
AI Governance: How to Stop Shadow AI Putting Your Business at Risk

Over 60% of employees are using AI tools outside their organisation's controlled environment every day. Discover what Shadow AI is, why it creates serious GDPR and data breach risks, and how Wavex helps you implement a layered governance framework using Microsoft Purview, Defender for Cloud Apps, and Cisco Umbrella.


AI tools such as Microsoft Copilot, ChatGPT, Claude, Grok, and Gemini are now embedded in day-to-day working life. They help staff write emails, summarise documents, analyse data, and accelerate almost every knowledge task. But alongside the productivity gains, a significant and largely unaddressed risk is emerging: employees are routinely pasting sensitive business information into AI tools that operate entirely outside your organisation's control.

Wavex research into AI usage patterns across client organisations found that over 60% of staff are actively using AI tools outside their organisation's tenant on a daily basis. This is not a future risk to plan for. It is already happening, and in most organisations it is happening without any visibility or governance framework in place.

What Is Shadow AI and Why Does It Matter?

Shadow AI refers to the use of AI tools by employees without the knowledge, approval, or oversight of their IT or security teams. It mirrors the concept of Shadow IT - the use of unauthorised applications and services - but with a critical difference: AI tools are specifically designed to process, interpret, and generate content from the data you feed them.

The risk is not malicious intent. In the vast majority of cases, employees using public AI tools are simply trying to do their jobs more efficiently. Common examples include improving the wording of a client email, summarising a lengthy document, or asking an AI to analyse a spreadsheet. Each of these actions feels routine and harmless. But when the data involved includes client information, financial records, personal data, or confidential internal documents, the consequences can be severe.

When staff use AI platforms that operate outside your organisation's tenant - such as the public versions of ChatGPT, Claude, or Gemini - they are not working in a controlled, private environment. Data entered into these platforms may be processed, stored, and in some cases used for model training. Once that data leaves your environment, you have lost control of it. Depending on what was shared, you may have already breached client confidentiality, violated contractual obligations, or triggered a reportable data breach under GDPR, requiring notification to the ICO within 72 hours.

The Scale of the Problem

| Risk Factor | Detail | Potential Consequence |
|---|---|---|
| Public AI tool usage | Over 60% of staff using non-enterprise AI daily (Wavex research) | Uncontrolled data leaving the organisation's environment |
| GDPR data breach exposure | Personal or sensitive data entered into public AI platforms | ICO notification required within 72 hours, potential fines |
| Client confidentiality | Client data summarised or analysed using public AI tools | Breach of contract, reputational damage, loss of client trust |
| Shadow AI invisibility | No IT visibility of which tools are being used or what data is shared | No ability to detect, respond to, or evidence a breach |
| Model training risk | Some public AI platforms use inputs to improve their models | Sensitive data potentially surfaced in responses to other users |

How Wavex Addresses AI Governance

Most organisations already have the foundations needed to reduce this risk significantly. The challenge is not a lack of technology - it is a lack of configuration, policy, and visibility. Wavex recommends a layered approach that combines detection, control, and user enablement, so that AI can be used safely rather than blocked outright.

Microsoft Purview: Data Protection at the Source

Microsoft Purview is a data governance and compliance platform that operates across your Microsoft 365 environment. It detects sensitive information - including personal data, financial records, and confidential documents - and can warn or block users before that information is shared inappropriately. Every data interaction is logged, creating a full audit trail that supports GDPR compliance and provides evidence in the event of an investigation.

For organisations already using Microsoft 365, Purview is often already available as part of their licensing. The challenge is activation and configuration, which requires an understanding of your data classification requirements and the policies needed to enforce them. Wavex configures Purview as part of our cybersecurity and compliance service, ensuring that sensitive data is identified, labelled, and protected before it can be inadvertently shared.
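To make the "detect, warn or block before sharing, and log everything" pattern concrete, here is an added example of a small prompt classifier in the spirit of the Purview controls described above. It is illustrative code written for this article, not Microsoft Purview or its API: the detection patterns (email address, UK National Insurance number, payment card number with a Luhn check, confidentiality markers), the severity weights, the warn/block thresholds and the sample prompt are all assumptions chosen for demonstration.

```python
import re
from dataclasses import dataclass, field

# Added illustration of DLP-style scanning before text reaches an external AI tool.
# Not Purview code; patterns, weights and thresholds below are assumptions.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# UK NI number: two letters (restricted alphabet), six digits, suffix A-D.
UK_NINO_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b", re.IGNORECASE)
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
CONFIDENTIAL_RE = re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY|DO NOT DISTRIBUTE)\b", re.IGNORECASE)

# Severity weights (assumed): "warn" at WARN_AT, "block" at BLOCK_AT.
WEIGHTS = {"email": 1, "uk_nino": 3, "payment_card": 3, "confidential_marker": 2}
WARN_AT, BLOCK_AT = 1, 3


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so arbitrary digit runs (invoice numbers etc.) are not reported as cards."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep only the last four characters so the audit trail never stores the full value."""
    compact = re.sub(r"[ -]", "", value)
    return "*" * max(len(compact) - 4, 0) + compact[-4:]


@dataclass
class Verdict:
    action: str                                   # "allow", "warn" or "block"
    findings: list = field(default_factory=list)  # (finding type, redacted sample)
    score: int = 0


def classify_prompt(text: str) -> Verdict:
    """Scan text destined for an external AI tool and decide allow / warn / block."""
    v = Verdict(action="allow")
    for m in EMAIL_RE.finditer(text):
        v.findings.append(("email", redact(m.group())))
    for m in UK_NINO_RE.finditer(text):
        v.findings.append(("uk_nino", redact(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            v.findings.append(("payment_card", redact(digits)))
    for m in CONFIDENTIAL_RE.finditer(text):
        v.findings.append(("confidential_marker", m.group()))
    v.score = sum(WEIGHTS[kind] for kind, _ in v.findings)
    if v.score >= BLOCK_AT:
        v.action = "block"
    elif v.score >= WARN_AT:
        v.action = "warn"
    return v


def audit_record(user: str, destination: str, verdict: Verdict) -> dict:
    """Audit entry holding redacted samples only: evidence for an investigation, not a copy of the data."""
    return {
        "user": user,
        "destination": destination,
        "action": verdict.action,
        "score": verdict.score,
        "findings": [{"type": kind, "sample": sample} for kind, sample in verdict.findings],
    }


# Constructed sample prompt of the kind an employee might paste into a public AI tool.
SAMPLE_PROMPT = (
    "Please tidy up this client summary. CONFIDENTIAL. "
    "Contact: jane.doe@example.co.uk, NI number AB123456C, "
    "card on file 4111 1111 1111 1111."
)

if __name__ == "__main__":
    verdict = classify_prompt(SAMPLE_PROMPT)
    print(audit_record("jane.doe", "chat.openai.com", verdict))
```

The design point is that the decision and the audit record are produced together: a blocked paste is only useful evidence if the log shows what category of data was involved, and only safe if the log does not itself become a second copy of the sensitive value.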

Microsoft Defender for Cloud Apps: Visibility Across Your Environment

Microsoft Defender for Cloud Apps provides visibility and control over the cloud applications and AI tools being accessed across your organisation. It identifies which AI tools staff are using, highlights risky behaviours such as large data uploads to external platforms, and enables you to control or restrict access to unsanctioned services.

Defender for Cloud Apps gives your IT team immediate visibility of Shadow AI activity across the organisation - often revealing usage patterns that were entirely unknown before deployment. This visibility is the first step in any effective AI governance framework. Without it, you cannot manage what you cannot see.

Cisco Umbrella and a Tiered AI Access Model

A DNS-layer protection approach using Cisco Umbrella, combined with a tiered AI usage policy linked to user identity, allows organisations to enable AI safely rather than applying a blanket block that drives usage further underground. Wavex recommends the following three-tier model as a starting framework, which can be adapted to your organisation's specific risk appetite and operational requirements.

| User Tier | AI Access Level | Controls Applied |
|---|---|---|
| General Users | Approved enterprise AI tools only (e.g. Microsoft Copilot) | Block or limit access to unsanctioned public AI platforms; prevent data upload to high-risk services |
| Power Users / Developers | Broader access to selected AI tools (e.g. ChatGPT, Claude) | Controlled usage with monitoring and policy enforcement; suitable for productivity and development use cases |
| AI Researchers / Innovation Teams | Wide range of AI models and platforms | Fewer restrictions but with full logging and oversight; enables evaluation of new tools for business adoption |

These policies are enforced at the network and identity level using Cisco Umbrella, ensuring consistent control regardless of whether staff are working in the office, at home, or on the road. The result is a clear separation between safe, sanctioned AI usage and higher-risk experimentation - with appropriate oversight applied at every level.
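The following added example shows how the three-tier model above can be expressed as a policy evaluated at DNS resolution time, and how the same evaluation doubles as the visibility report that the Defender for Cloud Apps section describes (which AI services each user reached for, and what the policy did about it). It is illustrative code written for this article, not Cisco Umbrella's or Defender for Cloud Apps' configuration format or API. The AI service domains, the identity group names, the tier assignments and the sample DNS query records are all assumptions; a real catalogue of AI services changes constantly and would come from the vendor's category feed rather than a hard-coded table.

```python
from dataclasses import dataclass
from typing import Optional

# Added illustration of identity-tiered AI access evaluated per DNS query.
# Not Umbrella code; domains, groups and tiers below are assumed values.

# Tier order: 0 = General Users, 1 = Power Users / Developers, 2 = AI Researchers.
# Each service records the lowest tier permitted to use it and whether it is sanctioned.
AI_DOMAINS = {
    "copilot.microsoft.com": {"sanctioned": True,  "min_tier": 0},
    "chatgpt.com":           {"sanctioned": False, "min_tier": 1},
    "openai.com":            {"sanctioned": False, "min_tier": 1},
    "claude.ai":             {"sanctioned": False, "min_tier": 1},
    "gemini.google.com":     {"sanctioned": False, "min_tier": 2},
    "grok.com":              {"sanctioned": False, "min_tier": 2},
}

# Identity groups (assumed names) mapped to tiers; a user holds the highest tier of any group.
GROUP_TIERS = {"All-Staff": 0, "Developers": 1, "AI-Research": 2}
TIER_NAMES = {0: "General", 1: "Power", 2: "Research"}


def match_catalogue(qname: str) -> Optional[str]:
    """Return the catalogue entry covering qname, checking parent domains too
    (api.openai.com -> openai.com) so a subdomain cannot slip past the policy."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in AI_DOMAINS:
            return candidate
    return None


def user_tier(groups) -> int:
    return max((GROUP_TIERS.get(g, 0) for g in groups), default=0)


@dataclass
class Decision:
    user: str
    qname: str
    tier: str
    service: Optional[str]
    action: str   # "allow", "allow-logged" or "block"
    reason: str


def evaluate(user: str, groups, qname: str) -> Decision:
    """Policy decision for one DNS query, following the three-tier table."""
    tier = user_tier(groups)
    service = match_catalogue(qname)
    if service is None:
        return Decision(user, qname, TIER_NAMES[tier], None, "allow", "not an AI service")
    entry = AI_DOMAINS[service]
    if tier < entry["min_tier"]:
        return Decision(user, qname, TIER_NAMES[tier], service, "block",
                        f"{service} requires tier {TIER_NAMES[entry['min_tier']]}")
    if entry["sanctioned"]:
        return Decision(user, qname, TIER_NAMES[tier], service, "allow", "sanctioned enterprise tool")
    # Unsanctioned tools are permitted only to tiers that qualify, and always with full logging.
    return Decision(user, qname, TIER_NAMES[tier], service, "allow-logged", "permitted with oversight")


# Constructed DNS query records: (user, identity groups, queried name).
SAMPLE_QUERIES = [
    ("alice", ["All-Staff"],                "copilot.microsoft.com"),
    ("alice", ["All-Staff"],                "chatgpt.com"),
    ("bob",   ["All-Staff", "Developers"],  "api.openai.com"),
    ("bob",   ["All-Staff", "Developers"],  "gemini.google.com"),
    ("carol", ["All-Staff", "AI-Research"], "grok.com"),
    ("alice", ["All-Staff"],                "intranet.example.internal"),
]


def shadow_ai_report(queries) -> dict:
    """Visibility step: per user, every AI service reached for and the action taken."""
    report = {}
    for user, groups, qname in queries:
        d = evaluate(user, groups, qname)
        if d.service is not None:
            report.setdefault(user, []).append((d.service, d.action))
    return report


if __name__ == "__main__":
    for user, groups, qname in SAMPLE_QUERIES:
        d = evaluate(user, groups, qname)
        print(f"{d.user:6} {d.tier:9} {d.qname:27} {d.action:13} {d.reason}")
    print(shadow_ai_report(SAMPLE_QUERIES))
```

Two details matter in practice. Matching on parent domains is what stops an API endpoint or regional subdomain from bypassing a rule written for the bare service name, and keeping the decision tied to identity groups rather than to devices or locations is what gives the same result in the office, at home, or on the road.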

Building an AI Governance Framework

Effective AI governance is not a single product or policy. It is a framework that combines technical controls, clear usage policies, and user education. The organisations that manage AI risk most effectively are those that treat it as an ongoing programme rather than a one-time configuration exercise.

Wavex works with organisations to build AI governance frameworks that are proportionate to their risk profile and practical to operate. This includes an initial assessment of current AI usage patterns, identification of the highest-risk behaviours and data types, configuration of the technical controls described above, development of an AI acceptable use policy, and a user awareness programme that helps staff understand why these controls exist and how to use AI safely.

For organisations with an existing IT strategy and consulting engagement, AI governance can be incorporated into the broader technology roadmap. For those starting from scratch, Wavex offers a standalone AI governance assessment that provides a clear picture of current risk and a prioritised remediation plan.

AI is already being used across your organisation by over half of your staff. The risk is not the technology itself - it is the absence of visibility and control around how it is being used. The longer that gap remains, the greater the likelihood of a serious incident. Speak to a Wavex consultant today to understand your current exposure and the steps needed to address it.

Frequently Asked Questions

What is Shadow AI and how is it different from Shadow IT?

Shadow AI refers to employees using AI tools - such as public versions of ChatGPT, Claude, or Gemini - without the knowledge or approval of their IT or security teams. It is a specific form of Shadow IT, but with a higher risk profile because AI tools are designed to process and learn from the data you provide. Unlike a rogue file-sharing app, a public AI tool may store, process, or use the data entered into it for model training, meaning sensitive information can leave your environment in ways that are difficult to detect or reverse.

Does using ChatGPT at work constitute a GDPR breach?

It depends on what data is entered. If an employee pastes personal data - such as client names, contact details, financial information, or health records - into a public AI tool that operates outside your organisation's controlled environment, this may constitute a personal data breach under GDPR. If the breach is likely to result in a risk to individuals' rights and freedoms, you are required to notify the ICO within 72 hours. Wavex recommends implementing technical controls to prevent this before an incident occurs rather than relying on policy alone.

Can we just ban AI tools to eliminate the risk?

Blocking AI tools outright is rarely effective and often counterproductive. Staff who find AI tools genuinely useful will find ways around a blanket ban, driving usage further underground and making it harder to monitor. A tiered access model - which permits approved enterprise AI tools for all staff while restricting access to higher-risk public platforms - is a more effective approach. It enables productivity while maintaining visibility and control, and it can be enforced at the network and identity level using tools such as Cisco Umbrella.

What is Microsoft Purview and do we need it?

Microsoft Purview is a data governance and compliance platform included in many Microsoft 365 licences. It detects sensitive information across your environment, warns or blocks users before inappropriate sharing, and creates an audit trail of data interactions. If your organisation handles personal data, financial information, or confidential client documents - and most do - Purview is a valuable control for reducing accidental data leakage and supporting GDPR compliance. Wavex can assess whether your current Microsoft 365 licensing includes Purview and configure it as part of a broader data governance programme.

How long does it take to implement an AI governance framework?

A basic AI governance framework - covering visibility of current AI usage, configuration of Microsoft Defender for Cloud Apps, and an initial acceptable use policy - can typically be implemented within a few weeks. A more comprehensive programme including Microsoft Purview configuration, Cisco Umbrella deployment, tiered access policies, and a user awareness campaign will take longer, typically two to three months depending on the size and complexity of the organisation. Wavex provides a phased approach that delivers quick wins early while building towards a complete governance framework.

How does Wavex help with AI governance?

Wavex provides end-to-end AI governance support, from an initial assessment of your current AI usage patterns and risk exposure through to the configuration of technical controls, development of usage policies, and delivery of user awareness training. We work with the Microsoft security stack - including Purview and Defender for Cloud Apps - as well as Cisco Umbrella for DNS-layer enforcement. Our IT strategy and consulting team can incorporate AI governance into your broader technology roadmap, ensuring it is treated as an ongoing programme rather than a one-time exercise.
