Over the past 12 to 18 months, tools like ChatGPT and Microsoft Copilot have gone from being a novelty to something people use every day at work. They are fast, easy to access, and when used properly, genuinely useful.

As part of our ongoing commitment to security and best practice, we have conducted an audit across our clients to better understand how AI tools are being used. We can confidently confirm that the trends and statistics outlined below reflect real-world usage across businesses like yours.

70% of users at the businesses we support are using some form of AI*. And although some of this is authorised, with policies in place, the majority isn’t authorised and is being used via personal accounts. These findings were consistent and, frankly, a concern for any business owner or director.

The Reality: AI Is Already Being Used

Across the environments we assessed:

• 70% of employees are using AI tools at work
• A large proportion are using personal, unmanaged accounts
• Many businesses have no formal AI usage policy in place

This is not theoretical. This is happening right now inside real organisations.

And in most cases, leadership teams have no visibility of it.

That is where the risk starts.

Why This Matters: The Data Risk Most People Overlook

Public AI tools do not behave like traditional business software. When someone pastes information into them, that data is processed externally. In some cases, it may also be stored or used to improve the model.

Now think about a simple, everyday scenario.

An employee copies a customer contract into an AI tool to summarise it. That contract might include pricing, customer details, and commercially sensitive terms. Without the right protections in place, that information is now outside your control.

At best, this creates a governance issue. At worst, it could lead to a GDPR breach, a contractual issue, or loss of intellectual property.

The Blind Spot: Why Most Businesses Do Not See This Coming

This is not a technology failure. It is a visibility issue.

In many organisations:

• AI usage sits outside of IT oversight
• Employees access tools through browsers or personal devices
• There is no monitoring or control in place

From a leadership perspective, everything appears fine.

Under the surface, risk is building.

A Practical Approach to Safe AI Use

We are not here to say do not use AI. That is not realistic, and it puts you at a disadvantage. In our recent podcast, The Cost of Shallow Automation, we discuss exactly how you utilise AI (and automation) together to generate huge efficiency gains.

The businesses getting this right are doing two things well.

1. They Set Clear AI Usage Policies

This is the foundation.

A good AI policy should:

• Define which AI tools are approved
• Clearly state what data must never be shared
• Give simple, practical guidance employees can follow
• Be actively communicated across the business

If your team does not know the rules, they will make their own decisions.

2. They Put the Right Technical Controls in Place

Policy on its own is not enough. It needs backing up with controls.

That typically includes:

• Using enterprise-grade tools like Microsoft Copilot
• Ensuring your data is not used to train public AI models
• Applying Data Loss Prevention policies
• Monitoring and controlling how AI tools are accessed

This is not about locking everything down. It is about putting sensible guardrails in place so people can use AI safely.

The Risk of Doing Nothing

If this is left unmanaged, the risks are very real:

• Accidental data leakage
• GDPR or regulatory breaches
• Loss of intellectual property
• Damage to your reputation with customers and partners

Most of these issues do not come from bad intent.

They come from employees trying to work faster and more efficiently.

What We Are Seeing Across Businesses

From our audit, the pattern is clear:

• AI usage is high and growing quickly
• Governance is low or missing entirely
• Leadership awareness is limited

That combination creates a serious risk for any organisation.

For those organisations AAG IT Services work with, we are speaking directly with clients to walk through:

• What we have identified in their environment
• Where the risks sit
• What practical steps to take next

As a proactive, security-focused provider, we wouldn’t be doing our job right if we didn’t support our clients with this. If your provider hasn’t spoken to you about your AI usage, our advice is to contact them and ask them to review your environment.

In some cases, you may not be able to gain a picture of your AI usage due to licensing limitations, if this is the case, you should ask how to gain that visibility.

How AAG Helps You Adopt AI Safely

We work with organisations that want to use AI properly, not take unnecessary risks.

That means:

• Creating clear and usable AI policies
• Putting the right security controls in place
• Deploying appropriate business tools
• Giving leadership proper visibility

The goal is simple.

Help you benefit from AI without exposing your business.

Want to Understand Your Current Exposure?

If you are unsure where you stand, that is completely normal. Most businesses are in the same position.

And if your current provider isn’t supporting, we are happy to have a short, no-obligation conversation to help you understand:

• What is likely happening in your environment
• Where your biggest risks are
• What good looks like in practice

No scare tactics. No overcomplication. Just clear, honest advice.

*This report was generated on 4,112 accounts. Due to licensing limitations, we are unable to assess every environment.