs personal data — names, contact details, financial information, health data — into a free AI tool, that data is processed by a third party. Under UK GDPR, you need a lawful basis for that processing, a data processing agreement with the tool provider, and in many cases an updated privacy notice. Free-tier AI services typically do not provide the DPAs required for legitimate business processing of personal data. The ICO has already signalled that AI-related data breaches are a priority enforcement area.
If you are a professional services firm — legal, financial, accountancy, consulting — your duty of client confidentiality is non-negotiable. The moment client information enters an unauthorised AI tool, you have potentially breached that duty, regardless of whether the information is ever actually seen by a third party. The breach is the act of processing, not the consequence.
Businesses operating in regulated sectors — financial services, healthcare, legal — may have sector-specific obligations that shadow AI directly violates. FCA-regulated firms, for example, have obligations around data governance that shadow AI use can contravene. This is not a theoretical risk: regulators are actively examining how AI fits within existing compliance frameworks.
AI tools trained on your proprietary data — strategies, processes, client lists, pricing models — may use that information to improve their models or generate outputs for other users. Even where this is not the explicit mechanism, the legal exposure around IP and trade secrets entering third-party AI systems is unresolved and potentially significant.
If a claim arises and your insurer discovers that the relevant advice, document, or analysis was generated by an unsanctioned AI tool outside your quality and compliance framework, they may have grounds to contest the claim. This is an emerging and underappreciated risk.
Each of these risks exists in isolation. Combined with a culture of unreported AI use, no policy, no training, and no audit trail, they create a compounding exposure that grows with every month you do not address it. The businesses most exposed are often the ones most actively using AI — because their culture encourages adoption but has not yet built the governance to match.
Detection is not about surveillance or punishing employees. It is about establishing an honest baseline so you know what you are actually governing. Here are the four most practical approaches for a UK SME:
A simple anonymous survey asking which AI tools staff use, how often, and for what types of task will typically reveal 3–5 times more usage than you expect. Frame it as a capability-discovery exercise, not an audit — you will get far more honest responses.
With appropriate legal basis and employee notice, your IT team or provider can review network traffic for connections to known AI service domains (openai.com, anthropic.com, gemini.google.com, etc.). Browser history reviews — again, with proper legal basis — can supplement this. In a business context, this is permissible under UK employment law provided policies are in place and employees have been notified.
Walk through the five or ten highest-value repeatable processes in your business and ask: where could AI plausibly be inserted here? Where there is an obvious opportunity, there is a reasonable chance someone has already taken it. Focus your investigation there.
AI-generated content has recognisable patterns — particularly in written output. A review of recent reports, client communications, or internal documents can identify probable AI use. This is not definitive, but it can flag areas for deeper investigation.
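The network-traffic approach above can be turned into a repeatable baseline check. The following is an added example, not code from the article or from Ignite: it scans constructed proxy log lines for connections to a watchlist of AI service domains and tallies them per user, so the output feeds the honest baseline rather than a case against anyone. The log format and the watchlist are assumptions; the three domains are the ones the article names.

```python
"""Added example (not from the article): build a shadow-AI usage
baseline from proxy logs by matching destinations against a watchlist
of AI service domains. Log format and watchlist are assumptions."""
from collections import Counter, defaultdict

# Assumed watchlist; the three domains are the ones the article names.
AI_DOMAINS = {
    "openai.com": "ChatGPT / OpenAI",
    "anthropic.com": "Claude / Anthropic",
    "gemini.google.com": "Gemini",
}

# Constructed sample proxy lines: "<timestamp> <user> <destination host>".
SAMPLE_LOG = """\
2024-05-01T09:02:11Z alice chat.openai.com
2024-05-01T09:05:40Z alice api.openai.com
2024-05-01T09:10:02Z bob intranet.example.local
2024-05-01T09:14:03Z bob api.anthropic.com
2024-05-01T09:20:17Z dave notopenai.com
2024-05-01T09:21:00Z erin gemini.google.com
2024-05-01T09:22:30Z erin mail.google.com
malformed line
"""

def match_ai_service(host):
    """Return the service label for host, or None if it is not listed.
    Matches the domain itself or any subdomain, so api.openai.com counts
    but the look-alike notopenai.com does not."""
    host = host.lower().rstrip(".")
    for domain, label in AI_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return label
    return None

def baseline(log_text):
    """Count connections to each AI service per user: {user: Counter}."""
    usage = defaultdict(Counter)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of guessing fields
        _timestamp, user, host = parts
        label = match_ai_service(host)
        if label:
            usage[user][label] += 1
    return dict(usage)

if __name__ == "__main__":
    for user, services in sorted(baseline(SAMPLE_LOG).items()):
        print(user, dict(services))
```

Exporting DNS or proxy logs in this three-field shape, or adapting the split in `baseline`, is all that is needed to run it against real data; the watchlist needs the same review cycle the article recommends for the policy, since new tools appear every month.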
Assume shadow AI is already happening. Commission an honest audit using the detection methods above. The goal is a complete picture of current tool use, not a compliance exercise. Communicate to staff that the aim is to support them better, not to penalise.
Your AI use policy needs to define: which tools are approved, for which purposes and data classifications, what is prohibited, how outputs must be reviewed, and who is responsible for governance. It does not need to be a hundred-page document. A clear, two-page policy that people will actually read is worth more than an exhaustive document no one opens. See our AI Governance Blueprint for a starting framework.
People use shadow AI because there is no approved alternative. If you ban the tools without providing a better one, you push the behaviour underground. The solution is to provide a governed, enterprise-grade AI environment — one where employees can access AI capability without the data risk. This is precisely what Claude built for your business provides.
Policy and tools without training will fail. People need to understand why the risks are real, not just be told rules exist. This means practical training on AI capabilities, limitations, and responsible use — not a one-hour video module from 2023. Training should be role-specific: what the finance team needs to know is different from what the marketing team needs to know.
Shadow AI is not a problem you solve once. New tools emerge every month. Staff turn over. The policy needs a review cycle. Governance needs an owner. And your leadership team needs enough AI literacy to make informed decisions about what to approve and what to prohibit. This is not an IT function — it is a leadership accountability.
Shadow AI refers to the use of AI tools — such as personal ChatGPT, Claude, or Gemini accounts — by employees for work purposes without the knowledge, authorisation, or oversight of their organisation. It mirrors the older concept of shadow IT but introduces unique risks around data training, confidentiality, and regulatory compliance.
Shadow AI is not inherently illegal, but it frequently creates GDPR violations. When employees input personal data, client information, or commercially sensitive content into free-tier AI tools, that data may be used to train the model. This constitutes unlawful processing under UK GDPR if no data processing agreement is in place and no lawful basis exists.
Surveys consistently show that 40–60% of employees in knowledge-work roles are using AI tools their employer has not sanctioned. The majority do so because sanctioned tools either don't exist, are too slow to procure, or are seen as less capable than the free tools they can access immediately.
Detection approaches include: reviewing browser history and network traffic logs for known AI domains; surveying staff anonymously about their tool use; analysing productivity anomalies that suggest AI-assisted output; and conducting a process audit to identify where AI could plausibly be used in existing workflows.
An AI governance policy defines which tools employees are permitted to use, for what purposes, with what data classifications, and under what oversight. Any UK SME with more than 10 employees actively using AI — or likely to be doing so without oversight — needs one. It is also a prerequisite for ISO 42001 alignment and a signal of responsible AI culture to clients and regulators.
Yes. If an employee uses an unsanctioned AI tool to generate client-facing advice and that advice is wrong, your insurer may challenge a claim on the grounds that the output was not produced within your documented quality and compliance processes. This is an emerging risk that most SME leadership teams have not yet factored in.
The Ignite AI Governance Blueprint gives you the policy framework, data classification approach, and governance structure to eliminate shadow AI risk — built for UK SMEs, not enterprise legal teams.