Most mid-market companies start their AI strategy conversation with a presentation, a committee, and a list of tools to evaluate. What rarely comes up is the more immediate question: what are employees already using? By the time the first steering committee convenes, there is a reasonable chance that client names, financial figures, and internal documents are sitting in the conversation history of a free ChatGPT account, a personal Claude session, or whatever AI tool someone on the team discovered and found useful months ago.
Here is what to do about it.
What shadow AI actually is
Shadow AI is the use of AI tools that have not been reviewed, approved, or provisioned by the organization. The term follows the same logic as unsanctioned software adoption from the cloud era: employees find useful tools and adopt them without waiting for formal approval, and the adoption outpaces whatever governance process the organization has in place, if one exists at all.
What makes shadow AI different from earlier patterns of unsanctioned software is the nature of what gets exposed. When someone used a personal file-sharing account to send a document, the risk was largely contained to that file. When someone uses a free AI account to draft an email or summarize a meeting, the interaction can include sensitive context the employee did not consciously flag as confidential: a client name embedded in a sample, internal financial figures used as background, a personnel situation framed in passing.
Most employees doing this are not acting carelessly. They are solving a real problem with available tools because their organization has not given them a better option. The problem is not intent. The problem is that the organization has no visibility into what is moving across those sessions, no way to contain an incident if one occurs, and no policy that clearly establishes what is and is not acceptable. That is the starting condition at most mid-market companies today.
Why mid-market companies carry more of this risk
Large enterprises typically have controls that give them at least some visibility into unsanctioned software adoption: Cloud Access Security Broker tooling, Data Loss Prevention policies, a dedicated security function that monitors SaaS traffic patterns, and a compliance team that notices when something falls outside the approved stack. Small businesses have fewer of those controls but also a smaller surface area of sensitive data.
The mid-market sits between both. A 200-person company typically has complex client relationships, sensitive financial data, proprietary processes, and employee information, all of which can find their way into an AI conversation. That same company likely has a lean or nonexistent security function, no formal CASB deployment, and a culture of self-sufficiency where the fastest way to solve a problem is to find whatever tool gets the job done.
That culture is an asset in most contexts. In this one, it creates a gap. Employees are resourceful, AI tools are free and genuinely useful, and the path of least resistance is a personal account. The mid-market organization ends up with all the productivity behavior and none of the administrative visibility, data governance, or policy infrastructure that would let it manage what is actually happening. Without intervention, shadow AI at this scale is not an edge case. It is the default operating state.
What detection actually looks like in practice
The most direct way to understand how much shadow AI is in your organization is to ask. A short, no-blame survey asking employees what tools they currently use for work tasks, including AI tools they found on their own, typically surfaces more than any technical scan. Employees who are solving real problems with available tools will generally tell you if the framing is practical rather than punitive. Frame it as an inventory exercise, not an audit, and the response rate will be useful.
Technical detection adds specificity but has real limits. If your organization uses Microsoft Defender for Cloud Apps or a similar network visibility tool, you can see that traffic went to chat.openai.com or claude.ai, and you can see the volume and frequency. What you cannot see from a network log is the content. Unless your organization deploys an endpoint agent or a forward proxy configured to inspect encrypted traffic, the content of those sessions is opaque and will remain so.
That distinction matters for how you frame the problem. Finding out that employees are using AI is a governance question and a relatively quick one to answer. Finding out what specific data moved through those sessions is a different, more invasive undertaking. Starting with the survey gives you the behavioral picture. Network data, if available, confirms usage patterns. Together they tell you what you are actually dealing with before you decide how to respond.
Why a blanket ban almost always backfires
When leaders discover shadow AI in their organization, the first instinct is often to shut it down: block the domains, send a policy memo, and consider the problem addressed. This almost never works and in most cases makes the situation harder to manage.
A blocked corporate network domain tells employees that ChatGPT is unavailable at the office. It does not remove their phones. It does not stop them from working at home or at a coffee shop. The actual result is that usage continues, but now it is entirely invisible to the organization. A blocked domain is not a solved problem. It is a problem that moved out of sight.
| Approach | What employees do | Data exposure | Enforcement reality | Net result |
|---|---|---|---|---|
| Blanket ban | Use AI on personal devices and phones | Continues, invisible to the org | Impossible to enforce off-network | Problem hidden, not solved |
| No policy (status quo) | Use whatever is available, no guidance | Continues, invisible to the org | Nothing to enforce | Same outcome as a ban |
| Sanctioned tool + clear policy | Use the approved tool for most tasks | Contained in-tenant, admin visibility | Realistic, because employees have a usable option | Controlled, visible, manageable |
The gap between a blanket ban and a sanctioned alternative is not a policy gap or an enforcement gap. It is a visibility and control gap. The organization that deploys an approved AI tool and communicates a clear policy can see what is happening, respond to incidents, and actually get compliance because employees have a real option they are willing to use.
Give your team a sanctioned alternative that actually works
The alternative to banning is not permitting everything. It is giving employees a good-enough enterprise AI option and making the approved path easier than the workaround.
The enterprise-tier options have matured. Microsoft 365 Copilot integrates directly into the Microsoft 365 applications most mid-market companies already use and keeps all prompts and responses within the Microsoft service boundary. Claude for Work, Anthropic's business offering, provides comparable data handling commitments with no model training on organizational data by default. Google's Workspace AI features offer similar controls for Google-centric environments. Any of these is meaningfully better than a free consumer account from a data governance standpoint.
What "sanctioned" means in practice comes down to three things: data handling commitments the organization can verify, no model training on company data by default, and administrative controls that give someone in the organization actual oversight of what is happening. A consumer account has none of these. An enterprise account has all three.
The right tool depends on your existing software stack, your budget, and what problems employees were actually trying to solve with shadow AI. If employees were summarizing documents and drafting emails, an existing Microsoft 365 license tier may already cover it. If the use cases are broader, the answer might look different. The AI readiness section on the Seven Roots site is a reasonable place to start before committing to a tool decision.
Writing a policy your team will actually follow
An AI acceptable use policy does not need to be long. It needs to be clear. The core elements are straightforward: which tools are approved, what categories of data are off-limits for any AI session (client information, personnel records, financial data that has not been made public), and what the consequence is for using unapproved tools with sensitive data.
What derails most AI policies is tone. A policy framed as a prohibition creates the impression that the organization is blocking something useful, which typically produces quiet noncompliance. A policy framed around protecting the organization and the employee, with a plain-language explanation of why personal AI accounts carry risk and a sanctioned option that actually works, produces meaningfully higher adoption. People follow policies they understand and that treat them as adults.
Enforcement in this area is mostly voluntary, and the organization should be honest about that. A policy that relies entirely on network controls will fail the moment someone works from home. What holds the line is employees who understand the risk and have a usable alternative. The combination of a clear policy, a working tool, and regular reinforcement in onboarding and team communication is more effective than any technical control alone.
For leaders still working through what their AI governance approach should look like, Heartwood offers on-demand advisory from a panel trained on practical technology leadership. It is a useful place to think through specific decisions before committing to a direction.
Common questions about shadow AI
How do we find out who's already using AI?
Start with a direct employee survey. Ask what tools people use for work tasks and include AI tools explicitly in the question. Most employees will tell you if the framing is matter-of-fact rather than accusatory. If you have Microsoft Defender for Cloud Apps or similar network visibility tooling, that data can confirm usage patterns by showing traffic to known AI service domains. The survey gives you the behavioral picture; network data, if available, adds volume and frequency. Together they tell you what you are dealing with before you decide how to respond.
Should we ban personal AI accounts?
In most cases, no. A blanket ban on personal AI accounts does not stop the usage; it moves the usage to phones and personal devices where the organization has zero visibility. The actual data exposure continues; the organization just loses its ability to see it. The more effective approach is to deploy a sanctioned enterprise AI tool, communicate clearly why personal accounts carry risk, and make the approved path easy enough that employees prefer it. That combination produces actual behavior change where a ban typically produces workarounds.
Can we tell what employees are pasting into ChatGPT?
Network-level monitoring can show you that traffic went to a known AI service domain. It cannot show you the content of those sessions without a more invasive technical configuration, typically an HTTPS-inspecting forward proxy or an endpoint agent. Deploying that kind of monitoring raises its own employee relations and legal questions. For most mid-market companies, the practical answer is: you cannot see the content of past sessions, which is part of why moving forward with a sanctioned alternative matters more than trying to audit what already happened.
What's the legal exposure if client data leaks this way?
The exposure depends on what data was shared and what agreements govern it. Client confidentiality clauses, non-disclosure agreements, and data processing addenda are typically written without AI tools in mind, which means sending client data through a personal AI account may violate the letter of those agreements whether or not any actual harm results. Regulated industries, including healthcare and financial services, add a layer of compliance exposure on top of contractual risk. The argument that an employee acted independently provides limited protection if the organization had no policy and no sanctioned alternative in place.
If we ban it, will they just use it on their phones?
Yes, and that is not a hypothetical. It is the expected outcome of a ban that does not come with a sanctioned alternative. Employees who have found AI genuinely useful will not stop because the corporate network blocks it. They will use their phones, their home internet, or a coffee shop connection, and the usage will become entirely invisible to the organization. The only realistic way to keep sensitive data off personal AI accounts is to give employees an enterprise-grade option they are willing to use on the approved platform.
One technology decision a month, taken apart.
The decision brief: one technology decision a month, taken apart. No spam, unsubscribe anytime.
Working through the same questions? Let's compare notes.
The AI and agentic space is moving faster than any playbook, and the best thinking in it happens in the open. We are glad to connect, trade notes, and compare approaches. We also take on a small number of select advisory engagements where the fit is right.
Connect with Seven RootsNot sure what you need yet? Ask the panel.
Heartwood is an AI advisory panel for mid-market executives who need on-demand technology strategy guidance. Start with your toughest question.
Try Heartwood free