Your team already uses AI. A shadow AI policy is how you find out.
Employees are pasting work into personal ChatGPT accounts right now, because it makes their day easier. A ban won't stop it: KPMG found that companies that ban generative AI leak more, not less. Here's the shadow AI policy that brings it into the light.
In short
A shadow AI policy is the set of guardrails that brings the AI use your team already hides into the open: approved company accounts, a short list of data that never leaves, review before AI work ships, and clear ownership of AI output. It beats a ban, and the evidence is blunt. In KPMG's 2025 global study, 67% of employees at companies that banned generative AI uploaded sensitive company information into public AI tools anyway, double the rate at companies with no policy at all. IBM puts the price of staying blind at $670,000 in added breach costs where shadow AI use runs high. Pair the policy with training and revisit it quarterly, because the tools move faster than policy cycles.
Shadow AI is the default state
Somewhere in your company today, an employee pasted a customer email, a draft contract, or a chunk of your financials into a personal ChatGPT account. Not out of malice. The tool made a tedious task fast, nobody said they couldn't, and the work was due. That's shadow AI, and if you haven't written a shadow AI policy, it isn't a risk you might face someday. It's how your company operates right now.
The numbers back this up. Microsoft and LinkedIn's 2024 Work Trend Index found that 75% of knowledge workers already use generative AI at work, and 78% of those users bring their own tools rather than waiting for the company to provide one. At small and mid-sized companies it's 80%. Worse for visibility: 52% are reluctant to admit using AI on their most important work, and a 2025 KPMG and University of Melbourne study spanning 47 countries found 57% of employees have hidden their AI use or passed off AI output as their own. Asking around the office tells you almost nothing.
The problem isn't that people use AI. The problem is where the decisions get made. With no policy, every employee is making a data-governance call alone, in the moment, under deadline pressure, in the worst possible venue: a free consumer account where the terms of service were never read and the input may feed someone else's model. In the same KPMG study, 48% of employees admitted they had already put company information (financials, sales data, customer records) into public AI tools. Your most diligent people are improvising answers to questions your legal team has never even discussed.
Leaders often tell me their team 'isn't really using AI yet.' What they have is a visibility problem, not a usage problem. The honest starting point for any manager leading a team through AI is to assume usage is already widespread and proceed from there.
78% of AI users bring their own AI tools to work (Microsoft & LinkedIn)
48% of employees have put company information into public AI tools (KPMG)
67% of employees at companies that banned generative AI uploaded sensitive data anyway (KPMG)
$670,000 added average breach cost when shadow AI is heavily involved (IBM)
Sources: Microsoft & LinkedIn 2024 Work Trend Index; KPMG & University of Melbourne, Trust, attitudes and use of AI, 2025; IBM Cost of a Data Breach Report 2025.
Why a ban is the worst shadow AI policy you can write
The reflex, especially after a scare, is to block the tools. It feels decisive, and the fear behind it is legitimate: IBM's Cost of a Data Breach Report 2025 found one in five breached organizations traced the incident to shadow AI, and organizations with heavy shadow AI use paid about $670,000 more per breach than those with little or none. When shadow AI was involved, customer personal data was compromised in 65% of incidents, well above the 53% global average. The data risk is real. The ban just doesn't reduce it.
KPMG's numbers on this are hard to argue with: at organizations that banned generative AI outright, 67% of employees reported uploading sensitive company information into public AI tools anyway, the highest rate of any policy environment they measured. Usage doesn't stop; it moves to personal phones and home laptops, where you have zero visibility, zero logs, and zero ability to coach. You keep all of the data risk and surrender all of the productivity upside. A ban converts a manageable governance problem into an invisible one.
The grown-up move is the opposite: treat the shadow AI policy as enablement. Good guardrails are what let you say yes faster. When people know which accounts to use, which data stays inside, and what gets reviewed before it ships, they stop guessing and start working. That matters because most people are guessing today: in the KPMG study, 56% of employees said they'd used AI at work without knowing whether it was allowed. You can generate a first draft of that policy in minutes and tune it to your business, which removes the most common excuse for not having one: nobody had time to write it.
One caution before you publish anything. A policy on its own changes documents, not behavior. KPMG found that even at organizations with a generative AI policy in place, over half of employees still put sensitive data into public tools. An untrained team with a signed acceptable-use policy is just a compliant version of the same risk: they still don't know what good usage looks like, they just know what's forbidden. Policy tells people where the lines are; training is what makes the work inside the lines actually improve. Ship them together.
The four moves of a working shadow AI policy
Common questions
What is shadow AI?
Shadow AI is employees using AI tools for work without their company's knowledge or approval, most often through personal accounts on consumer tools like ChatGPT. It emerges wherever AI saves people time and no sanctioned alternative exists, which makes it the default state at companies without a shadow AI policy rather than the exception.
How common is shadow AI at work?
Far more common than most leaders think. Microsoft and LinkedIn's Work Trend Index found 75% of knowledge workers use generative AI at work and 78% of them bring their own tools. KPMG's 2025 global study found 57% of employees hide their AI use and 48% have put company information into public AI tools. If you haven't measured it, assume it's happening on your team.
Should companies ban ChatGPT at work?
No. KPMG's 2025 study found 67% of employees at companies that banned generative AI uploaded sensitive data to public AI tools anyway, more than under any other policy. Bans push usage onto personal devices where you lose all visibility and keep all the data risk, while giving up the productivity gains. The stronger move is to provide company accounts, set clear data rules, and train the team to use AI well, so usage happens where you can see it and shape it.
What should a shadow AI policy include?
Four things: which tools and accounts are approved, which data never goes into AI (customer PII, financials, anything under NDA), a review-before-ship rule for AI-assisted work, and who owns AI output. Keep it short enough that people actually read it, and pair it with rollout and training, the way you'd sequence any workflow change in a transformation.
Put the guardrails in writing this week
Draft your acceptable-use policy in minutes, then give your team the skills to work inside it.

Written by
Adrián Ridner
Co-founder of Candova, founder of Study.com, and O'Reilly AI author
Adrián has spent two decades as a serial entrepreneur opening the doors to the life-changing impact of education. Before Candova, he founded and scaled Study.com into the largest platform for online college-credit courses, certification prep, and career-aligned degree pathways, helping millions of learners earn credentials for the modern workforce.