AI tools and shadow AI
What may go into a chatbot, what may not, and how to check what comes back.
The employee does not enter company secrets, personal data, or client documents into AI tools without permission.
Threat
AI helps defenders and attackers: scams become more believable, while employees can accidentally leak data.
What to know
- A public AI chat is not automatically a safe place for client lists, contracts, code, passwords, or incident details: depending on the provider's terms, prompts may be stored, reviewed, or used for training.
- AI can be confidently wrong, so legal, financial, and security conclusions must be checked.
- Attackers use AI to create well-written scam messages and adapt them to a specific person.
- A safe AI policy defines which tools may be used and which data may be entered.
Actions
- Do not enter passwords, access keys, client data, or unpublished contracts into an AI tool.
- Anonymise before pasting: replace names, contact details, account identifiers, and any credentials with placeholders when an AI tool is only needed to improve wording.
- Check AI suggestions against an official source or company procedure.
- If an AI tool asks to connect a work account or grant broad permissions (for example full access to mail, files, or calendar), stop and ask before approving.
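The anonymisation step in the actions above, as an added example that is not part of the original page: a small pre-paste scrubber that masks e-mail addresses, phone numbers, AWS-style access key IDs, `password=`/`api_key=`/`token:` values, and any long high-entropy string before text is handed to an AI tool, and reports what it found so the user can decide whether the paste is still allowed. The regular expressions, the 20-character/3.5-bit entropy threshold, the `[REDACTED:…]` placeholder format, and the sample message are all constructed assumptions for illustration; tune them against your own data before relying on them.

```python
"""Pre-paste scrubber: mask identifiers and credentials before text goes to an AI tool.

Added example, not code from the original page. All patterns, thresholds and
the sample message below are illustrative assumptions.
"""
import math
import re

# (label, pattern, replacement). Specific credential formats come first so a
# generic rule never gets a chance to mangle them. All values are assumptions.
PATTERNS = [
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[REDACTED:AWS_ACCESS_KEY]"),
    ("email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[REDACTED:EMAIL]"),
    # international-ish phone numbers; written so that ISO dates (2024-01-15) do not match
    ("phone",
     re.compile(r"\+?\d{1,3}[\s.-]?\(?\d{2,4}\)?[\s.-]?\d{3,4}[\s.-]?\d{3,4}\b"),
     "[REDACTED:PHONE]"),
    # key=value or key: value secrets; the key name is kept, only the value is masked
    ("assigned_secret",
     re.compile(r"(?i)\b(password|passwd|pwd|api[_-]?key|secret|token)\b(\s*[:=]\s*)[^\s,;\"']+"),
     r"\1\2[REDACTED:ASSIGNED_SECRET]"),
]

# Bare tokens (JWT segments, API keys without a label) are caught by entropy.
# Placeholders contain ':' and brackets, which are outside this class, so an
# already-masked value is never re-flagged. Length and threshold are assumptions.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; English words of this length sit near 3


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string s."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scrub(text: str) -> tuple[str, dict[str, int]]:
    """Return (masked_text, findings) where findings counts each kind of redaction."""
    findings: dict[str, int] = {}
    for label, pattern, replacement in PATTERNS:
        text, n = pattern.subn(replacement, text)
        if n:
            findings[label] = n

    def mask_if_random(m: re.Match) -> str:
        token = m.group(0)
        if shannon_entropy(token) >= ENTROPY_THRESHOLD:
            findings["high_entropy"] = findings.get("high_entropy", 0) + 1
            return "[REDACTED:HIGH_ENTROPY]"
        return token

    text = TOKEN_RE.sub(mask_if_random, text)
    return text, findings


def safe_to_paste(text: str) -> bool:
    """True when the scrubber finds nothing; otherwise the user should review first."""
    return not scrub(text)[1]


# Constructed sample: the kind of message an employee might paste "just to fix the English".
SAMPLE = """Hi, can you tidy this message up for the client?
Contact: jane.doe@example.com or +44 7700 900123.
Staging login: api_key=9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c password: Winter2024!
export AWS_ACCESS_KEY_ID=AKIAQ7EXAMPLEKEY1234
curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.sig' https://api.example.internal
The internationalization work is on schedule."""

if __name__ == "__main__":
    masked, found = scrub(SAMPLE)
    print(masked)
    print("redactions:", found)
    print("safe to paste as-is:", safe_to_paste(SAMPLE))
```

The entropy rule is the one that needs care in practice: a 32-character hex secret has at most 4 bits per character, so a threshold above 4 would silently miss it, while a threshold below about 3 starts flagging ordinary long words. The scrubber is a last line of defence for text the user has already decided to paste, not a substitute for the allowed-data policy.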
Manager note
A blanket AI ban with no sanctioned alternative produces shadow AI: people use personal accounts and nobody sees what goes in. A short policy that names the approved tools and the data allowed in them works better.