Your AI policy is working. That's the problem.
Most organisations did two things at once. They bought a sanctioned AI tool, Copilot or ChatGPT Enterprise or similar. And they wrote a policy telling staff not to put confidential, privileged, or regulated material into it.
Both decisions were sensible. But together, they created a blind spot.
Your most sensitive work is now the work your approved tool is not allowed to touch. That work did not stop. It moved.
This is the question worth sitting with, and very few organisations can answer it:
What work is our AI policy actually stopping our people from doing, and where is it going instead?
The gap the policy created
The material your people most want AI help with is usually the material your policy excludes. The contract, the client matter, the incident report, the deal model, the patient summary, the internal investigation. High value, high sensitivity, high effort.
Your staff are not malicious. They are trying to do their jobs under a rule that forbids the tool that would help most. When the sanctioned path is closed and the deadline is real, people find another path.
That is not a discipline problem. It is a design problem.
Where the work actually goes
When a corporate AI tool is off limits, the work tends to reappear in places your controls do not reach:
Personal accounts. A staff member opens a chatbot on their own login, on their own device, and pastes in the document. Your enterprise agreement, your data-handling terms, and your logging do not apply. On consumer tiers, inputs can be used to improve the provider's models.
Browser-based AI. In-browser assistants, AI sidebars, and extensions that see whatever is on the page, including your DMS, your CRM, and your webmail.
AI features inside tools you already approved. The SaaS product you vetted two years ago has quietly shipped an AI feature that sends content to a model provider, sometimes via a subprocessor that postdates your vendor review. Your assessment predates the capability.
API and developer traffic. Scripts, agents, and integrations calling model APIs directly, often outside any sanctioned inventory.
The common thread is that the leakage does not happen where you are looking.
Heard on the wire
This is no longer a theoretical risk. A few developments worth having on your radar.
A US federal court has now ruled that public AI use waives privilege. In US v. Heppner (No. 1:25-cr-00503, S.D.N.Y., 18 February 2026), Judge Jed S. Rakoff held that a defendant who used the public version of Claude to prepare case documents, then passed them to his lawyers, had waived attorney-client privilege and work-product protection. The reasoning is uncomfortable in its simplicity: a public AI platform is a third party with no obligation of confidentiality, so disclosure to it is disclosure, full stop. As the analysis of the ruling puts it, privilege "dies upon submission." (TransPerfect Legal)
The same commentary draws the conclusion GCs should note: the answer is not to abandon AI, but to confine sensitive work to private AI instances governed by terms that actually prohibit third-party disclosure. Enterprise agreements that genuinely exclude training and carry enforceable confidentiality commitments change the analysis. Free public tools do not.
Shadow AI has become a mainstream insider risk, not an edge case. The 2026 Verizon DBIR reports that 45% of employees are now regular AI users on corporate devices, up from 15% a year earlier, with shadow AI now treated as a top insider threat. (Kiteworks)
People are using AI they believe is banned. Roughly two-thirds of office professionals report having used AI tools at work despite believing it was against policy, and around a quarter say they have entered confidential company data into public AI tools. (Airia, Red Team Partner)
Leadership is not seeing it. Roughly half of employees are using unsanctioned AI tools, and senior leaders are among the worst offenders. (CIO) The Register put the gap more bluntly: bosses are "blinded by confidence" about shadow AI use by their own workers. (The Register)
Almost nobody can measure it. Only about a third of organisations report having any formal shadow-AI detection program in place. (Airia)
And the bans keep coming. Samsung restricted public AI tools after an engineer uploaded source code. Apple, Amazon, JPMorgan Chase, Verizon, Spotify and most large law firms have introduced similar restrictions. Bans are now the norm. Compliance with them is not.
The questions most organisations cannot answer
Try these on your own environment:
- How much confidential material went into AI tools last month, and from which departments?
- Which AI tools are actually in use here, including the ones nobody requested?
- What types of work are people using AI for, not just how often?
- If a regulator or a client asked us to produce an audit trail of what left our environment and where it went, could we?
If the answer to most of these is "we would have to guess," then what you have is a policy, not a control. Policy without telemetry is a hope.
TransPerfect's own test is a good one to steal: if you cannot say where the data goes, who can access it, and how long it is kept, do not prompt with sensitive content.
The risks that are easy to miss
Terms drift. What is excluded from training today is a contractual position, not a physical boundary. Terms, subprocessors, and retention windows change. You are trusting a policy you do not write, on infrastructure you do not own.
Consumer versus enterprise is a real distinction, and your staff do not respect it. Your enterprise agreement may prohibit training on your data. The free account your employee used at 11pm does not, and as Heppner shows, the courts now treat that difference as decisive.
Discovery. Even where the prompt never surfaces, AI outputs become documents. New documents are discoverable, and a regulator or opposing party may be entitled to them.
Trade secret protection. Proprietary information can lose protected status if you cannot demonstrate reasonable measures to keep it secret. Pasting it into a public model is difficult to characterise as reasonable.
Contractual breach. Many MSAs, NDAs, DPAs and outside counsel guidelines prohibit disclosure to third parties without consent. A public model is a third party. One helpful prompt can be a breach.
A note for General Counsel
For legal and compliance leaders, the exposure is sharper, and Heppner has made it concrete rather than hypothetical.
There is also a commercial edge appearing. Corporate clients have begun writing AI restrictions into outside counsel guidelines, and bodies like the Association of Corporate Counsel now publish sample AI guidelines for outside counsel. Most existing OCGs predate AI entirely and say nothing about which tools may touch client data or where that data is processed. That is being corrected quickly.
When a major client says no third-party AI may touch their matters, a firm that cannot demonstrate a controlled, private alternative does not just have a compliance problem. It has a revenue problem.
Why blocking, on its own, makes it worse
The instinctive response is to block harder. It is the wrong reflex, for a specific reason.
Blocking without providing an alternative does not remove the demand. It relocates it, usually onto personal devices and personal accounts, where you have no visibility at all. You have not reduced the risk. You have reduced your ability to see it, while creating quiet resentment in the teams doing the most valuable work.
The numbers above make the point. Bans are already near-universal. Two-thirds of people are working around them anyway.
The most dangerous state is not permissive AI use. It is a policy everyone ignores, because then you carry the risk and the blindness.
What honest visibility looks like
A few principles worth holding, whoever you buy from:
Measure before you police. You cannot govern what you have never counted. Start with a passive, read-only picture of what is actually happening.
Capture the task, not just the violation. Knowing that finance sent confidential data to an AI tool is a security finding. Knowing they were summarising vendor contracts is a business requirement. The second one tells you what to build.
Metadata, not content. You do not need to read your employees' prompts to understand your exposure. Store the verdict, not the text. It makes security review easier and keeps you well clear of becoming a surveillance function.
Do not name individuals. Report at department and role level. The moment staff believe the tool exists to catch them personally, you lose the cooperation you need.
And be honest about the limits. Some vendor-embedded AI, Copilot inside Word being the obvious example, is internal to that vendor and cannot be inspected by your network controls. The surface you can see, browser AI, personal accounts, and API traffic, happens to be where most of the real leakage lives. Anyone who tells you they can see everything is selling you something.
The better question
The organisations handling this well have stopped asking "how do we stop people using AI." They are asking:
Which of our work is too sensitive for the tools we have, and what safe path can we give it?
Because that work is not going away. It is the most valuable work in the building. The only real choice is whether it happens somewhere you can see and control, or somewhere you cannot.
If you want a clear picture of what is actually happening with AI in your organisation, I am glad to talk it through, whether or not we end up working together. You can grab a time here: https://calendly.com/seankoretex