Your Client’s Employees Are Already Using AI
Sixty-seven percent of employees use AI tools at work. That is not a projection. That is not a forecast. That is a fact from Salesforce’s 2026 Workforce AI Survey, and it means the majority of your client’s workforce is using ChatGPT, Claude, Copilot, Grammarly, or some other AI tool right now, today, to do their jobs.
The problem is not that they are using AI. The problem is that nobody is managing it.
Only 18 percent of organizations have formal AI security policies. Eighty percent worry about data leaking through generative AI. Sixty percent have no strategy to address it. Those numbers come from Mimecast’s 2026 State of AI Security report, and they paint a clear picture: employees are adopting AI faster than anyone is governing it.
This is shadow AI. And it is the most immediate, most widespread, and most underestimated risk your clients face right now.
Why Shadow AI Is Worse Than Shadow IT
Shadow IT is an employee signing up for Dropbox or Slack without IT approval. The risk is contained inside that application. The data stays in the tool. It can be audited. It can be removed.
Shadow AI is different. When an employee pastes a client contract into ChatGPT, that data gets processed by a third-party model. It may be absorbed into training data. It may surface in responses to other users. It may be subject to subpoena. The employee was not trying to create a compliance violation. They were trying to get their work done. But the violation happened anyway.
The most cited example is Samsung. Engineers at Samsung Semiconductor pasted proprietary source code into ChatGPT to check for errors. The code became part of OpenAI’s training data. Samsung banned generative AI tools company-wide after the damage was done. That story is told in almost every AI governance presentation for a reason. It is not hypothetical. It happened.
The financial exposure is real. IBM’s Cost of a Data Breach report found that organizations with high shadow AI exposure face breach costs of $4.63 million on average. Companies without AI governance programs pay approximately $670,000 more per breach than those with governance in place.
The Compliance Problem Nobody Is Talking About
Shadow AI creates regulatory exposure that most SMBs do not see coming.
GDPR requires a documented legal basis for every data processing activity. When an employee uploads customer data to a free AI tool, there is no data processing agreement. There is no legal basis. There is a violation.
HIPAA requires a business associate agreement with any third party that touches protected health information. Free AI tools do not sign BAAs. When a medical office employee pastes patient notes into ChatGPT to summarize them, that is a HIPAA violation.
PCI DSS requires cardholder data to stay inside approved environments. AI tools are not approved environments.
Most client contracts include data handling requirements that free AI tools do not meet. When an employee uploads client financials to an AI tool, they may be violating a contract they have never read.
The employee was not trying to violate GDPR, HIPAA, or their client contract. They were trying to save twenty minutes on a report. But the violation happened anyway, and the organization is liable.
Why This Is Your Problem
Your clients are not thinking about shadow AI. They are thinking about revenue, operations, payroll, and the hundred other things that fill a business owner’s day.
But when the data leaks, when the regulator calls, when the client whose financials ended up in an AI training model finds out and sues, who do they call?
The IT provider. You. The person who was supposed to be managing their technology environment.
You cannot manage what you cannot see. Right now, you cannot see most of what is happening with AI in your client’s environment. That needs to change.
A Five-Step Process for Getting Control
Step 1: Discover what is happening. You cannot govern what you do not know about. Start with browser extension audits. Look for AI-related extensions on company-managed browsers. Run network traffic analysis to identify connections to known AI service endpoints. And ask employees directly. Most will tell you what they are using if you ask without threatening consequences. The goal is to understand the scope, not to catch people doing something wrong.
Step 2: Classify the tools. Use a three-tier system. Tier 1 is approved tools, enterprise-grade platforms with proper security controls and data processing agreements. Tier 2 is restricted, tools employees can use with limitations, such as no client data and no regulated information. Tier 3 is prohibited, free consumer tools with no data protections, no agreements, and no oversight. This is not about being restrictive. It is about being clear.
Step 3: Set data guardrails. Some data should never be entered into AI tools under any circumstances. Regulated data. Personally identifiable information. Protected health information. Financial records. Proprietary source code. Client information. Strategic planning documents. The list should be short, specific, and non-negotiable.
Step 4: Write the policy. An AI acceptable use policy does not need to be forty pages. It needs to be clear, enforceable, and actually communicated to employees. Define what tools are approved. Define what data is off-limits. Define what happens when someone violates the policy. Then make sure every employee has read it and acknowledged it.
Step 5: Monitor and enforce. Browser-level controls can restrict access to known AI tool websites. Network monitoring can flag unauthorized usage patterns. Periodic audits keep the process current. This is ongoing work, not a one-time project. AI tools are evolving monthly. Your governance needs to keep pace.
How to Have the Conversation
When you bring this up with a client, lead with facts, not fear.
“Your employees are already using AI tools. Most likely ChatGPT, Copilot, or something similar. Some of them are probably pasting client data or business information into those tools without realizing the risk. I am not here to tell you to stop using AI. I am here to help you understand what is happening in your environment and put controls in place so you can use AI safely instead of hoping nothing goes wrong.”
That is the conversation. It is not about stopping innovation. It is about managing risk.
Where This Leaves You
Shadow AI is not a future risk. It is a current reality. Sixty-seven percent of employees are using AI tools at work. Most organizations have no policy, no governance, and no visibility into what data is being shared with what tools.
The MSPs who address this proactively will be the ones their clients trust when something goes wrong. The MSPs who wait will be the ones explaining why they did not bring it up sooner.
Your clients’ employees are already using AI. The question is whether you find out before or after something leaks.
Frequently Asked Questions
Q: How do we discover what AI tools employees are using?
Start with network traffic analysis, browser extension audits, and a straightforward employee survey. Most employees will tell you what they are using if you ask directly without threatening consequences. The discovery phase should feel like fact-finding, not an investigation.
Q: Should we ban all free AI tools?
A blanket ban drives usage underground. Employees will use the tools anyway, but they will hide it, which makes the problem worse. Use a tiered classification system instead. Give employees safe alternatives. Make it easy to do the right thing.
Q: What about Microsoft Copilot and built-in AI features?
Enterprise versions of Copilot with proper Microsoft 365 licensing include data processing agreements and tenant-level controls. That is very different from the free consumer version. The key question is: which version is deployed, and what data controls are configured? Do not assume enterprise-grade protections are in place. Verify.
Q: How much does an AI governance engagement typically cost?
A basic assessment and policy development engagement for a 20 to 50 person organization runs $2,500 to $5,000. Ongoing monitoring and governance retainer arrangements vary by scope. The cost is a fraction of the exposure.
Q: Is this really that different from traditional security awareness?
Yes, because the risk profile is different. In traditional security awareness, the threat is someone clicking a phishing link. In AI governance, the threat is a well-meaning employee saving twenty minutes by pasting sensitive data into a free tool. The behavior looks productive. The risk is enormous. Your security awareness program needs to address both.
About Brent Lacy: Brent Lacy is the author of Rewired MSP: Mastery, Scalability and Performance, vCIO Rewired: Virtually Conquering IT Obstacles, and Near Miss: Preventable IT Failures Threatening Your Business Security. With over 20 years in the managed services industry, Brent writes about the operational discipline, trust-based relationships, and strategic thinking that separate MSPs built to last from those built to bill.
Related Articles:
