Blair AI Rollout Podcast · Season 3 · Episode 3

Your employees are already using AI. Here's what to do about it.

You didn't authorize it. Nobody asked IT. But it's already inside your organization — and the worst thing you can do right now is send a company-wide ban. Here's what to do instead.

Steve Buckner

Cloud Systems Engineer · MCT · PMP · Azure Solutions Architect Expert. 40+ years in IT and operations. Builder of the Blair AI Rollout Framework.

Published May 2026

Hugh is IT Manager at a 200-person construction company in Chicago. He didn't roll out AI. Nobody asked him to. But it showed up anyway — and now leadership wants answers. This episode covers exactly what to do when AI gets ahead of your plan.

The problem isn't that they're using AI. The problem is you don't know what they're doing with it.

Shadow AI — employees using AI tools without authorization, IT knowledge, or governance oversight — is now the default state in most organizations. Consumer AI tools are free, powerful, and require no IT involvement to start using. If your organization hasn't formally rolled out AI, that doesn't mean AI hasn't arrived. It means it arrived without you.

The instinct when this surfaces is to lock it down. Issue a policy. Send a memo. Make unauthorized AI use a disciplinable offense. That instinct is understandable and almost always counterproductive.

A ban doesn't stop the use. It drives it underground. And underground use is worse than visible use in every meaningful way — you lose whatever visibility you had, employees become less likely to ask questions or flag problems, and your governance gap gets harder to close, not easier.

"The unauthorized AI use you discovered inside your organization isn't just a risk to manage. It's a roadmap."


Step 1: Don't panic. Don't ban. Get visible first.

Before any policy decision, you need to know what's actually happening. Not what you assume is happening — what's actually happening. The gap between those two things is usually significant.

The fastest way to get an honest picture: send a short, casual message to three or four team leads this week. Not a formal survey, not a policy announcement — just a low-stakes question:

"Hey — just trying to get a sense of how the team is working. Are you or anyone on your team using any AI tools in your day-to-day work? Doesn't matter what it is, just trying to build a picture."

The key is removing the threat from the question. The moment employees sense that honest answers will result in a ban or a disciplinary conversation, you get the answer they think you want to hear, not the truth. A casual, curious tone gets you real information. Real information is what you need to make good decisions.

What you're building is a map: which tools, which teams, which workflows, how long it's been happening. That map is more valuable right now than any policy you could write.


Step 2: Triage what you find — low, medium, and high risk are not the same problem.

Once you have a picture of what's actually happening, resist the urge to treat everything the same way. Not all unauthorized AI use carries the same risk, and treating low-risk use the same as high-risk use wastes your time and creates friction where none is needed.

Sort what you find into three buckets:

Low Risk

Formalize quickly.

Non-sensitive tasks. Outputs reviewed by a human before use. No regulated data involved. Examples: drafting internal notes, summarizing non-confidential documents, formatting reports.

These can often become your first official pilots with minimal guardrails required. The employees doing this work are already your most capable AI users.

Medium Risk

Add guardrails before continuing.

Sensitive or client-facing tasks. Outputs that may not be reviewed. Tasks where an AI error would be visible or consequential. Examples: client-facing drafts, project documentation, vendor communications.

Don't ban these. Define the review requirements and approved tools, communicate them clearly, and redirect into a structured workflow.

High Risk

Intervene immediately.

Regulated data, personally identifiable information, outputs affecting people without human review. Financial data, employee records, safety-critical documentation, legal materials.

This requires a direct conversation, not a memo. Stop the use, explain why clearly and without blame, and build proper governance before it resumes.

Most organizations that do this exercise find the distribution is roughly what you'd hope: a lot of low-risk use, some medium-risk use that needs guardrails, and a small number of genuinely high-risk situations requiring immediate attention. Addressing them proportionally is faster and more effective than a blanket response to all three.


Step 3: Turn the problem into your rollout plan.

Here's the reframe that changes how you approach this entire situation: the map of unauthorized AI use you just built is also a map of where your organization's AI interest and capability are highest. That's not a liability to manage. That's a starting point.

The employees already using AI — even without authorization — are telling you something important: they found a workflow where AI produced value worth the effort of adopting it informally. That signal is exactly what you need to identify your first official pilots.

From problem to plan

Low-risk unauthorized use → first official pilots

The employees doing low-risk AI work informally are your early adopters. Bring them into the structure. Give them approved tools and documented guardrails. Make their informal work the foundation of your first formal pilot. They'll become your internal advocates rather than a governance problem.

Medium-risk use → structured workflow definition

Medium-risk use tells you which workflows have enough complexity to warrant careful governance. Work with the teams doing this to understand what they're actually trying to accomplish, then build the proper structure around it. A workflow defined with the people doing the work is more durable than one written without them.

High-risk use → your governance priority list

High-risk use tells you exactly where your governance gaps are most exposed. Address those gaps directly and specifically. The areas where unauthorized AI use showed up in high-risk contexts are the same areas that need formal governance regardless — you've just learned about the gap earlier than you otherwise would have.

The mess that landed on your desk is also your roadmap. The organizations that handle shadow AI well are the ones that use it as a forcing function to build the structure they needed to build anyway — just faster and with better information than they would have had otherwise.

For a structured approach to building that governance foundation, see the AI Guardrails in the Workplace guide. For the full 30-day plan that takes you from this point through your first official pilot, see Your First 30 Days with AI.


What to tell leadership.

Leadership is asking for answers because unauthorized AI use creates real organizational risk — data exposure, ungoverned outputs, liability questions. They're right to want a response. The response they need isn't a ban announcement. It's a structured plan.

What leadership actually wants to hear:

That's a credible, structured answer. It demonstrates control without overreacting. And it moves the conversation from "what do we do about unauthorized AI" to "here's how we're building responsible AI capability" — which is the conversation you want to be having.


Common questions.

Don't issue a blanket ban — it drives the use underground and eliminates your visibility. Start by building a map: send a casual, non-threatening message to a few team leads asking what AI tools people are using day to day. Remove the threat from the question and you'll get honest answers. Once you know what's actually happening, you can triage by risk level and make decisions grounded in evidence rather than assumption.

Shadow AI refers to AI tools being used inside an organization without official approval, IT knowledge, or governance oversight. It's a problem not because employees are using AI, but because unauthorized use carries real risk: sensitive data may be entering tools with no data handling agreement, AI outputs may be going unreviewed into decisions or client-facing work, and the organization has no visibility into what's happening. The solution isn't prohibition — it's structured visibility and governance.

Sort what you find into three buckets. Low risk: tools used for non-sensitive tasks with outputs reviewed by a human — these can often be formalized quickly as official pilots. Medium risk: tools used for sensitive or client-facing tasks without a formal review process — these need guardrails before continuing. High risk: tools processing regulated data or producing outputs that affect people without human review — these require immediate, direct intervention.

The policies that get followed are the ones that reflect what employees are actually doing, not the ones that prohibit everything. Start by mapping what's already happening. Build your policy around formalizing low-risk use with clear guardrails, redirecting medium-risk use into structured pilots, and setting firm boundaries only where the risk genuinely warrants it. A policy written after a visibility exercise is specific, credible, and far more likely to be followed than one written in reaction to a headline.
