Shadow AI: your staff are already using it

Here is the conversation we keep having with island CEOs, almost word for word. We ask how the firm uses AI. The answer is "we don't, really, we're being careful." Then, a few minutes later: "although I suspect some of the team use ChatGPT for bits and pieces." That suspicion is almost always correct, and it describes shadow AI: staff using AI tools through personal accounts, outside any policy, logging or control, because the organisation never gave them a sanctioned route.

What it looks like in practice

It looks like client correspondence pasted into a free chatbot to "tidy the wording". Meeting notes summarised on a personal account. A spreadsheet formula debugged by pasting the sheet, and the client names in it, into a tool nobody approved. Individually, each act is a person trying to do their job faster. Collectively, it's your firm's information flowing through consumer accounts you can't see, on terms you never accepted.

Why this matters more in regulated firms

For a trust company, a fund administrator or a law firm, the exposure is specific: client data leaving your controlled environment with no record it ever left. No log of what was shared, no data processing agreement covering it, no answer if a regulator or a client asks "where does our information go?" The uncomfortable part is that a firm can have a beautifully governed core system and still leak from the edges, one helpful employee at a time.

Why bans fail

The instinctive response is to block the tools. It doesn't work. The productivity gain is real, so usage doesn't stop; it hides: personal phones, home laptops, lunchtime. A ban converts visible, correctable behaviour into invisible behaviour, which is strictly worse. You cannot govern what you've pushed underground.

The fix is enablement, not prohibition

The firms handling this well do four things. They approve specific tools, so there's a sanctioned route that's genuinely good. They publish a short usage policy in plain language, including the "never paste this" list every member of staff can recite. They train people on their actual workflows, not generic demos, so the sanctioned route is also the fastest route. And they take one honest look at anything staff have already built on their own, because enthusiasm sometimes ships software, and software needs checking.

A first step that takes one meeting

Ask your team, without consequences attached, what tools they already use and for what. The answers are usually a relief: sensible people doing sensible things that simply need a frame around them. From there, a policy, an approved toolset and a half day of training turn your shadow AI problem into your AI capability, which is what it wanted to be all along.

We run this exact programme for island firms: usage policy, approved tools, hands-on training built around your workflows, from £1,450 for a half day, with a 90-minute leadership briefing from £750 if the board wants the picture first. The appetite in your team is an asset. Give it a safe channel before it finds an unsafe one.

Frequently asked questions

Is staff use of ChatGPT actually a data protection issue?

It can be. Client or personal data entered into a consumer AI account leaves your controlled environment with no agreement covering it and no record of the transfer. That's precisely the kind of processing your obligations expect you to know about and control.

Should we just block AI tools on the network?

Blocking moves the behaviour to personal devices where you have no visibility at all. A sanctioned route plus a clear policy governs the behaviour; a ban only hides it.

What does the training cover?

Safe, effective use of approved tools on your team's real workflows, the never-paste-this list, and a written usage policy your compliance function will accept. Half day from £1,450.

Talk to us before you talk to a platform.

A 20-minute call is enough to tell you whether AI is worth it for your operation, what it would cost, and what could go wrong. No pitch deck, no obligation.