AI governance for UK boards

Shadow AI: the policy boards need before the ban reflex

Staff already paste work into consumer AI. The answer is not a ban: discover use, triage it into three bands, provide sanctioned tools, police the line.

Dr Karl George MBE · 8 min read · Researched and drafted with AI assistance

Somewhere in your organisation this week, an employee pasted part of a customer email into a consumer chatbot to draft the reply. Another summarised an internal paper. Neither asked permission, and neither will appear in a risk report. Microsoft-commissioned research from October 2025 found that 71% of UK employees have used unapproved consumer AI tools at work, and 51% still do so every week. Shadow AI is not an emerging risk on the horizon. It is the current condition of your workforce.

The instinctive board response is a ban, and it is the response most likely to make things worse. A ban does not stop the behaviour; it moves the behaviour to personal phones and personal accounts, where your telemetry ends and your audit trail with it. The governing response is a policy with four working parts — discover, triage, provide, police — and a quarterly report that tells the board whether it is holding. This post sets out each part.

Key takeaways

  • Shadow AI is the norm, not the exception: 71% of UK employees have used unapproved consumer AI at work; 51% use it weekly (Censuswide for Microsoft, October 2025, 2,003 UK employees).
  • A ban does not stop the processing — it removes the evidence. Use moves to personal devices and the audit trail your board would rely on disappears.
  • Unsanctioned AI use is personal-data processing your organisation already owns: UK GDPR controller obligations do not lapse because the tool was never approved.
  • Discovery must respect the ICO's monitoring-workers guidance — lawful basis, proportionality, transparency, a DPIA where risk is high. Aggregate telemetry and amnesty surveys, not keystroke surveillance.
  • The policy that works has four parts: discover actual use, triage it into three bands, provide a sanctioned alternative on enterprise data terms, and police a narrow, explicit prohibited line — with a standing quarterly report to the board.

The ban reflex trades a visible risk for an invisible one

Start with why staff do it, because the policy fails if it ignores the incentive. In the same UK research, workplace users of generative AI assistants report saving 7.75 hours a week on average across admin tasks. The most common uses are mundane: drafting and responding to workplace communications (49%), drafting reports and presentations (40%), finance-related tasks (22%). Asked why they reach for consumer tools, 41% say it is what they are used to in their personal lives — and 28% say their employer provides no approved alternative at all. This is not a UK quirk: Microsoft and LinkedIn's 2024 Work Trend Index found 78% of AI users globally were bringing their own AI tools to work, across every generation — while 60% of leaders admitted their company lacked a vision and plan for implementation.

A ban therefore asks staff to hand back the better part of a working day, every week, for a policy reason most of them do not rate: only 32% express concern about the privacy of company or customer data entered into consumer tools. They will not hand it back. The tools live in pockets and personal browser tabs, beyond the reach of corporate network blocks. What a ban actually achieves is to end the declarations, the questions and the near-miss reports — the only early-warning signals you had.

Now put that in the language the board already speaks: data protection. When an employee enters personal data into a consumer chatbot, your organisation is the controller of that processing under UK GDPR. The obligations do not lapse because the tool was unapproved. The processing has happened with no lawful-basis assessment, no processor agreement, possibly an international transfer nobody evaluated — and possibly a personal-data breach carrying a 72-hour reporting clock that is very hard to meet for an incident nobody will admit to. The board owns this risk today, ban or no ban. The only question a policy decides is whether the use happens inside terms you set, or outside your sight.

Discover: measure actual use without surveillance overreach

You cannot triage what you have not measured, so the first deliverable is a baseline of actual use — and here boards walk into a second trap. Discovery is itself the processing of workers' personal data, and the ICO's guidance on monitoring workers, published in October 2023, sets the constraints: a lawful basis, proportionality, transparency about what is monitored and why, and a data protection impact assessment where the monitoring is likely to be high risk. Workers should only be monitored in ways they would reasonably expect. The ICO's own research found 70% of people would find monitoring in the workplace intrusive. Solving a shadow-AI problem by creating a surveillance problem is not progress.

The discovery methods that stay proportionate are also the ones that work:

  • Aggregate network telemetry. Which AI domains are reached from corporate networks and managed devices, and how much, reported at organisation or team level, never as named individuals. DNS and web-proxy logs are the usual source. Note the blind spot: this sees only managed devices on your network, so a personal phone on mobile data never appears in it, which is why the survey below matters.
  • Anonymous staff surveys with an explicit amnesty. The cheapest and most candid signal, and the only one that reaches personal devices.
  • Expense and procurement records. Personal AI subscriptions claimed back are shadow AI with a receipt.
  • Sanctioned-tool usage counts. Once an approved tool exists, the gap between its adoption and survey-reported use is your standing estimate of the shadow.

What to avoid is equally clear: keystroke logging, screen capture and individual league tables. They are hard to justify as proportionate under the ICO guidance, and they destroy the candour the rest of the policy depends on. The aim is epidemiology, not prosecution.
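The proxy-log aggregation described above, written out as an added example that is not part of the original post. It reads a constructed proxy log, labels each request as shadow or sanctioned AI by hostname, counts distinct users per team rather than requests, and merges any team smaller than a minimum group size into one bucket (suppressing that bucket if it is still too small) so the report cannot single out an individual. The domain labels, the team directory, the threshold of five and the log format are all assumptions for the example.

```python
"""Aggregate AI-domain telemetry from proxy logs at team level.

Added example, not code from the original post. The log lines, team
directory, domain labels and threshold are constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts treated as AI services. Whether a host is the organisation's own
# sanctioned tool is an assumption made for this example.
AI_DOMAINS = {
    "chatgpt.com": "shadow",
    "openai.com": "shadow",
    "claude.ai": "shadow",
    "gemini.google.com": "shadow",
    "copilot.microsoft.com": "sanctioned",
}

# A reporting group must contain at least this many observed users to be shown.
MIN_GROUP = 5

# Constructed proxy log, one request per line: "timestamp user url status bytes".
SAMPLE_LOG = """\
2026-06-01T09:01:00Z e1 https://chatgpt.com/c/abc123 200 1200
2026-06-01T09:02:00Z e1 https://copilot.microsoft.com/ 200 900
2026-06-01T09:03:00Z e2 https://claude.ai/chat/77 200 2200
2026-06-01T09:04:00Z e3 https://intranet.example.com/wiki 200 300
2026-06-01T09:05:00Z e4 https://copilot.microsoft.com/ 200 500
2026-06-01T09:06:00Z e5 https://www.bbc.co.uk/news 200 8000
2026-06-01T09:07:00Z e6 https://api.openai.com/v1/chat/completions 200 400
2026-06-01T09:08:00Z f1 https://chatgpt.com/ 200 1000
2026-06-01T09:09:00Z f2 https://gemini.google.com/app 200 700
2026-06-01T09:10:00Z s1 https://chatgpt.com/ 200 1100
2026-06-01T09:11:00Z s2 https://crm.example.com/ 200 200
2026-06-01T09:12:00Z s3 https://copilot.microsoft.com/ 200 600
2026-06-01T09:13:00Z s4 https://www.google.com/search?q=x 200 300
2026-06-01T09:14:00Z s5 https://claude.ai/ 200 900
2026-06-01T09:15:00Z s5 https://chatgpt.com/ 200 900
"""

# Constructed directory: user id -> team. Six engineers, two in finance, five in sales.
USER_TEAM = {
    **{f"e{i}": "engineering" for i in range(1, 7)},
    **{f"f{i}": "finance" for i in range(1, 3)},
    **{f"s{i}": "sales" for i in range(1, 6)},
}


def ai_label(url):
    """Return 'shadow', 'sanctioned' or None, matching the host and its subdomains only."""
    host = (urlsplit(url).hostname or "").lower()
    for domain, label in AI_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return label
    return None


def parse_line(line):
    """Extract user id and URL; the URL is used for labelling and never retained."""
    _ts, user, url, _status, _nbytes = line.split()
    return user, url


def aggregate(log_text, user_team, min_group=MIN_GROUP):
    """Per-team counts of distinct users, with small teams merged or suppressed."""
    seen = defaultdict(set)                       # team -> users observed at all
    hits = defaultdict(lambda: defaultdict(set))  # team -> label -> users
    for line in log_text.strip().splitlines():
        user, url = parse_line(line)
        team = user_team.get(user, "unknown")
        seen[team].add(user)
        label = ai_label(url)
        if label:
            hits[team][label].add(user)

    # Teams below the threshold are pooled rather than listed, so a two-person
    # finance row cannot identify either person.
    small = [t for t in seen if len(seen[t]) < min_group]
    if small:
        bucket = "other (small teams)"
        for t in small:
            seen[bucket] |= seen.pop(t)
            for label, users in hits.pop(t, {}).items():
                hits[bucket][label] |= users

    report = {}
    for team, users in seen.items():
        if len(users) < min_group:
            report[team] = {"suppressed": True}
            continue
        shadow = len(hits[team]["shadow"])
        sanctioned = len(hits[team]["sanctioned"])
        report[team] = {
            "suppressed": False,
            "users_seen": len(users),
            "shadow_users": shadow,
            "sanctioned_users": sanctioned,
            "shadow_pct": round(100 * shadow / len(users)),
        }
    return report


if __name__ == "__main__":
    for team, row in aggregate(SAMPLE_LOG, USER_TEAM).items():
        print(team, row)
```

The output contains team names and counts only; user ids and URLs are dropped at the point of counting, which is what makes the read-out defensible as proportionate. Counting distinct users rather than requests also stops one heavy user from looking like a team-wide habit.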

Triage: three bands, not one verdict

The mistake in most first-draft policies is a single verdict on "AI", as if the tool were the unit of risk. It is not. The unit of risk is the data that goes in and the decision that comes out. A workable policy triages use into three bands:

| Band | What sits in it | The rule |
| --- | --- | --- |
| Permitted (green) | Public or non-confidential material: drafting from a blank page, general research, summarising published documents | Use the sanctioned tool freely; no approval needed |
| Conditional (amber) | Internal but not personal: anonymised data, internal procedures, supplier documents | Sanctioned tool only, a named owner, data minimised before entry |
| Prohibited (red) | Personal data, special-category data, client-confidential or price-sensitive material, credentials | Never into a consumer tool; into the sanctioned tool only where the DPIA and processor terms cover it |

Two things make the table work. First, it runs on your data classification scheme — and if you do not have one, that is the real finding, not the chatbots. Second, the bands are one artefact of a wider AI governance framework: the policy names the bands, but the framework names who assigns a new use case to a band, and how that decision is evidenced.

Provide: the sanctioned alternative is the control

A policy that prohibits without providing is a press release. Remember the 28% who say no approved option exists: every one of them is a shadow user your policy created. The sanctioned alternative must offer what consumer free tiers do not: enterprise data terms. The non-negotiables: a contractual commitment that your prompts and outputs are not used to train the provider's models (in the contract, not a settings toggle that an individual user can leave off); a processor agreement under Article 28 UK GDPR; UK or EU data residency, or a transfer mechanism someone has actually assessed; single sign-on, admin controls and audit logs; retention you set. These belong on the same procurement list as the questions every UK board should ask about AI.

Then watch one number: adoption. If the sanctioned tool is good and reachable, shadow use falls because the path of least resistance now runs through your terms. If sanctioned adoption stays low while survey-reported use stays high, the gap between the two is your shadow estimate; you do not need a surveillance programme to see it, just the adoption dashboard beside the survey result. Provision, not prohibition, is the control that scales.

Police the boundary, narrowly

What does the policy actually prohibit? Only the prohibited band, the red one in the triage table, and it should say so in concrete examples, not abstractions: no client lists, no payroll data, no draft accounts, no passwords, into any unsanctioned tool. A narrow line is one staff can hold in their heads; a broad one is one they will rationalise around.

The consequence should sit on the same footing as the expenses policy or the data-handling policy: proportionate, escalating, and actually applied — paired with a standing amnesty for self-declared past use and near misses, because the policy must punish concealment, not honesty. A boundary that is policed erratically has been repealed in practice; staff read the enforcement, not the document. And the board must be able to police it credibly. Directors who cannot tell a consumer chatbot from an enterprise deployment cannot oversee the line they drew — that fluency gap is what AI board training exists to close.

What the board asks for quarterly

Shadow AI is not a project with an end date; it is a population to be managed. The board's instrument is a short standing report, quarterly, with five lines:

  1. The usage baseline and trend — the aggregate discovery read-out: sanctioned use, and the estimated shadow alongside it.
  2. Adoption of the sanctioned tool — and the stated reasons where teams remain outside it.
  3. Red-band incidents — number, nature, how many were self-declared versus discovered, and the consequence applied.
  4. Policy drift — new tools and use cases since last quarter, which band each was assigned to, and by whom.
  5. The data-protection paperwork — DPIA current, processor terms in force, records of processing updated.

A board that cannot yet produce this report should start by finding out how far away it is: the Board AI Scorecard takes about ten minutes and returns the gap list.

A ban feels like control. It is the opposite — it outsources your AI governance to whatever staff phones can reach, and burns the audit trail on the way out. Discover, triage, provide, police: that sequence keeps the evidence, keeps most of the hours saved, and keeps the processing your board already owns inside terms it actually set.

Last reviewed: 12 June 2026.


If the policy document itself is the blocker, our AI policy generator produces a tailored draft built on the discover-triage-provide structure — the practical next step before the next board meeting. For a fuller, assessor-led view of where your governance stands, a GovernIQ diagnostic starts from £3,950.

Tags: shadow AI · AI policy · board governance · UK GDPR · workplace monitoring · acceptable use
