Your team is already pasting client data into ChatGPT. Here's what to do this week.
by Sid
Let's start with the uncomfortable part: this is almost certainly already happening in your organization. Surveys consistently find that most employees paste company information into AI tools, and the large majority do it through personal accounts you don't control and can't see. Client names. Contract text. Financials. Patient details. Source code.
This is "shadow AI," and the instinct to respond by banning it is the one mistake that guarantees it continues — just further underground. Here's the calm version of what to actually do, in order, starting this week and before you spend anything on tooling.
Step 1: Find out, without blame
You can't manage what you can't see. Spend a week genuinely understanding what's happening — not to catch anyone, but to map reality. Which tools are in use? For what tasks? What kind of data is going into them?
The tone matters enormously. If people think they'll be punished, they'll hide it, and you'll be securing a fiction. Frame it honestly: "People are using these tools because they're useful. We want to make that safe, not stop it." You'll learn more in a week of amnesty than a year of policy.
Step 2: Separate the data, not the tools
The problem was never "AI tools." It's "sensitive data going somewhere you don't control." Those are different problems, and conflating them leads to bad bans.
Draw one clear line: what data is fine to put into a public AI tool (general questions, public information, non-sensitive drafting) and what absolutely is not (anything client-identifying, anything regulated, anything that's your competitive IP). Most teams have never been told where this line is, so they improvise — usually generously.
Step 3: Write the one-page policy people will actually read
Not a 14-page document that goes in a drawer. One page, plain language, that any employee can read in three minutes and remember:
- Here are the AI tools we approve, and what they're for.
- Here's the data you must never put into a public AI tool.
- Here's what to do when you're not sure (with a real name to ask).
- Here's why — so it reads as protection, not bureaucracy.
A policy people understand and follow beats a perfect one they ignore. Optimize for the former.
Step 4: Give them a safe alternative
This is the step most companies skip, and it's why their policies fail. If you take away the convenient tool and offer nothing in its place, people go back to the personal account — they just stop telling you.
The fix is to provide a sanctioned option: an approved tool with a proper business agreement, or — when the data is sensitive enough to warrant it — a private setup where the AI runs on infrastructure you control and nothing leaves your boundary. People follow the safe path when it's also the easy path. Make the right thing the convenient thing.
Step 5: Know where you stand legally
Under DPDP in India, GDPR in the EU and UK, and the sector rules you may answer to, "an employee pasted personal data into an AI tool" can be a reportable event. You don't need to become a compliance lawyer this week, but you do need to know your exposure: what data you hold, what rules apply, and what counts as an incident. That knowledge changes how urgently you treat steps 1–4.
The mindset shift
Shadow AI isn't an IT problem to be locked down. It's a signal that your people have found something genuinely useful and are reaching for it faster than your governance can keep up. The job isn't to slow them down. It's to give them a safe road that's at least as fast as the unsafe one they're already on.
If you'd like an outside read on where your data is actually going today, that's exactly what our free AI Exposure Check is — 30 minutes, and you'll know more about your real risk than most organizations ever do. When the answer calls for it, our Private & Secure AI work is the safe road in step 4.