Here is the conversation we keep having with island CEOs, almost word for word. We ask how the firm uses AI. The answer is "we don't, really, we're being careful." Then, a few minutes later: "although I suspect some of the team use ChatGPT for bits and pieces." That suspicion is almost always correct, and it describes shadow AI: staff using AI tools through personal accounts, outside any policy, logging or control, because the organisation never gave them a sanctioned route.
What it looks like in practice
It looks like client correspondence pasted into a free chatbot to "tidy the wording". Meeting notes summarised on a personal account. A spreadsheet formula debugged by pasting the sheet, and the client names in it, into a tool nobody approved. Individually, each act is a person trying to do their job faster. Collectively, it's your firm's information flowing through consumer accounts you can't see, on terms you never accepted.
Why this matters more in regulated firms
For a trust company, a fund administrator or a law firm, the exposure is specific: client data leaving your controlled environment with no record it ever left. No log of what was shared, no data processing agreement covering it, no answer if a regulator or a client asks "where does our information go?" The uncomfortable part is that a firm can have a beautifully governed core system and still leak from the edges, one helpful employee at a time.
Why bans fail
The instinctive response is to block the tools. It doesn't work. The productivity gain is real, so usage doesn't stop; it hides, on personal phones, home laptops and lunchtime browsing. A ban converts visible, correctable behaviour into invisible behaviour, which is strictly worse. You cannot govern what you've pushed underground.
The fix is enablement, not prohibition
The firms handling this well do four things. They approve specific tools, so there's a sanctioned route that's genuinely good. They publish a short usage policy in plain language, including the "never paste this" list every member of staff can recite. They train people on their actual workflows, not generic demos, so the sanctioned route is also the fastest route. And they take one honest look at anything staff have already built on their own, because enthusiasm sometimes ships software, and software needs checking.
A first step that takes one meeting
Ask your team, without consequences attached, what tools they already use and for what. The answers are usually a relief: sensible people doing sensible things that simply need a frame around them. From there, a policy, an approved toolset and a half day of training turn your shadow AI problem into your AI capability, which is what it wanted to be all along.
We run this exact programme for island firms: usage policy, approved tools, hands-on training built around your workflows, from £1,450 for a half day, with a 90-minute leadership briefing from £750 if the board wants the picture first. The appetite in your team is an asset. Give it a safe channel before it finds an unsafe one.
Frequently asked questions
Is staff use of ChatGPT actually a data protection issue?
It can be. Client or personal data entered into a consumer AI account leaves your controlled environment with no agreement covering it and no record of the transfer. That's precisely the kind of processing your obligations expect you to know about and control.
Should we just block AI tools on the network?
Blocking moves the behaviour to personal devices where you have no visibility at all. A sanctioned route plus a clear policy governs the behaviour; a ban only hides it.
What does the training cover?
Safe, effective use of approved tools on your team's real workflows, the never-paste-this list, and a written usage policy your compliance function will accept. Half day from £1,450.
