30/04/2026
Shadow AI is already inside your business
Shadow AI is already happening inside your business. The question isn't whether to let AI in — that ship has sailed. It's whether you want to govern it or pretend it isn't happening.

Your controller pasted last month's payroll data into ChatGPT to build an overview for the board meeting.
Your salespeople are using Gemini on a personal account to polish quotes before they go out.
Your customer service lead let a GPT read through the entire complaint archive looking for patterns.
None of them asked you first.
That's what people mean by shadow AI: employees using AI tools on their own, without IT or leadership knowing, often with data that wasn't supposed to leave the building.
The numbers vary, but in most SMBs I talk to it's widespread. The ones who think it isn't happening usually haven't asked.
The interesting part is why it happens.
It isn't because employees are reckless. It's because the job demands it, and the official tools are either missing, not turned on, or too heavy to actually use. So they find their own way.
That's human — and it also says quite a lot about how little friction today's AI tools have compared to the IT projects of the last twenty years.
As the managing director of a 30-person company, you've effectively got two bad choices and one good one.
The first bad choice is pretending it isn't happening. The data keeps leaking, and you're the last to find out — probably the day your auditor asks a question.
And it isn't just a data security question. When an employee pastes customer data or personal information into ChatGPT on a personal account, the company — as data controller — has likely breached GDPR. There's no data processing agreement with the provider, no documented legal basis, and often a US-based provider on top.
Datatilsynet (the Norwegian Data Protection Authority) has been clear on this. The employee isn't the one who gets the fine — the company is.
The second bad choice is banning it. That doesn't work. People use their phones on the way home from work. You've only moved the problem out of sight — and at the same time you've said no to the productivity gain AI does give on simple, boring tasks.
The third choice is to govern it. It sounds dry, but for an SMB it's surprisingly simple:
- Use what you already pay for. If you're on Microsoft 365, you probably have Copilot available. That keeps the data inside your own tenant instead of on a personal account. Same with Google Workspace and Gemini. Not always the best tool for every task, but the safest starting point.
- Write a simple policy. Not a twenty-page document. One page that says what's fine (drafts, summaries, translation), what isn't (customer data, payroll, tenders, anything under NDA), and which tools are recommended. That policy is worth more than nothing, and it costs you one afternoon.
- Name one person who owns it. In a 30-person company that doesn't have to be an IT lead — it can be you, or whoever in the company is already experimenting most with these tools. The point is that someone is responsible for updating the policy and answering questions.
The question you need to ask isn't "should we let AI into the business".
That ship has sailed.
The question is whether you want to know what's actually happening in your own company, or whether you'd rather leave it to employees to figure out alone — with the data security that implies.
Start with Copilot or Gemini if you already have them. Write a simple policy. Name one person.
Most of the risk is gone within a week.

Roger Agerup
Founder and AI advisor