Your Employees Are Already Using AI. The Question Is Whether Anyone Is Watching.

The Speed Gap Nobody Talked About

Somewhere in your office right now, an employee just pasted a client list into a free online chatbot to draft a follow-up email. Another one uploaded a contract to have it summarized. A third is feeding quarterly financial data into a text generator to produce a report. None of them asked permission. None of them thought twice about it.

According to data from Cyberhaven, 10.8% of knowledge workers have used ChatGPT in the workplace, and 8.6% have pasted company data into it.1 A LayerX Security report found that 77% of employees who use AI tools have pasted company data into public AI platforms.2 The average company leaks confidential material to ChatGPT hundreds of times per week.

The AI adoption gap is not coming. It is already here, and most business owners have no idea how wide it is.

What Actually Happens When Data Leaves

When an employee pastes information into a consumer AI tool, that data does not just disappear. It is transmitted to and logged by the provider, retained for as long as the provider's terms allow, and, on consumer tiers, may be used to train future versions of the model. Once it enters the system, you have no technical control over where it goes, who sees it, or how it gets used six months later.

Cyberhaven’s analysis found that 27.4% of corporate data put into AI tools was sensitive in March 2024, up from 10.7% a year prior. The total volume of corporate data entering AI tools grew 485% year over year.3 The sensitive data includes source code, patient records, financial projections, contract language, and client lists. The stuff that, if it showed up in a competitor’s hands or a regulatory inquiry, would be difficult to explain.

This is not about employees being careless. Most of them are trying to be more productive. They see a tool that helps them write faster, think clearer, or analyze quicker. The problem is not the intent. The problem is that nobody gave them boundaries, and nobody on the IT side has any awareness of what is leaving the building.

Why Most IT Providers Are Not Stepping In

Here is the uncomfortable truth for business owners reading this: your IT provider probably does not have an answer for this yet. Many MSPs are still building their own internal AI strategies. They are focused on using AI for ticket automation, security monitoring, and service delivery. Guiding clients on responsible AI adoption across an entire workforce is a different service entirely.

Channel Insider’s 2026 guide for MSPs building AI strategies for SMBs put it plainly: most MSPs are still in the early stages of helping customers move past uncertainty and position AI as a secure, revenue-driving service rather than a source of risk or hype.4 In other words, the demand is ahead of the supply.

That gap is where shadow AI thrives. Employees adopt tools faster than providers can assess them. Faster than policies can be written. Faster than acceptable use agreements can be updated.

What a Responsible AI Posture Looks Like

The goal is not to ban AI. That does not work. Salesforce’s 2026 Workforce AI Survey found that 67% of employees use AI tools at work, but only 18% of organizations have formal AI security policies.5 You cannot put the genie back in the bottle, and trying to do so just drives usage further underground where nobody can see it happening.

The goal is to build a responsible adoption posture. That means three things.

First, know what is being used. You cannot govern what you cannot see. If your IT provider has not conducted an AI tool inventory or assessment across your environment, that is a reasonable starting question. Productiv’s 2026 analysis found that the average enterprise has 14 distinct AI tools in use, of which the IT team is aware of only four or five.6 The shadow footprint is always larger than the visible one.

Second, set clear boundaries. An acceptable use policy for AI does not need to be a 40-page document. It needs to answer basic questions: What types of data can be entered into AI tools? Which tools are approved? What happens when someone uses one that is not on the list? ISACA’s research shows that organizations with formal policies score measurably higher on AI maturity metrics than those without.7

Third, make it easy to do the right thing. If the approved path is harder than the shortcut, people will take the shortcut. Give employees tools that are vetted and safe. Show them why the free version of a consumer chatbot carries risks the enterprise version does not: enterprise tiers typically exclude customer data from model training by contract, offer retention controls, and integrate with single sign-on and audit logging, while the free tier offers none of that. Training works better than threats.

This is where most organizations fail. They write a policy, send it out in an email, and assume compliance will follow. It will not. Employees need context. They need to understand why the customer list they are about to paste into a chatbot is sensitive, not because a policy says so, but because they understand what could happen if that data ends up in a model training set that a competitor queries six months later. That conversation takes time. It is worth having.

What to Ask Your IT Provider

If your IT provider has not brought up AI governance, bring it up yourself. Here are the questions worth asking:

  • Have you conducted an AI tool assessment across our environment? What are employees actually using?
  • Do we have an acceptable use policy for AI tools, and when was it last reviewed?
  • Are there data loss prevention controls that specifically address AI tool usage?
  • What is your process for evaluating a new AI tool before our employees start using it?
  • How do you monitor for data leaving our systems through AI platforms, for example from proxy, DNS or CASB logs?

If your provider stares blankly at the first question, you have your answer. If they have a thoughtful response for all five, that is a different conversation.
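Where the first and fifth questions above lead in practice is a log review: most proxies, secure web gateways and CASBs already record which hosts each user reaches and how much they send. The following Python script is an added example, not code from the original post or from any vendor mentioned in it. It reads a handful of constructed proxy log lines in an assumed simplified format (timestamp, user, method, URL, status, request bytes), matches hosts against a deliberately short illustrative list of AI platform domains, builds the per-tool inventory of users and upload volume, and flags large POST/PUT requests as likely paste or document uploads. The domain list, the log format and the 16 KiB threshold are all assumptions.

```python
"""Shadow-AI inventory from web proxy logs.

Added example, not part of the original post. The log format, the
domain list and the upload threshold are assumptions for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Illustrative, deliberately incomplete list of consumer AI endpoints
# (assumption). In practice this list comes from your proxy or CASB
# vendor's application catalog. Keys are domains, values are tool names.
AI_DOMAINS = {
    "openai.com": "ChatGPT",
    "chatgpt.com": "ChatGPT",
    "anthropic.com": "Claude",
    "claude.ai": "Claude",
    "gemini.google.com": "Gemini",
}

# Constructed sample lines in an assumed simplified proxy format:
# <iso-timestamp> <user> <method> <url> <status> <request_bytes>
SAMPLE_LOG = """\
2026-03-02T09:14:07Z alice GET https://chatgpt.com/ 200 512
2026-03-02T09:14:31Z alice POST https://chatgpt.com/backend-api/conversation 200 48211
2026-03-02T09:20:02Z bob POST https://claude.ai/api/organizations/x/chat 200 1820
2026-03-02T09:21:45Z carol GET https://www.example.com/news 200 410
2026-03-02T09:22:10Z dave POST https://notopenai.com/upload 200 99999
2026-03-02T09:25:00Z bob POST https://api.openai.com/v1/files 200 732014
2026-03-02T09:26:13Z erin GET https://gemini.google.com/app 200 600
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
    r"\s+(?P<status>\d{3})\s+(?P<req_bytes>\d+)$"
)

# Uploads at or above this size are flagged as likely paste/document egress.
# 16 KiB is an assumed threshold; tune it against your own baseline.
UPLOAD_THRESHOLD = 16 * 1024


def classify_host(host: str):
    """Return the tool name if host is (a subdomain of) a known AI domain.

    Suffix matching is done on label boundaries so that 'notopenai.com'
    does not match 'openai.com' while 'api.openai.com' does.
    """
    host = host.lower().rstrip(".")
    for domain, tool in AI_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return tool
    return None


def parse_line(line: str):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # malformed lines are skipped rather than crashing the report
    rec = m.groupdict()
    rec["req_bytes"] = int(rec["req_bytes"])
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    rec["tool"] = classify_host(rec["host"])
    return rec


def build_inventory(log_text: str):
    """Aggregate per-tool users, request counts and upload bytes; flag large uploads.

    Returns (inventory, alerts). inventory maps tool -> {users, requests,
    upload_bytes}; alerts is a list of (ts, user, tool, host, bytes) tuples.
    """
    inventory = defaultdict(lambda: {"users": set(), "requests": 0, "upload_bytes": 0})
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["tool"] is None:
            continue  # not an AI platform, or unparsable
        entry = inventory[rec["tool"]]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        if rec["method"] in ("POST", "PUT"):
            entry["upload_bytes"] += rec["req_bytes"]
            if rec["req_bytes"] >= UPLOAD_THRESHOLD:
                alerts.append((rec["ts"], rec["user"], rec["tool"], rec["host"], rec["req_bytes"]))
    report = {tool: dict(v, users=sorted(v["users"])) for tool, v in inventory.items()}
    return report, alerts


if __name__ == "__main__":
    report, alerts = build_inventory(SAMPLE_LOG)
    for tool, entry in sorted(report.items()):
        print(f"{tool}: users={entry['users']} requests={entry['requests']} "
              f"upload_bytes={entry['upload_bytes']}")
    for ts, user, tool, host, nbytes in alerts:
        print(f"ALERT {ts} {user} -> {tool} ({host}) uploaded {nbytes} bytes")
```

Suffix matching on label boundaries matters: a naive `"openai.com" in host` check would count `notopenai.com`, and a plain host-equality check would miss `api.openai.com`. Request size is a coarse signal; it tells you that a large body left, not what was in it. Seeing the content requires a DLP control at the endpoint or an inspecting proxy, which is what the third question asks for.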

The point is not to conduct an interrogation. It is to determine whether your provider has thought about this issue at all. A good provider will not have every answer on the spot but will have a process for getting them. A provider who dismisses the concern or tells you this is not a service they offer is telling you where they stand. You can decide if that matches the level of risk your business is carrying.

The Regulatory Clock Is Ticking

The EU AI Act is moving from policy to operational deadlines in 2026, with broader applicability phasing in.8 In the United States, Colorado’s requirements around high-risk AI and algorithmic discrimination are taking effect in 2026. Other states are following. The regulatory environment is not waiting for small businesses to catch up.

Even if your business is not directly subject to these regulations today, your clients or partners may be. Supply chain requirements flow downhill. If a larger company you work with starts requiring AI governance documentation from its vendors, you will need to have answers ready.

The NIST AI Risk Management Framework (AI RMF 1.0) has become a common reference point for organizations evaluating AI risk. The U.S. National Institute of Standards and Technology published it as a voluntary resource, but it is increasingly referenced in regulatory guidance and contractual requirements. Your clients may start asking whether your practices align with it. Knowing the answer now is better than scrambling to produce documentation under a deadline later.9

Where This Leaves You

The real risk of shadow AI is not that an employee will paste something into a chatbot by accident, though that happens. The real risk is that sensitive data is flowing out of your business through channels nobody is monitoring, nobody has approved, and nobody can audit. When that data shows up somewhere it should not be, the question will not be “why did this employee make a mistake.” The question will be “why did the business have no awareness of what was happening.”

That is a question no business owner wants to answer in a breach notification letter, a regulatory inquiry, or a client conversation.

The tools are not going away. The employees are not going to stop using them. The only variable is whether the business gets ahead of this or waits for an incident to force the conversation.

Sources

1 Cyberhaven, “4% of Workers Have Pasted Company Data Into ChatGPT,” cyberhaven.com, 2026.
2 LayerX Security / LinkedIn, 2026.
3 Unio.digital, “ChatGPT Sensitive Data Statistics,” unio.digital.
4 Channel Insider, “The MSP Guide to Building an AI Strategy for SMBs in 2026,” channelinsider.com, 2026.
5 Red Team Partner, “Shadow AI: 67% of Employees Use AI Tools at Work, Only 18% of Companies Have AI Security Policies,” redteampartner.com, 2026.
6 Optro, “Shadow AI stats for 2026,” optro.ai.
7 Kiteworks, “AI Policy Gap: Why 25% of Firms Have No AI Rules,” kiteworks.com.
8 OneTrust, “Responsible AI in 2026: A 3-step Guide for Governance that Scales,” onetrust.com, 2026.
9 NIST, “AI Risk Management Framework,” nist.gov.
