Data & Privacy · Updated June 2026

Shadow AI at Work: When Employees Upload Company Data to ChatGPT Without Asking

Your team is almost certainly using AI already — and most of them for the best possible reason: it helps them work faster. Someone pastes a messy spreadsheet into ChatGPT to clean it up, or asks it to summarise a long report before a meeting, and saves an hour. The intent is good and the productivity is real. The problem isn't AI, and it usually isn't the employee. It's that the use is invisible and unmanaged — nobody decided what's allowed, so everyone quietly decides for themselves. That's "shadow AI": staff using AI tools at work without their employer's knowledge, approval, or oversight. Here's why it happens, where the real risk sits for an Irish business, and a free starter policy you can adopt today.

Why well-meaning employees do it

Shadow AI isn't rebellion — it's convenience. Under deadline pressure, AI removes the friction from the boring parts of a job, so people reach for it. And in most workplaces no one has said either yes or no, so staff simply decide for themselves. It's widespread: Microsoft's 2024 Work Trend Index found that 78% of AI users bring their own AI tools to work — rising to 80% at small and medium businesses — and that three in four knowledge workers already use AI on the job.

Crucially, most people don't experience pasting a spreadsheet as "sharing data." It feels like using a calculator, not sending a file to a third party — so the privacy implication never crosses their mind. Many also keep it to themselves: a 2025 KPMG and University of Melbourne study of 48,000 people found 57% present AI-assisted work as their own and hide that they used it.

The takeaway: this is normal behaviour by good employees, not misconduct by bad ones. Which is exactly why a ban-and-punish reflex misfires — and why clear guidance works.

What it looks like in practice

None of these involve a bad actor. Each is an ordinary person trying to get a job done — and each quietly exports data the business is responsible for.

The board summary

An employee pastes a spreadsheet of staff salaries into ChatGPT to "summarise it for the board."

What actually happens: The personal data of every employee — names and pay — is now in a third-party tool.

The chase email

Someone uploads a client's bank statement to draft a polite payment-reminder email.

What actually happens: A client's financial data has been sent onward to a company they never agreed to.

The "what does this tell me?"

A manager drops the management accounts in and asks for instant analysis before a meeting.

What actually happens: Confidential company financials leave the building in a single paste.

The marketing copy

A marketer feeds in the full customer list to generate a personalised campaign.

What actually happens: Customers' personal data is exported — without their knowledge or a lawful basis.

This isn't hypothetical. In 2023, Samsung engineers pasted internal source code and meeting notes into ChatGPT to save time — and within weeks the company restricted generative AI across the business. The lesson wasn't "AI is dangerous"; it was that without a clear line, capable people will export sensitive data without realising it.

The GDPR angle Irish businesses miss

Here's the part that catches employers out: as the data controller, you're responsible for personal data processed under your control — including processing you never authorised. "I didn't know my staff were doing that" isn't a defence. Under GDPR's accountability principle, the absence of a policy, training, and basic controls is itself the gap, and the business generally remains exposed.

There are two practical risks. First, personal data typed into a consumer AI tool can be used to train the model by default on free and Plus accounts unless someone has turned that setting off — and there's no EU data residency on those tiers. Second, sending EU personal data to a US-based consumer tool is a restricted international transfer under Chapter V of the GDPR, which needs a lawful safeguard in place.

You don't need to become a lawyer about this. The Data Protection Commission has published guidance on AI, large language models and data protection, and the practical fix is simple: a clear line about what staff can and can't put into an AI tool. (For the same reason, be wary of free online tools that route documents through AI.)

A ban doesn't work — guardrails do

The instinct is to ban AI outright. The problem is that a ban doesn't remove the behaviour — it removes your visibility of it. People switch to personal phones and personal accounts, and the activity disappears into the shadows where you can't manage it at all. In one 2024 survey, 46% of workers said they wouldn't give up their personal AI tools even if their employer banned them.

The businesses with the fewest incidents aren't the strictest ones — they're the ones that offer a simple, safe, approved way to use AI. That means three things: an approved tool on the right tier, a few bright-red lines about what must never go in, and a culture where asking "is this OK?" is genuinely easy and never punished.

In other words, channel the productivity — don't try to switch it off. The policy below does exactly that.

A free starter AI use policy for small Irish businesses

Copy this, adapt the approved-tools line to whatever you use, and share it with your team. One page is enough to remove most of the risk.

Always OK — no approval needed

  • Drafting and rewording text from a non-confidential brief (emails, blog outlines, job ads)
  • Brainstorming, summarising public information, and explaining concepts
  • General research and "how do I…" questions
  • Code or formula help that contains no real company or personal data

Never without approval

  • Personal data — staff or customer names, addresses, salaries, PPSNs, photos
  • Financial records, management accounts, or payroll
  • Client, supplier, or partner confidential information
  • Passwords, API keys, or any credentials
  • Anything marked confidential — or that you wouldn't email to a stranger

Approved tools

Use the business/enterprise tier of an approved AI tool, where your data isn't used for training by default and EU data residency is available — not personal free accounts. On free or Plus accounts, switch off "Improve the model for everyone" in Data Controls.

When in doubt, ask

Asking is always fine and is never penalised. If you're unsure whether something is OK to enter into an AI tool, check first. Making questions safe is what keeps use out of the shadows.

Lock down the high-risk categories by design

A policy handles judgement calls — but some data is too sensitive to leave to a judgement call made under deadline pressure. The strongest control for those categories is structural: handle the data in systems that don't use AI at all, so there's simply nothing to leak.

Travel and expense data is a good example. It quietly contains a lot of personal data — staff names, home addresses, journey patterns, and bank details — and it's exactly the kind of thing someone might paste into AI to "tidy up" or summarise. Keep it in a tool that never sends it to any AI, and that whole category drops off the list of things your policy has to police. That's one less risk to manage, by design. For everything that does stay in AI, our guide to choosing AI tools you can trust gives you a checklist to vet each one.

One less category to police

Expense.ie keeps a whole category — travel & expense data — out of AI by design. Every calculation is a deterministic, rule-based engine on current Irish Revenue rates, and your data stays in our EU-hosted system, never sent to any AI.