Are my employees using AI with company data?

It's a bigger privacy problem than you think.

Vetted Portal

6/20/20253 min read

four woman on brown wooden table looking at laptops
four woman on brown wooden table looking at laptops

It's highly probable your employees are using AI with company data, even if you haven't explicitly provided them with official tools or given them permission. This phenomenon is often called "Shadow AI" or "Bring Your Own AI (BYOAI)," and it's a significant and growing concern for businesses.

Here's why you should assume this is happening and what the implications are:

Why it's likely happening:

  • Accessibility of Public LLMs: Tools like ChatGPT, Claude, and Google Bard are incredibly easy to access and often free or low-cost. Employees are already using them in their personal lives and naturally think of them for work-related tasks to boost efficiency.

  • Productivity Gains: Employees are discovering that AI can genuinely help them with tasks like drafting emails, summarizing documents, brainstorming ideas, writing code, or analyzing data. The temptation to use these tools to work faster and smarter is very strong.

  • Lack of Awareness: Many employees simply don't understand the data security implications of inputting company-sensitive information into public AI models. They don't realize that their queries might be used to train the model, potentially exposing confidential data.

  • "Solutions" for Everyday Problems: If a task is tedious or time-consuming, and an AI tool can help, employees will find ways to use it, regardless of official policy.

  • Ubiquitous AI Integration: AI is being integrated into many common business applications (e.g., Microsoft Copilot in Office 365, Notion AI, even some CRMs). Employees might be using these integrated AI features without even realizing the extent of their AI usage or its data implications.

Risks of unauthorized AI usage with company data:

  • Data Leaks and Confidentiality Breaches: This is the biggest risk. Sensitive company information (customer data, financial records, intellectual property, trade secrets, employee PII) entered into public LLMs can become part of their training data, potentially accessible to others or used in future responses.

  • Loss of Intellectual Property (IP): If employees are using AI to generate content based on proprietary company information, that IP might lose its protection if it's fed into a public model.

  • Compliance Violations: Many industries have strict data privacy regulations (GDPR, HIPAA, CCPA, etc.). Unauthorized AI usage can lead to severe fines and legal repercussions if sensitive data is mishandled.

  • Inaccurate Information / "Hallucinations": AI models can "hallucinate" or provide incorrect information. If employees rely on these outputs for critical business decisions, it can lead to costly mistakes.

  • Malware and Security Vulnerabilities: Unvetted AI tools can be vectors for malware, phishing attacks, or other cyber threats, creating new entry points for attackers.

  • Shadow IT and Lack of Control: When employees use unsanctioned tools, IT and security teams lose visibility and control over data flows, making it impossible to enforce security policies.

  • Reputational Damage: A data breach or privacy incident caused by unauthorized AI usage can severely damage your company's reputation and erode customer trust.

How to determine if your employees are using AI with company data:

Since direct asking might not yield complete honesty due to fear of repercussions, you need a multi-faceted approach:

  1. Network Monitoring:

    • DNS Logs/Firewall Logs: Look for traffic to known AI service domains (e.g., openai.com, perplexity.ai, anthropic.com, claude.ai, gemini.google.com, etc.).

    • Cloud Access Security Brokers (CASB): These tools can monitor and control access to cloud applications, including identifying unsanctioned AI services and blocking sensitive data uploads.

    • DLP (Data Loss Prevention) Solutions: Implement DLP tools that can detect and prevent sensitive data from being uploaded to unauthorized cloud services, including AI platforms.

  2. Endpoint Monitoring:

    • Employee Monitoring Software: Tools like ActivTrak, DeskTrack, Teramind, or Insightful can track application usage, website visits, and even copy-pasted content, helping identify when employees are interacting with AI tools.

    • Antivirus/Endpoint Detection and Response (EDR): These tools might flag unusual activity or connections to unsanctioned applications.

  3. SaaS Portfolio Audits: Regularly audit the SaaS applications your employees are using. Many legitimate SaaS tools now have AI features embedded, and you need to understand how those features handle your data.

  4. Employee Surveys (Anonymous): While not foolproof, an anonymous survey about AI usage (without punitive framing) can provide valuable insights into what tools employees find useful and why they use them.

  5. Policy Review and Communication: Even if you detect usage, the first step isn't punishment. It's to acknowledge the trend, educate employees on the risks, and provide them with safe, approved alternatives and clear guidelines.

In conclusion, it's highly probable your employees are already leveraging AI, and likely with company data. The critical next step is to gain visibility into this usage, educate your workforce on the risks, and implement robust governance and secure AI solutions to protect your valuable information.

Vetted Portal is your partner to begin or enhance your AI journey. Call Rich at 585-905-4177 to learn more.

Empowering businesses with AI-driven solutions and insights.

Connect

Support

rich@vettedportal.com

+1 585-708-7573

© 2025. All rights reserved.