We have shadow AI in our company. Now what?

Common questions from Lincoln leaders

Should we ban consumer AI tools immediately?

Almost never works as a first move. A ban without an approved alternative pushes use further underground — onto personal devices and home networks. Express-Harris 2026 found only 36% of companies provide an approved tool list at all.

How do we find out how widespread it is?

Anonymous staff survey. Ask: which AI tools have you used for work in the last month? On company or personal accounts? With company data?

Is this a fireable offense?

Treating shadow AI as a discipline issue is usually the wrong move. Most shadow AI starts because employees are trying to do their jobs better. Punitive responses kill the trust you need to surface other issues later.

What about the data that's already gone into ChatGPT?

Depends on the tier. Free-tier and consumer-tier accounts typically train on user input by default unless explicitly turned off. Enterprise tiers have data-residency and no-training guarantees. For data that went into free-tier, the practical answer is usually 'it's gone' — and the response is policy + training going forward.

We're a regulated industry. What's the actual risk?

Real and tier-specific. NAIC IGD-H1 (Nebraska, June 2024) requires insurers to maintain a written AIS Program. OCC interagency third-party guidance applies to banks. HIPAA covered entities cannot put PHI into a tool without a BAA. Each gets harder to demonstrate compliance with the more shadow AI you have.

What's the first move?

Audit, then approve, then train. Audit first (anonymous survey + network logs). Stand up enterprise tier of one or two tools. Publish the approved list. Train staff. Attestation. Quarterly review.