computer2cloud supports UK businesses with reliable and secure IT and technology management.
AI is the topic on everyone's lips right now. It's helping teams write faster, analyse data, and cut hours of administration. But while many leadership teams are still debating their official AI strategy, there's a good chance staff have already made the decision for them.
This is known as Shadow AI: employees using tools like ChatGPT, Gemini, or Copilot at work without IT's knowledge or approval.
According to Microsoft UK research, 71% of UK employees have used unapproved AI tools at work, with over half of them doing so weekly. The government's own Cyber Security Breaches Survey 2025/26 found that while a third of UK businesses are now using or adopting AI, only around a quarter of those have any cyber security practices in place to manage risks.
This has already caused real damage
It isn't hypothetical. In 2023, Samsung engineers pasted confidential source code and internal meeting notes into ChatGPT on three separate occasions within a month, looking for a quick fix to a coding problem. That data was gone the moment it was submitted – stored on a third party's servers, with no way for Samsung to retrieve or delete it. The company responded by banning the tool and building a locked-down alternative.
More recently, in 2026, web infrastructure provider Vercel confirmed a data breach traced back to a third-party AI tool that an employee had connected to company systems, while IBM's 2025 Cost of a Data Breach Report found that 20% of organisations have now experienced a breach directly linked to shadow AI use.
Why it matters
Once data is in a public AI tool, you generally lose control of it – no audit trail, no contract, often no idea where it's stored. UK GDPR requires you to demonstrate control over personal data, which is hard to prove once it's been pasted into an unmanaged chatbot. The ICO is now actively monitoring AI use, and if you trade with the EU, AI Act obligations add another layer.
What should I do instead?
For many organisations, the answer isn't banning AI altogether, but providing staff with approved tools that sit within existing security and compliance controls.
Providing solutions such as Microsoft Copilot can offer many of the productivity benefits while remaining aligned with your Microsoft 365 environment, user permissions, and data governance policies.
Not every business needs Copilot, but every business should have a clear policy around which AI tools are approved and how they can be used safely.
Manage it, don't ban it
Outright bans rarely work as people simply find workarounds.
A better approach:
• Find out which AI tools your team are already using
• Put a simple, written AI usage policy in place
• Provide approved, secure alternatives
• Keep client data, financial information, and contracts away from public AI tools
• Include AI usage as part of your wider IT security strategy and reviews
Want to know where you stand?
If you're unsure what AI tools are already being used across your business, or whether your current policies and controls are fit for purpose, we can help.
We can review your current setup, identify potential risks, and help you put practical controls in place so your business can benefit from AI without compromising security, compliance and control.
Take our free Security Health Check or get in touch for a quick, no-obligation chat.
I have over 12 years of business telecoms and IT sales experience, and I work based on referrals from customers I have helped and the partners and buying groups I’ve worked with.