
Shadow AI: Your Team Is Already Using AI You Never Approved

Your employees aren't waiting for permission to use AI, and some are pasting company data into tools you have no contract with. The danger isn't AI; it's the unapproved tool. You can get ahead of it without banning anything.

Trevor Spaniola · Founder & CEO · June 15, 2026 · 11 min read

Your team is already using AI. The question is whose.

Your people are using AI to write code, draft emails, summarize meetings, and clean up messy spreadsheets. That is happening today, with or without a policy, and most of it is actually useful. The open question is not whether they use AI. It is how much of that work runs through tools you have vetted and how much runs through personal or free accounts nobody told you about.

The numbers say the second pile is bigger than most leaders assume. About 78% of knowledge workers bring their own AI to work, and roughly 49% admit using AI tools without their employer's approval. Meanwhile only 40% of companies have bought official AI subscriptions, even though employees at more than 90% of organizations are actively using AI tools. The gap between "people using AI" and "AI we actually approved" is where the risk lives.

The scale of it

This is not a fringe behavior you can ignore. Independent datasets converge on the same picture: most of your team is using AI weekly, about half of them through tools you never signed off on, and most companies have not bought the official version of what their people already use. Assuming "our team doesn't do this" is almost certainly wrong.

The problem was never the pasting. It's the tool you don't have a contract with.

The common worry is that an AI "learns" your secrets and leaks them somewhere. That is not the real exposure, and chasing it sends you in the wrong direction. The same keystrokes can be perfectly fine or a real problem, and the only thing that changes between the two is authorization.

Picture an engineer pasting a chunk of source code into an AI tool. If that tool is a sanctioned enterprise account, with a data processing agreement in place and model training turned off, the data stays inside a relationship you can stand behind. That is the tool working as intended. The risk is dramatically lower and, more importantly, it is governable. Now picture the same paste into a free personal account. The data has left the building to a third party you have no contract with, no audit log into, and no way to pull it back.

Both look identical from across the room. One is normal work; the other is an unauthorized transfer of company data to an outside party. Authorization is the whole difference.

And the data going into these tools is exactly the data you would least want to lose. The share of information employees feed into AI tools that counts as sensitive has tripled in a few years, from 10.7% to 39.7%. It is not vague "confidential stuff" either. The most common sensitive categories showing up in prompts are source code at 26.5%, legal documents at 22.3%, and merger and acquisition material at 12.6%.

We have a clear example of how this goes wrong. In 2023, Samsung engineers pasted semiconductor source code, defect detection algorithms, and internal meeting notes into consumer ChatGPT across three incidents in 20 days. The tool was not the mistake. The unapproved, consumer-tier tool was. The fix Samsung reached for was a company-wide ban, which is one way to react, and we will come back to why it is rarely the best one.

You can't unsend it

Once company data lands in a tool you have no agreement with, two things are true at once: you cannot unsend it, and you cannot point to a contract that protects it. That is the part a ban-and-awareness email never fixes, because the data is already gone before anyone reads the email.

"Consumer" and "enterprise" are different products with the same logo

This is the mechanical heart of the whole topic, and most coverage skips it. The free or personal version and the business or enterprise version of the same brand are not the same product with a bigger price tag. They are legally different products that happen to share a logo.

The consumer tiers generally default to using your prompts to improve the model, with no data processing agreement protecting your company. The business and enterprise tiers contractually exclude your data from training and ship with a DPA you can put in your vendor file. So "authorized" is not a vibe or a feeling that a tool is reputable. It is a specific question: which tier, and which account.

Here is how the major providers line up. Vendor terms change often, so treat this as a starting point, not gospel.

| Provider | Consumer default (free / personal) | Business or enterprise terms |
|---|---|---|
| OpenAI (ChatGPT) | Training on by default; you must opt out in settings | Business, Enterprise, and API: not used to train models by default; DPA available |
| Anthropic (Claude) | Training on under the September 2025 consumer terms unless you toggle it off | API and enterprise: excluded from training; short log retention |
| Google (Gemini) | Consumer data may be used for model improvement unless you opt out | Gemini for Workspace enterprise: covered by the Cloud DPA; not used to train base models |
| Microsoft (365 Copilot) | Consumer Copilot on a personal account: different terms | M365 Copilot on a work or school account: not used to train the foundation models; data stays in your tenant |

Verify before you act

All four vendors update their privacy and data-use terms frequently. The lines above are accurate as of June 2026, but check the current terms yourself before you make a decision based on them. What was true last quarter may have changed.

There is a catch that trips up companies that think they have already solved this. Buying an enterprise license does not help if your people keep logging in with personal accounts. About 32.3% of ChatGPT usage at enterprise companies runs through personal accounts, and free-tier use is the majority even where licenses exist: roughly 63.8% of ChatGPT users and 75% of Claude users at enterprise companies are on non-enterprise plans. The license sits unused while the work happens on someone's logged-in personal account.

The cheapest fix is account hygiene

"Use the company account, not your personal one" is most of the battle. If you provision the enterprise tier and then make sure people actually sign in with it, you have closed the largest gap without buying anything new beyond a license for a tool your team already uses.

The unapproved tool can be the attack path, not just a leak

Pasting data is the obvious risk, but there are two blind spots beyond the chat window that matter just as much.

The first is connected tools. AI apps often ask to link into your Google or Microsoft accounts through an OAuth grant, which is the "allow this app to access your account" prompt you have clicked a hundred times. An unsanctioned app wired into your environment is not just reading data; it is a standing door into your accounts. About 51% of employees have connected AI tools to other work systems without IT approval.

This is not hypothetical. In early 2026, an incident at Vercel traced back to an employee who signed up for a consumer AI productivity tool called Context.ai using their corporate Google Workspace credentials, without IT approval. The employee granted that tool broad "allow all" permissions. Attackers then breached Context.ai's own infrastructure and stole the OAuth tokens of its consumer users, including that employee's. With the stolen token, they pivoted into Vercel's environment and accessed environment variables such as API keys and credentials. The unapproved tool was not a place data leaked into. It was the path in.
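One way to review the grants described above, as an added example that is not from the original article: it sorts third-party OAuth grants by whether the app was approved and how far its scopes reach. The record layout, client IDs, users, and app names are constructed assumptions; the scope strings are real Google OAuth scopes.

```python
# Added example: triage OAuth grants exported from an identity provider.
# Record layout, client IDs, users and app names are constructed.
SIGN_IN_ONLY = {"openid", "email", "profile"}
# Google scopes that give standing access to whole mailboxes, drives or calendars.
BROAD = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/calendar",
}
# Approved apps and the scopes that were actually reviewed for each (assumed).
APPROVED = {"approved-notes-client": {"https://www.googleapis.com/auth/drive.file"}}

GRANTS = [  # constructed sample data
    {"user": "dana@corp.example", "app": "NotesApp", "client_id": "approved-notes-client",
     "scopes": ["openid", "email", "https://www.googleapis.com/auth/drive.file"]},
    {"user": "eli@corp.example", "app": "NotesApp", "client_id": "approved-notes-client",
     "scopes": ["openid", "https://www.googleapis.com/auth/drive"]},
    {"user": "fay@corp.example", "app": "AI Meeting Helper", "client_id": "unknown-ai-client",
     "scopes": ["openid", "https://mail.google.com/", "https://www.googleapis.com/auth/drive"]},
    {"user": "gus@corp.example", "app": "AI Slide Maker", "client_id": "unknown-slides-client",
     "scopes": ["openid", "email", "profile"]},
]

RANK = {"unapproved-broad": 0, "scope-drift": 1, "unapproved-limited": 2,
        "unapproved-sign-in-only": 3}

def classify(grant, approved=APPROVED):
    """Return a verdict for one grant based on who the app is and what it can reach."""
    scopes = set(grant["scopes"]) - SIGN_IN_ONLY
    reviewed = approved.get(grant["client_id"])
    if reviewed is not None:
        # An approved app asking for more than was reviewed is its own finding.
        return "approved" if scopes <= reviewed else "scope-drift"
    if scopes & BROAD:
        return "unapproved-broad"
    return "unapproved-limited" if scopes else "unapproved-sign-in-only"

def triage(grants, approved=APPROVED):
    """List every non-approved grant, most urgent first."""
    findings = [(classify(g, approved), g["user"], g["app"]) for g in grants]
    findings = [f for f in findings if f[0] != "approved"]
    return sorted(findings, key=lambda f: (RANK[f[0]], f[1]))

if __name__ == "__main__":
    for verdict, user, app in triage(GRANTS):
        print(f"{verdict:24} {user:20} {app}")
```

The "scope-drift" verdict covers a case the approved list alone would miss: an approved app holding broader access than the scopes that were reviewed for it.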

The second blind spot is AI features baked into software you already own. Microsoft 365 Copilot, Gemini in Workspace, Notion AI, and Slack AI can all process company data, sometimes turned on by default, often without anyone running a security review first. The enterprise versions usually come with solid data terms, but those need to be confirmed and the features need to appear in your inventory. If you are reviewing the AI features inside your Microsoft 365 setup, our walkthrough of the Microsoft 365 settings most growing companies never turn on is a good place to start, since Copilot is one more switch to account for there.

Where unapproved AI lands on your compliance program

For most of our readers, two frameworks make this concrete: SOC 2 and the privacy laws (GDPR and CCPA). An AI tool that is not in your vendor inventory is a hole in the controls you have promised customers and auditors you have.

This is the "beyond the checkbox" problem in a new outfit. A SOC 2 report scoped before generative AI existed says nothing about the free ChatGPT account an employee opened last month. The audit confirmed you follow your own vendor rules; it never looked at the vendor you did not know you had. Linford & Co, a SOC 2 audit firm, reads the vendor management criterion (CC9.1) as directly implicated by shadow AI, because an AI tool processing your data is a vendor you are supposed to identify and assess. That is their analysis, and worth weighing; whether any single undeclared tool would actually qualify an audit opinion depends on materiality and your auditor, so do not assume shadow AI automatically fails your SOC 2.

On privacy law the obligation is more clear-cut. Under GDPR Article 28, you need a signed data processing agreement before a third party processes personal data on your behalf. A consumer AI account has no such agreement, so personal data going into one is a gap by definition. CCPA carries a parallel duty to disclose your service providers, and an undeclared AI tool is not on that list.

The cost is measurable. IBM's 2025 research found that shadow AI added about $670,000 to the average breach cost, and 97% of organizations that suffered an AI-related breach lacked proper AI access controls. The same study found 63% of breached organizations either lack an AI governance policy or are still building one. And these tools are not quick to find: separate research puts the median time to detect an unauthorized AI tool at 403 days. More than a year is a long time to be carrying a gap you have already certified you do not have.

What to do about it without banning AI

A ban feels decisive, but it mostly converts visible usage into invisible usage. People who cannot use a sanctioned tool route around the ban, and now you have lost the one thing you had going for you, which was the ability to see what is happening. The goal is not to stop AI. It is to turn unauthorized usage into authorized usage. Here is the sequence we recommend.

  1. Get visibility into what is actually in use. You cannot govern what you cannot see. Pull AI tool traffic from browser logs, SaaS management tooling, or your collaboration security data, and write down what your people are really using, not what you assume.
  2. Publish a one-page acceptable-use policy. Name the approved tools and spell out the prohibited use cases, like putting customer data, financials, or source code into a personal account. One page people will actually read beats a ten-page document nobody opens.
  3. Provision the enterprise tier of what they already use. If the team lives in free ChatGPT, give them ChatGPT Business. If they use Gemini, turn on Gemini for Workspace with the DPA in place. Remove the reason to go rogue.
  4. Put AI tools in vendor management. Any AI tool touching company data belongs in your vendor inventory with a risk assessment and a signed DPA, or confirmed enterprise terms that do the same job. This is the exact SOC 2 and GDPR gap an auditor or regulator is looking for.
  5. Run a short training, not a scare campaign. Teach the consumer-versus-enterprise distinction and the "use the company account" rule. Then audit the AI features already baked into your stack and confirm their enterprise terms.
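A sketch of steps 1 and 4 together, as an added example that is not from the original article: it reads web proxy log lines, counts distinct users per AI tool, and checks each tool against the vendor inventory. The log format (timestamp, user, host), the users, and the inventory contents are constructed assumptions.

```python
# Added example: compare AI tools seen in proxy logs with the vendor inventory.
from collections import defaultdict

# Hostnames of the consumer-facing apps for the providers the article names.
AI_DOMAINS = {"chatgpt.com": "ChatGPT", "claude.ai": "Claude",
              "gemini.google.com": "Gemini", "copilot.microsoft.com": "Copilot"}

# Constructed inventory: which tools are on file and whether a DPA is signed.
VENDOR_INVENTORY = {"ChatGPT": {"dpa_signed": True}, "Gemini": {"dpa_signed": False}}

SAMPLE_LOG = """\
2026-06-01T09:14:02Z alice@corp.example chatgpt.com:443
2026-06-01T09:15:40Z bob@corp.example claude.ai:443
2026-06-01T09:16:11Z Alice@corp.example claude.ai:443
2026-06-01T09:20:05Z carol@corp.example gemini.google.com:443
2026-06-01T09:21:30Z bob@corp.example www.example.org:443
malformed line
"""  # constructed sample, not real traffic

def tool_for(host):
    """Map a logged host (optionally host:port) to an AI tool name, or None."""
    host = host.split(":")[0].lower().rstrip(".")
    for domain, tool in AI_DOMAINS.items():
        # Match the domain or a true subdomain, never a lookalike suffix.
        if host == domain or host.endswith("." + domain):
            return tool
    return None

def inventory_gaps(log_text, inventory=VENDOR_INVENTORY):
    """Return {tool: {"users": n, "status": ...}} for every AI tool seen."""
    users = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip lines that do not fit the assumed format
        tool = tool_for(parts[2])
        if tool:
            users[tool].add(parts[1].lower())
    report = {}
    for tool, seen in users.items():
        entry = inventory.get(tool)
        if entry is None:
            status = "not in vendor inventory"
        elif not entry["dpa_signed"]:
            status = "in inventory, no DPA"
        else:
            status = "in inventory, DPA on file"
        report[tool] = {"users": len(seen), "status": status}
    return report
```

A hostname is the same for a personal login and the company workspace, so this report shows which tools are in use and missing from the vendor file, not which account each person signed in with.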

One caveat. If you handle regulated data such as healthcare or payment information, some tools warrant a firm prohibition rather than just governance, because the consequence of a single bad paste is too high to manage with a policy alone. For most general business data, though, a governed list beats a ban every time.

The thing to remember

Give your people a good, authorized tool and govern the list of what is allowed. Do not pretend you can stop them from using AI. The companies that get ahead of this build a path their team is happy to use, so nobody has a reason to slip out the side door.

The honest version

Shadow AI is not a story about employees doing something reckless or about AI being dangerous. It is a story about authorization. The same paste is fine in a tool you have a contract with and a problem in one you do not, and the work is simply making the approved path the easy one. Visibility, a real policy, the enterprise tier of what people already use, and those tools in your vendor file. That is the whole job.
