You Don’t Need to Ban AI. You Need a Shortlist.

Quick answer: Banning AI at work doesn’t work. Staff just move it onto their phones, where you have zero visibility. The fix is a short list of approved tools matched to actual tasks, a data rule that says what can never go near them, and the technical controls to make the list stick on company devices. A policy nobody enforces is just a suggestion.

You’ve picked your approved AI tools. You’ve published a data policy. Job done, right?

Not quite. A shortlist on a page is a good start. A shortlist nobody can bypass is a policy that actually works.

Pick the tool for the task, not the tool that’s trending

The businesses getting real value from AI right now aren’t the ones chasing every new launch. In a recent employer roundtable on workplace AI adoption, the pattern that came up again and again was simple. Match the tool to the task, and stick with a small set of tools you actually know well.

Copilot for teams already living inside Microsoft 365 (we cover how to use AI and Copilot safely in a separate post). Claude for close analysis work. Gemini for teams that already use Google by default. None of these choices was about brand loyalty. They were about which tool did that specific job well, without staff spending half their week evaluating whatever launched that month.

For an SME, that translates into a simple rule. Don’t try to give your team access to everything. Give them two or three tools that cover the tasks they actually do, and get good at using those.

Business choosing approved AI tools from a curated shortlist

The guardrail is the data, not the app

Here’s the part most businesses get backwards. The risk was never really about which AI app someone opens. It’s about what they type into it.

A well-built AI policy doesn’t need to ban personal AI accounts outright. Using a personal ChatGPT account to draft a LinkedIn post from public information is low risk. Using that same account to draft a client proposal with real figures in it is not. The tool is identical in both cases. The data is what changes the risk.

That’s why we recommend the same traffic light rule we cover in our AI usage policy template.

  • 🟢 Green (OK): public information, generic templates, brainstorming
  • 🟠 Amber (check first): internal notes, non-sensitive numbers, draft policy work
  • 🔴 Red (never): customer data, employee data, pricing, passwords, contracts, anything confidential

Staff can hold that rule in their head. A forty-page policy document, they can’t.

A shortlist without enforcement is just a suggestion

This is the bit most SMEs miss, and it’s the reason Shadow AI creeps back in even after a policy gets published.

You can approve Claude for your team, and someone will still sign up for a personal Claude account within a week. You can leave DeepSeek off the list entirely and someone will still install it, or try an AI note-taking app you’ve never heard of, because it looked useful on their phone. Publishing the list doesn’t stop any of that on its own.

On company-owned devices, you can actually make the shortlist stick using tools you likely already have in your IT stack.

Application allow listing tools like ThreatLocker let you control exactly which software and AI apps are permitted to run on a company machine, and block everything else by default, rather than trying to block every new tool as it appears.

Web content filtering and firewall rules let you block access to unapproved AI sites and categories at the network level, so an unapproved tool simply won’t load on a work connection.

Mobile application management and mobile device management, through platforms like Microsoft Intune, let you control what apps can be installed on company-owned phones and tablets, keeping the shortlist consistent across laptops and mobile devices alike.

Used together, these give you a genuine technical backstop behind the policy, not just a document staff are trusting to remember.

Technical enforcement controls protecting company devices with firewall and application allow listing

Be honest about the limits

None of this stops someone from using a personal AI tool on their own phone, on their own data plan, outside work hours. That was never a technical problem to solve. It’s a culture and awareness problem, and it’s exactly why the data rule matters more than the app rule. You can’t put a firewall around someone’s own phone. You can make sure they understand what should never be typed into any AI tool, company-approved or not.

One category worth watching

A newer type of AI tool is starting to appear, and it deserves caution rather than a green light just yet. Agentic AI browsers, the kind that can click through pages, fill in forms, and take actions on a website on a user’s behalf, are increasingly capable but carry a risk most SMEs haven’t had to think about before. A malicious or compromised web page can hide instructions inside its content that the AI reads and follows without the user ever seeing them, a technique known as prompt injection. Until the guardrails around this category mature, we’d treat these tools as red rather than adding them to an approved list, no matter how impressive the demo looks.

Building your own shortlist

Your list doesn’t need to be long. It needs to cover the tasks your team actually does, day to day: drafting, meeting notes, research, proofreading, presentation design, and nothing more exotic than that.

We’ve put together a starting template covering the categories most SMEs need: everyday writing assistants, voice and note-taking tools, AI-powered research, and design tools, each with a note on what it should and shouldn’t be used for. Add to it, remove from it, and make it yours.

Building an AI tools shortlist with policy checklist and team guidelines

The bottom line

A shortlist tells your team what’s allowed. Enforcement tells your business it’s actually happening. Do both, and you keep the productivity gains of AI without the risk of no one knowing what’s really being used.

Download our free Recommended AI Tools template

A ready-made shortlist covering the AI tools most SMEs need, with approved uses and account rules. Customise it for your business in minutes.



We’ll send you the template straight away. You can unsubscribe at any time.

Join our free webinar: “AI Is in Your Business Whether You Like It or Not”

Find out how to take control of AI in your workplace, with practical steps you can act on straight away.

Frequently asked questions

Do small businesses need to ban AI tools?

No. Banning AI tools at work pushes usage onto personal phones where the business has no visibility or control at all. The more effective approach is an approved shortlist paired with technical enforcement on company devices.

How many AI tools should a small business approve?

Two or three tools covering the tasks staff actually do is usually enough. A shortlist that maps to real tasks like drafting, meeting notes, and research works better than a long list of tools nobody has time to learn properly.

Should I choose Copilot, Claude, ChatGPT, or Gemini?

The right choice depends on the task rather than the brand. Copilot suits teams already running on Microsoft 365, Claude is often preferred for close analysis work, and Gemini fits teams already using Google Workspace.

How do you stop staff using unapproved AI tools on work laptops?

Application allow listing tools such as ThreatLocker can block any software or AI app that isn’t on an approved list by default, rather than trying to blacklist every new tool as it appears.

Can you block AI websites on a company network?

Yes. Web content filtering and firewall category rules can prevent unapproved AI sites from loading on a work connection, giving a technical backstop behind a written policy.

How do you control which AI apps are on company phones?

Mobile device management and mobile application management, through platforms like Microsoft Intune, let a business control which apps can be installed on company-owned phones and tablets.

Can you stop employees using personal AI accounts?

Not fully, and trying to block personal devices outright isn’t realistic. The safeguard that actually works is a clear rule about what data should never be typed into any AI tool, company-approved or personal.

What’s the difference between an AI usage policy and an AI tools list?

An AI usage policy sets the rules for what data is safe to share with AI tools. A tools shortlist names the specific approved apps allowed under those rules. A business needs both, and they should reference each other.

What data should never be entered into an AI tool?

Customer data, employee data, pricing information, passwords, and contract details should never go into a consumer AI tool. A simple green/amber/red system helps staff remember this without needing to read a long policy document.

Is Shadow AI a security risk for small businesses?

Yes. Shadow AI, meaning unapproved AI tools used without business oversight, creates data leakage risk, GDPR exposure, and no audit trail of what was shared or by whom.

Are AI browser agents safe for business use?

Not yet, for most small businesses. Agentic AI browsers that click through pages and take actions on a user’s behalf can be manipulated through prompt injection, where hidden instructions on a malicious webpage are followed by the AI without the user seeing them.

What is prompt injection?

Prompt injection is when hidden instructions embedded in content, such as a webpage, cause an AI tool to take an unintended action. It’s a growing concern for AI browser agents specifically, since they can click links and fill in forms based on what they read.

Bruce Skinner is CEO of Alto, a proactive IT and cybersecurity partner for UK SMEs. If you’d like help building an AI tools shortlist your team will actually stick to, get in touch.

Recent case studies

Cloud Machine Management

Cloud Machine Management

We worked with Aberdeen oil service company, Unity Well to migrate the management of their devices from on-site infrastructure to Microsoft’s cloud based Azure Active…
Read more
Sharepoint Data Migration

Sharepoint Data Migration

We completed a data migration project for an Aberdeen engineering company, Caledonia Services. We migrated their corporate data from on-site infrastructure to cloud based storage…
Read more

Discover Hidden Gaps in Your IT Security

✓ Takes 3 minutes ✓ No obligation ✓ Instant results
Get a comprehensive analysis of your IT infrastructure and security posture. See exactly where you're vulnerable and how much it's costing your business.