08/06/2026

Shadow AI: How SMEs Can Stay Secure and in Control 

Most organisations think they have an AI strategy problem. In reality, they have a visibility problem. AI is already embedded across the modern workplace – in marketing, finance, operations, and customer service. Not through formal rollouts, but through individuals using tools to get work done faster.

Across the UK, the shift has happened quickly and, in many cases, quietly. More than half of workers have already used AI in their roles, and AI tools are now part of everyday workflows for a growing number of teams. What’s more telling is how frequently that use is happening: nearly one in five UK workers are now using generative AI daily.

That’s the reality.

And like Shadow IT before it, it’s scaling faster than most organisations can control it. The question is no longer whether AI will enter your business. It already has.

The real question is: can you see it, control it, and secure it?

What is Shadow AI?

Shadow AI is when employees use AI tools at work without clear visibility, governance, or approval.

It’s not usually intentional risk. It’s people trying to move quicker and solve problems with the tools available to them.

That might mean:

  • Uploading company or client data into public AI tools
  • Using AI-generated outputs without review
  • Introducing unapproved automation into workflows
  • Using AI content in customer-facing material

On their own, these actions feel low risk. At scale, they create something very different: a way of working that sits outside of visibility and control. That’s where the real problem starts.

The gap is growing: adoption vs control

AI adoption is accelerating quickly across SMEs. Control isn’t keeping up.

Recent data highlights the scale of the issue:

  • 71% of UK employees have used unapproved AI tools at work
  • 34% of businesses do not have formal policies
  • 37% have not communicated how AI should be used
  • Over a third of SMEs (35%) say they are actively using AI technology

AI is now part of everyday work. But most organisations can’t answer basic questions:

  • Where is it being used?
  • What data is being shared?
  • How are outputs being used?

That’s where risk builds – not when AI is introduced, but when it’s invisible.

Most AI usage starts with simple productivity gains:

  • Drafting emails and documents
  • Summarising information
  • Automating admin tasks
  • Supporting internal communication

Individually, none of this feels like a security issue. But without structure, it introduces real risk:

  • Data leaving the organisation without oversight
  • Inaccurate or unverified outputs being used in decisions
  • Compliance gaps with no audit trail
  • Inconsistent ways of working across teams

The issue isn’t that AI is being used; it’s that it’s being used without visibility or control. And that usually only becomes obvious once something goes wrong.

Why blocking AI is the wrong response

Blocking AI tools might feel like control, but in reality, it often removes it. These tools are easy to access and already embedded into how people work. If organisations don’t provide a secure option, employees will find their own.

That leads to:

  • Personal accounts being used for work
  • Workarounds that bypass controls
  • Data being shared outside approved environments
  • A growing gap between policy and reality

In many cases, people aren’t deliberately bypassing policy; they’re simply trying to get work done faster. They may not realise the capabilities already available to them through approved tools like Copilot Chat or Microsoft 365 Copilot, or they may find that those tools do not meet their specific needs.

That makes engagement critical. Speak to your people to understand:

  • Why they’re using AI tools
  • What they’re trying to achieve
  • Where existing tools are falling short
  • What would help them stay within secure, approved environments

Without that feedback loop, organisations risk creating policies that look good on paper but don’t reflect how work actually happens.

The behaviour doesn’t stop; it just becomes harder to see.

The shift SMEs need to make

Organisations that are getting ahead are not resisting AI. They are restructuring how it is governed. The focus is shifting from restriction to enablement with control. This requires a foundation built on:

  • Clear and practical AI usage policies
  • Visibility of where and how AI is being used
  • Defined data boundaries and classification rules
  • Controlled access to approved tools and environments
  • Integration of AI into secure, repeatable workflows

This is the difference between unmanaged adoption and controlled adoption. One creates fragmentation and risk. The other creates consistency, visibility, and measurable value.

Why Microsoft 365 Copilot changes the picture

A big driver of Shadow AI is simple: people want to work faster. If the organisation doesn’t provide a way to do that securely, people will look elsewhere. Microsoft 365 Copilot changes that.

It brings AI directly into tools people already use (Outlook, Word, Excel, and Teams) without moving data into external, uncontrolled environments.

Unlike public AI tools:

  • Data stays within your Microsoft 365 environment
  • It isn’t used to train external models
  • Access is controlled through identity and permissions
  • Outputs are based on your organisation’s data

It also means:

  • A consistent way of using AI across the business
  • Less reliance on multiple unapproved tools
  • AI embedded into everyday workflows, not separate from them

This turns AI from something happening outside the business into something you can manage and scale. For most SMEs, that makes it as much about risk reduction as productivity.

“The challenge with Shadow AI isn’t technology, it’s visibility and control. Organisations that succeed are those that make AI usage secure, governed and aligned to how the business wants to operate.”

Peter Pendlebury, Chief Automation and AI Officer

But tools alone aren’t enough

Tools like Copilot are powerful, but they do not resolve the problem in isolation. Without the right foundations, AI can still amplify existing weaknesses. Organisations still need:

  • Clean, structured and accessible data
  • Strong identity and access management
  • Clear governance frameworks
  • Defined usage boundaries across teams

Technology enables control, but only when it is supported by the right structure.

What SMEs should focus on next

You don’t need a full AI transformation programme. You need clarity and control. Start with:

  • Visibility – where AI is already being used
  • Guidance – what’s acceptable and what’s not
  • Data control – what can and can’t be shared
  • Access management – who can use which tools
  • Enablement – a secure alternative like Microsoft 365 Copilot

AI is already part of how your business operates. The question now is whether you’re in control of it.

From Shadow AI to secure adoption

Shadow AI isn’t a future problem. It’s already shaping how people work, and the organisations that will struggle most are those without visibility and control over how AI is being used.

The goal isn’t to slow people down. It’s to give them a secure, consistent way to move faster, without creating risks the business can’t see.

AI adoption is happening either way. The only real question is whether it happens in the dark, or on your terms.

Take control of AI adoption in your business

If this reflects what you are seeing internally, you are not alone. Most organisations are already dealing with some level of Shadow AI. The challenge is not whether AI will be used, but how you gain visibility, control, and confidence in how it is used.

On 30th June, we are hosting a live masterclass focused on exactly that.

In this session, Air IT Group’s CTO, Lee Johnson, will walk through what it really takes to move from informal AI usage to structured, secure adoption.

You will gain a clearer understanding of:

  • Where AI is already operating across your environment, and how to identify it
  • What “AI-ready” actually means across your IT, security, and data foundations
  • How to introduce control and governance without slowing down innovation
  • Where to focus now to turn AI from a risk into a scalable capability

If you have questions around AI risk, data exposure, or governance, but lack full visibility, this session will give you a clearer path forward.
