
Security Gaps Deep Dive #5: If AI Tools are Being Used Without Guardrails

April 17, 2026, in News, by Apex Computing

AI has moved into the workplace far faster than most business policies have kept up. Microsoft’s 2024 Work Trend Index found that 75% of global knowledge workers are already using AI at work, and 78% of AI users are bringing their own AI tools into the workplace. In small and medium-sized businesses, that rises to 80%. That matters because it means AI is no longer a future planning conversation for most SMEs. It’s already happening, often quietly, in day-to-day work across email, documents, meetings, research and admin tasks.

The risk isn’t AI itself. The risk is uncontrolled usage. When staff start using whichever tools feel easiest, with no clear approval process, no guidance on what data can be shared, and no visibility for the business, AI quickly becomes another form of shadow IT. Sensitive information can be pasted into prompts too casually, commercial decisions can be influenced by unverified outputs, and different teams can end up using different tools in completely different ways with no governance behind any of it.

This is where many SMEs can slip into a false sense of security. People often assume the problem begins only when someone shares obviously confidential data, but unmanaged AI creates other issues long before that point. It can lead to inconsistent answers being used in client-facing work, staff relying too heavily on polished but inaccurate outputs, and decisions being shaped by tools the business has never formally assessed. Microsoft’s own research shows that the bigger challenge for leaders is moving from scattered individual experimentation to a planned, business-wide approach. In the same report, 79% of leaders said their company needs to adopt AI to stay competitive, but 60% worried leadership lacks a plan and vision to implement it properly.

That’s why guardrails matter so much. Good AI adoption doesn’t start with a ban, and it doesn’t start with a free-for-all either. It starts with some very practical questions. Which tools are approved? What kind of information should never be entered into a public or unmanaged AI tool? Where does human review remain essential? Which teams have the clearest use cases, and where could careless use create avoidable risk? Those are the questions that turn AI from an interesting experiment into something the business can actually control. A structured approach that combines governance, security controls and practical training, so that AI use becomes visible, consistent and manageable across the organisation, is essential in today’s business landscape.

There is also an important difference between “using AI” and “using AI safely inside a governed business environment”. Microsoft Copilot is a good example of a more governed AI option. It gives organisations a clearer, safer way to bring AI into day-to-day work, without relying on staff to make up their own rules as they go. It still needs oversight and a sensible usage policy, but it does make AI adoption far easier to manage than a patchwork of unmanaged public tools.


If this feels familiar, we already have two useful next steps for businesses that want to get a handle on the issue. The first is the Shadow AI Risk Checker, which gives organisations a simple way to assess how exposed they may be and starts the conversation around where unmanaged AI use may already be happening. The second is our “What is Shadow AI and Why Blocking It Isn’t The Answer”, which gives a more practical view of the problem; from there, speak to Apex about a structured rollout through Microsoft Copilot consultancy, governance support and AI readiness guidance. That’s how you turn AI from a growing blind spot into something the business can use with far more confidence.


Apex Computing

At Apex Computing Services, we’ve been growing with our customers since 2003 and now have a team of 20 highly professional and experienced technical engineers covering all aspects of IT Support, Cloud Solutions, IT Infrastructure, Business Continuity, compliance towards GDPR and Cyber Security.