AI is already inside many organisations — whether it has been formally approved or not
- Stephen Oke

- 5 days ago
Staff are using AI tools to summarise documents, draft emails, analyse data, write code, prepare presentations and solve day-to-day problems.
That is not necessarily a bad thing. The risk is when this happens in the shadows.
UK Government research suggests only 1 in 6 UK businesses formally use AI, yet Microsoft research found 71% of UK employees have used unapproved consumer AI tools at work. That gap is where “shadow AI” becomes a cyber and governance issue.
If an organisation does not provide clear guidance, people will still find ways to use the tools. But they may upload sensitive information, rely on unverified outputs, bypass normal approval processes or create records that nobody knows exist.
This is not just a technology issue. It is a governance issue.
The starting point should not be “ban AI” or “buy an AI security product”.
It should be:
What tools are people already using?
What data are they putting into them?
What are they relying on the output for?
Who has approved the use?
What guidance has been given?
AI can bring real benefits, but only if organisations understand how it is being used and set sensible boundaries.
As with much of cyber security, the first step is visibility.
You cannot govern what you cannot see.

