Survey Finds Employees Bypassing AI Policies; SPB Launches Govern

If your company has an “AI Acceptable Use Policy” PDF sitting in a shared drive, congratulations:
you have created the corporate equivalent of a treadmill used as a coat rack.
Meanwhile, employees are quietly (and sometimes loudly) using generative AI to summarize meetings,
draft emails, brainstorm campaigns, debug code, andhere’s the spicy partpaste in company information
they probably shouldn’t.

The gap between “policy” and “practice” has a name now: shadow AI.
And it’s not a niche behavior limited to “that one intern who discovered prompts.”
Multiple surveys and workplace studies point to the same reality: people are adopting AI at work faster
than governance can keep up. That mismatch is why new governance effortslike SPB’s “Govern” pushare
showing up right next to the usual compliance staples (privacy, security, record retention, and the
occasional panic).

Why Employees Bypass AI Policies (Even When They Like Their Jobs)

The most common assumption is that employees bypass AI rules because they’re reckless.
The more accurate answer is: they’re optimizingfor speed, clarity, and survival in a workplace
where deadlines are real and policies often feel theoretical.

1) Convenience beats compliance when the “approved tool” feels like a toaster

Many organizations roll out an “approved AI tool” that’s limited, hard to access, or awkward to use.
Then they act surprised when people reach for the public tools they already know. If the sanctioned
option can’t summarize a meeting transcript, rewrite a client email in plain English, and format a
spreadsheet explanation without fifteen clicks and a permissions request… people will improvise.

2) Policies are unclear, conflicting, or written like a medieval scroll

Employees often receive mixed signals: “Use AI to be more productive,” followed by
“Don’t use AI unless Legal blesses it,” followed by silence. Uncertainty creates two outcomes:
people either stop using AI entirely, or they use it quietly and hope nobody asks.
Spoiler: “quietly” is not a security control.

3) Training lags behind tool adoption

AI is easy to try and hard to use responsibly. Without practical trainingwhat you can paste,
what you must never paste, how to verify output, how to cite sources, how to avoid biasemployees
make up their own rules. And homemade governance is like homemade sushi: technically possible,
but not always safe.

4) Performance pressure turns “helpful assistant” into “unofficial coworker”

When performance expectations don’t change but workload increases, AI becomes a coping mechanism.
People will use whatever helps them hit the target. If compliance slows them down, compliance losesunless
you redesign workflows so safe AI use is the fastest path, not the hardest.

What the Surveys Are Really Saying: Shadow AI Is a Business Process Now

Across recent research, three themes show up repeatedly:
(1) AI use at work is growing, (2) a meaningful share happens without approval,
and (3) sensitive data exposure is the big risk hiding inside “productivity.”

Behavior patterns you should assume are already happening

• Summarizing and rewriting: meeting notes, emails, policy drafts, customer responses.
• Brainstorming: campaign ideas, product names, HR messaging, interview questions.
• Analysis support: turning messy notes into structured plans, or summarizing long documents.
• Technical help: code suggestions, debugging, generating scripts, explaining errors.
• Translation and tone: “Make this sound professional but not like a robot.”

These are reasonable usesuntil someone copies in proprietary information, customer data,
employee records, legal strategy, or internal financial details. That’s the moment “helpful”
becomes “reportable.”

The Real Risk: Data Leakage, IP Exposure, and Compliance Whiplash

Shadow AI isn’t scary because people are asking AI to write a nicer email.
It’s scary because employees may paste in information that triggers:
privacy obligations, confidentiality commitments, export controls, regulated recordkeeping, and contractual
restrictions. Even when the employee means well, the organization can inherit the liability.

Key risk buckets leaders should track

• Confidential data exposure: internal documents, pricing, source code, product roadmaps.
• Personal data mishandling: customer or employee info, sensitive personal data, health-related info.
• Regulatory scope creep: AI-specific laws and emerging rules plus “classic” privacy/security duties.
• Output reliability: hallucinations, fabricated citations, subtle errors that look confident.
• Brand and trust: customers notice when content feels incorrect, inconsistent, or “AI-ish.”

And here’s the awkward truth: many employees know these risks exist, but they don’t know how to manage them.
That’s not an employee problem. That’s a governance design problem.

Why “Ban It” Doesn’t Work (And Sometimes Backfires)

Blanket bans feel satisfyinglike slamming a laptop shut and declaring, “We are DONE with technology.”
But bans tend to drive usage underground. The tool doesn’t disappear; your visibility does.
The better approach is a controlled enablement model:
give people safe options, fast guidance, and clear guardrails that match real workflows.

Common anti-patterns (and what to do instead)

• Anti-pattern: “We have a policy.”
  Fix: Build AI rules into tools and workflows (DLP, access controls, logging, redaction, templates).
• Anti-pattern: “Don’t paste sensitive data.”
  Fix: Define what “sensitive” means in everyday terms, by role and data type, with examples.
• Anti-pattern: “Training is optional.”
  Fix: Micro-training in the moment: pop-up guidance, checklists, and approved prompt patterns.
• Anti-pattern: “Security owns it.”
  Fix: Shared ownership: Legal + Security + HR + IT + business leaders, with a single governance lane.

SPB’s “Govern” Moment: Measuring the Gap Between Policy and Practice

One reason governance is evolving is that organizations are realizing a painful truth:
you can’t manage what you don’t measure. Squire Patton Boggs (SPB) has been building out
tools and guidance under its “Privacy Powered by Squire Patton Boggs” brand, and part of that suite
includes a stakeholder survey designed to help enterprises compare written policies to actual behaviors
and generate a maturity score and gap report with recommendations.

That kind of approachcall it “Govern” in spirit and in practicematters because it treats shadow AI
like what it is: a system problem. If employees bypass policies, the organization needs evidence about:
where it happens, why it happens, what data is involved, and what controls would actually change behavior.

What a “Govern” assessment can uncover (quickly)

• Which teams are using public AI tools vs. approved platforms
• Which workflows drive the most policy-bending (sales emails, proposals, support scripts, coding)
• Whether employees understand what data is restricted (and what they incorrectly assume is “fine”)
• Where guidance is contradictory, outdated, or missing entirely
• Which controls would reduce risk without killing productivity

In other words: it’s not just a survey. It’s a mirror. And mirrors are inconvenientuntil they prevent you
from walking out the door with toothpaste on your face during a board meeting.

A Practical Governance Playbook for 2026

If you want fewer policy violations and more safe AI adoption, aim for a governance model that’s
easy to follow, hard to bypass, and built into daily work.
Here’s what that typically includes.

1) Define “approved use” by task, not by vibe

Stop saying “Use AI responsibly.” Start saying:
“You may use AI to summarize your own notes, rewrite public-facing copy drafts, generate meeting agendas,
and brainstorm non-confidential ideas. You may not paste in customer PII, employee records, source code,
contract terms, unreleased product plans, legal strategy, or security details.”

2) Provide a safe AI lane that’s actually better than the public lane

Employees don’t bypass policies for fun. They bypass them when the “safe way” is slower.
Approved tools should offer: single sign-on, logging, data controls, and the features people want
(summarization, drafting, analysis). Otherwise the safe lane becomes the empty lane.

3) Add guardrails where the risk lives

• Data loss prevention: detect sensitive data before it leaves the environment
• Access controls: restrict which roles can use which AI features with which datasets
• Prompt guidance: approved prompt libraries and “do/don’t” examples
• Human review: especially for legal, financial, medical, or policy-impacting content

4) Treat verification as a skill, not a suggestion

A good AI policy doesn’t just warn about hallucinations; it teaches verification habits:
check claims, confirm numbers, validate citations, and avoid presenting AI output as a “source.”
The goal isn’t paranoiait’s professional standards.

5) Audit outcomes, not just usage

Measuring “how many people used AI” is trivia. Measure what matters:
incident rates, data exposure attempts blocked, policy comprehension, quality metrics, and time saved in safe workflows.
Governance should improve performancenot merely restrict it.

Conclusion: Shadow AI Is HereSo Build Governance That People Will Actually Use

Surveys showing employees bypassing AI policies aren’t just cautionary tales; they’re operational signals.
People want the productivity boost. They’ll find it with or without permission.
The winners in 2026 won’t be the companies with the strictest AI bans; they’ll be the companies that build
clear rules, provide usable tools, and measure the gap between what’s written and what’s real.

SPB’s governance tooling directioncentered on assessments that expose policy/practice gapsfits the moment.
Not because another survey is thrilling, but because governance that starts with reality has a fighting chance
of changing reality. Shadow AI thrives in the dark. Turn the lights on, then redesign the room.

Experience Notes: What It Feels Like Inside a Company Living Through Shadow AI

The most revealing “shadow AI” moments rarely happen in security dashboards. They happen in ordinary conversations.
A marketing lead says, “We turned that campaign around in two daysAI helped.” A salesperson casually mentions,
“I asked a chatbot to rewrite the proposal so it sounds more confident.” Someone in HR admits they used AI
to draft performance feedback because they didn’t want to accidentally sound harsh. Nobody says, “I violated policy.”
They say, “I got the job done.”

In companies where AI governance is still forming, you can almost map behavior by emotional weather:
confusion (What’s allowed?), fear (Will I get in trouble?),
relief (This saved me two hours), and silence (Don’t ask, don’t tell).
That silence is the part leaders underestimate. Employees aren’t hiding because they’re villains twirling mustaches.
They hide because they’re unsure how their managers will reactespecially when performance evaluation systems
haven’t caught up to a world where “work product” can be part human, part AI, and part copy/paste regret.

One pattern shows up again and again: the first AI policy is usually written as if the biggest risk is that
employees will “use AI.” The reality is that employees will use AI either way; the real risk is
how data moves. In practice, the highest-risk moments happen when someone is rushing:
they paste an internal email thread into a public tool “just to summarize it,” or they drop in a spreadsheet
with customer notes because the model “needs context.” Most people don’t have malicious intentthey have
a deadline and a belief that “this probably isn’t sensitive.” That belief is rarely malicious; it’s often
simply wrong.

The companies that improve fastest usually stop treating governance like a lecture and start treating it like
product design. They build a short list of “safe default” use cases (summarize your own notes, rewrite public copy,
brainstorm non-confidential ideas). They create bright-line red zones (“never paste customer PII, employee records,
contract text, source code, legal strategy”). Then they make the safe path easier. The moment employees can open an
approved tool with single sign-on, get built-in guardrails, and still achieve the same quality output, policy
compliance stops being a moral choice and becomes the obvious workflow.

Another real-world lesson: training works best when it’s tactical, not theatrical. A one-hour “AI ethics webinar”
may feel impressive, but it doesn’t help the support rep deciding whether a customer email contains personal data,
or the engineer wondering if a snippet of code is okay to paste. What does help is scenario training:
five-minute modules, concrete examples, and “if you’re doing X, then do Y” guidance. People don’t need a philosophy;
they need instructions they can follow while they’re busy.

Finally, the most useful governance conversations aren’t about banning toolsthey’re about aligning incentives.
If leaders demand speed, volume, and always-on responsiveness, employees will use whatever gives them leverage.
Governance succeeds when it respects that reality and builds controls that support productivity rather than compete with it.
That’s why maturity and gap assessments (the “Govern” style approach) are so practical: they surface where policies fail,
where tooling is insufficient, and where employees are inventing their own processes. Once you see the actual map of behavior,
you can fix the routeswithout pretending people will stop traveling.