Two-thirds of office professionals have used AI tools at work they believed weren’t permitted, according to PagerDuty’s June 2026 report. Here’s what shadow AI actually costs a scaling business, why banning fails, and the lightweight policy that works.
Ask your team who’s using ChatGPT for work. Then watch how many people suddenly find their shoes interesting.
The 2026 numbers on this are blunt. PagerDuty’s survey found 66% of office professionals have used AI tools at work despite believing they weren’t permitted. The Register put the growth of unsanctioned AI use at 4x in a single year, a figure Verizon’s 2026 breach report backs. And of the professionals using AI regularly, around two-thirds are doing it through personal accounts their IT setup has never seen.
If you run a 20-80 person business, this is already happening inside yours. The only question is whether you know what’s going into those tools.
What it actually costs
The headline risk is data. Client contracts pasted into free chatbots. Financial models uploaded to personal accounts. Customer data sitting in a consumer tool’s history, outside any agreement your business has signed.
IBM’s breach data puts a figure on it: organisations with high levels of shadow AI see breach costs around $670,000 higher than those without. Insider risk research tells the same story from another angle. Over half the cost now comes from people who meant no harm at all, just an employee on a deadline pasting the wrong thing into the wrong tool. BlackFog found 60% of employees would knowingly take risks to hit a deadline.
The legal exposure compounds the security one. If personal data has gone into an unapproved tool, you may have a UK GDPR problem before you’ve had a chance to have an opinion about it. And if that data belonged to a client, check your contracts: plenty of MSAs now include AI and subprocessor clauses that your team can breach from a personal phone on a Tuesday afternoon.
However, the risk that worries me more in scaling businesses is quieter: inconsistency. One salesperson uses AI to draft proposals, another doesn’t. One version of your pricing logic lives in someone’s chat history. Quality varies wildly and nobody can say why, because half the workflow is invisible.
Why banning fails
The instinctive response is a blanket ban. I’ve watched this play out, and it fails every time, for a simple reason: the tools work.
Your team isn’t using AI to be reckless. They’re using it because it turns a two-hour task into a twenty-minute one, and they’ve got targets. A ban doesn’t stop that. It just pushes the usage further underground, onto personal phones and home laptops, where you have even less visibility than before.
Some 80% of organisations say they’re worried about data leaking through generative AI. 60% still have no strategy for it. That gap between worry and action is where the damage happens.
What to do instead
You don’t need a 40-page policy. You need four things a new hire could understand in ten minutes:
- An approved tools list. Pick 2-3 tools on business accounts (with the data protections that come with them), pay for proper licences, and make them easy to access. Most shadow AI exists because the sanctioned route is slower than the unsanctioned one.
- Simple data rules. Be specific about what never goes into any AI tool: client-identifiable data, credentials, anything under NDA. Three categories, clearly named. People follow rules they can remember.
- A named owner. Someone accountable for reviewing the tools list, handling questions, and updating the rules as the tech moves. In a business your size that’s a hat someone wears, and it works fine, provided the hat actually sits on a head.
- An amnesty. Ask everyone what they’re currently using and what for, with no consequences. You’ll learn more about your real workflows in that one exercise than in most process audits. Some of what surfaces will be worth adopting properly.
That’s it. Written down, communicated once, revisited quarterly.
The upside hiding in the problem
Here’s the reframe worth sitting with: 66% of your team quietly adopting a technology is a signal. They’ve found friction in their work and gone looking for a fix themselves, unpaid and unprompted.
Most founders would kill for that level of initiative. The job is to point it somewhere safe.
The businesses getting this right in 2026 aren’t the ones with the strictest controls. They’re the ones who made the safe path the fast path, then got out of the way.
Want help?
If you’d like a clear picture of what’s actually happening inside your operation (AI included), that’s what the Ops Audit is for: a two-week diagnostic covering your top risks and the quick wins hiding next to them. Fixed fee from £5,000. Or book a free 30-minute discovery call and we’ll talk it through.
Sources
- PagerDuty, Shadow AI Workplace Survey, June 2026
- The Register, “Shadow AI invades the workplace, up 4x in the last year”, May 2026
- TechTimes, “Shadow AI Cybersecurity Risk Spikes as 45% of Workers Use Unsanctioned Tools”, June 2026
- IBM, Cost of a Data Breach Report 2025
- BlackFog shadow AI research