Shadow AI Is Already in Your Business. Here’s What to Do About It

Quick answer: Shadow AI is the use of unapproved consumer AI tools, like personal ChatGPT or Gemini accounts, by employees at work, without the business’s knowledge or any rules around what data can be shared. Microsoft’s UK research found that 71% of UK employees have used unapproved AI tools at work, and 51% do so weekly. The fix is not a ban. It’s an approved AI tool, a simple data-handling policy, and a 30-minute staff briefing.

If someone on your team used AI today, would you know which tool they used or which company data they pasted into it?

For most SME owners, the honest answer is no. This is the problem we call Shadow AI.

What is Shadow AI?

Shadow AI is when employees use consumer AI tools at work that the business hasn’t approved, secured, or even noticed. It’s the AI equivalent of staff signing up for random free software with their personal email, except this time, the “software” is something they might be pasting customer lists, contracts, or financial figures into.

Microsoft’s UK research on workplace AI use puts numbers on it:

  • 71% of UK employees have used unapproved consumer AI tools at work
  • 51% use them weekly
  • 22% use them for finance-related tasks

That last figure is the sleeper risk. AI helping to draft an email is one thing. AI being handed customer financial details is another.

Shadow AI statistics - 71% of UK employees use unapproved AI tools at work

Why do employees use unapproved AI tools?

Not because they’re reckless. The research found two main reasons:

  • 41% use the same tools in their personal life, so it’s natural to reach for them at work
  • 28% say their company simply doesn’t provide a work-approved alternative

In other words, Shadow AI is usually a leadership gap, not a staff problem. Your team is trying to work faster than the business has allowed for. That’s actually a positive signal; employees using AI report saving an average of 7.75 hours per week on admin tasks. The goal is to capture that upside safely, not switch it off.

What are the risks of Shadow AI for a small business?

The core risks are:

  1. Data leakage. Consumer AI tools may use what you type to train future models. Once customer data, employee data, pricing, or past contracts have been pasted into a personal ChatGPT account, they are effectively out the door.
  2. Compliance exposure. If personal data is entered into an unapproved tool, you may face a UK GDPR issue and a difficult conversation with the ICO.
  3. No audit trail. If something goes wrong, you can’t see what was shared, when, or by whom.
  4. The awareness gap. Only 32% of employees in Microsoft’s research were concerned about the privacy of company or customer data entered into consumer AI tools. Most people genuinely don’t realise it’s a risk.

How do you stop Shadow AI? (Hint: don’t ban it)

Banning AI just drives it further into the shadows; people will use it on their phones instead. A sensible response has three parts:

1. Provide an approved option

For most SMEs on Microsoft 365, that’s Copilot Chat (included with Business Premium licensing) or Microsoft 365 Copilot. It sits inside your existing Microsoft security boundary, and your data isn’t used to train public models.

2. Publish simple data rules

We recommend a three-tier traffic light system that staff can actually remember:

  • 🟢 Green (OK): public information, generic templates, rewriting, brainstorming
  • 🟠 Amber (check first): internal process notes, non-sensitive numbers, policy drafts
  • 🔴 Red (never): customer data, employee data, pricing models, passwords, contracts, anything confidential

Traffic light data classification system for AI usage - green, amber, red

3. Make it easy to ask

Give people a channel to ask, “Is this OK?” without getting told off. Culture beats policy documents every time.

A 7-day Shadow AI mini-audit for SMEs

If you want a practical starting point this week:

  • Days 1-2: Ask managers what AI tools people are actually using (no blame)
  • Day 3: Pick and publish an approved toolset
  • Day 4: Publish the Green/Amber/Red rules
  • Day 5: Run a 30-minute staff session with Q&A
  • Days 6-7: Set up a simple “AI questions” channel and add AI to onboarding

You’ll reduce risk while keeping the productivity upside.

7-day Shadow AI mini-audit timeline for SMEs

The bottom line

AI is already in your business. You either provide a policy and guardrails, or you unthinkingly carry the risk. A simple policy and sensible platform choices are far cheaper than a data breach or a conversation with the ICO.

Bruce is running a free webinar on AI for SMEs on 25 June. Register here to join live.

Download our free AI usage policy template

A one-page policy you can adapt for your business in under 15 minutes. No jargon, no fluff.

Frequently asked questions

What is Shadow AI in simple terms?

Shadow AI is when staff use AI tools at work that the business hasn’t approved or secured, typically personal ChatGPT, Gemini, or similar accounts, often pasting in company information without realising the risk.

Is it illegal for employees to use ChatGPT at work?

No, it’s not illegal in itself. But if employees enter personal data (customer or staff details) into a consumer AI tool, your business could breach UK GDPR. The legal risk sits with the business, not the employee.

Should my business ban ChatGPT and other AI tools?

Generally no. Ban AI on work machines and staff simply switch to their personal phones, which then become an unmonitored conduit between your company data and consumer AI tools, with zero visibility for you. It’s more effective to provide an approved tool, set clear data rules, and train staff on what can and can’t be shared.

What’s the safest AI tool for a small business to use?

For businesses already on Microsoft 365, Copilot Chat or Microsoft 365 Copilot is usually the safest starting point, because it operates within your existing Microsoft security and compliance boundaries, and your prompts aren’t used to train public models. Businesses that want their teams to use multiple AI models (Claude, Gemini, ChatGPT) safely are increasingly looking at AI gateways, a single controlled, logged route through which all AI traffic passes.

How do I write an AI usage policy for my business?

Keep it to one page: name the approved tools, set out what data is Green, Amber, and Red to share, explain that AI output must be checked by a human before use, and tell staff where to ask questions. A policy nobody reads is no policy at all.

How common is Shadow AI in the UK?

Very. Microsoft’s UK research found 71% of employees have used unapproved AI tools at work, and analysts at Gartner predict that 40% of enterprises will experience Shadow AI-related security incidents by 2030.

Bruce Skinner is CEO of Alto, a proactive IT and cybersecurity partner for UK SMEs. If you’d like help choosing an approved AI platform or writing an AI usage policy your team will actually follow, get in touch.
