Your Employees Are Using ChatGPT. What to Do.

Your employees are using ChatGPT at work. Not all of them, but most of them.

78% of employees have used a personal AI tool in the workplace over the past year (Source: UpGuard 2025). Some use it daily. Some use it to draft emails. Some use it to debug code, generate ideas for a presentation, or understand a regulation they just read. The tools are free, they're good, and they're faster than asking someone on your team.

The risk is real. 57% of those employees, more than half, have entered sensitive information into these public tools (Source: UpGuard/ManageEngine 2025). Customer data. Internal documents. Code from your proprietary system. Contracts. Information they copied into ChatGPT without thinking about where it goes.

That's a data leak. That's a compliance problem. That's IP you cannot get back.

Here's the catch: none of that stops when you tell people not to do it.

I was in a legal services firm last year. Partner asked me: "If I need to worry about the 10% of AI output that's not accurate, I don't want to use it." I said, "You already are. Your associates are using it without your knowledge. They're probably using it well. They're also probably using it badly. You're just not seeing it because they're hiding it."

That's the real problem. Not that AI exists. Not that people use it. The problem is shadow AI. AI use that is invisible, ungoverned, and unsanctioned. It's the same problem as shadow IT: employees buying their own tools to do their job faster because the official tools are slow.

You can ban it. You will lose. Your best people will leave for a company that lets them use the tools they're productive with. And the second-best option: ban it and people use it anyway, but now it's hidden.

Most companies' first instinct is to block it. Ban ChatGPT. Ban personal AI tools. Block the websites. Require approval for every tool.

That fails for three reasons:

First, employees use AI because it works. ChatGPT writes a better email in 30 seconds than your employee can write in 5 minutes. Claude helps debug code faster. These tools are genuinely useful. If you take them away without replacing them, you're just making your team slower. The good people leave.

Second, bans are unenforceable. ChatGPT runs on web browsers. You would need to block every domain that runs a large language model, and new models launch every week. You would need to monitor every employee's device, every API call, every prompt they enter. The overhead of enforcement exceeds the risk you're preventing. Plus: a ban creates a culture of hiding tool use instead of transparency.

Third, bans don't eliminate the risk. The actual threat is not "employees using AI." The threat is "employees sending sensitive data to an AI that trains on it" and "employees trusting AI output without verification" and "employees making decisions based on hallucinated information." A ban on the tool does not solve any of that. An employee can still be wrong. They can still leak data. They just do it with a different tool.

The question isn't whether to let employees use AI. The question is how to govern it.

If you have 20 employees or 200, this is the sequence:

Step 1: Audit current usage. Do not start with a policy. Start with facts. Send a simple survey to your team, anonymous, no-penalty, 3 minutes. Have you used ChatGPT or another AI tool at work in the past 30 days? Yes or no. If yes, what for. What information did you enter, if any.

You will find out how widespread it is. You will learn what your team is actually using these tools for. And you will identify your highest-risk cases, the person who has been copy-pasting customer contracts into ChatGPT because they want a summary.

Most companies skip this step and write a policy based on fear. You write the policy based on evidence.

Step 2: Provide approved alternatives. Before you tell people what they can't do, tell them what they can do. Set up a private AI tool. Claude running inside your infrastructure, or an AI service that you can control.

Private AI is the phrase for this: AI that runs on your data, inside your systems, and does not train on what you enter. It's one of the six layers in the AI Operating System. Your employees get the speed and capability of ChatGPT without the risk of leaking data to a public model.

This is critical. If you ban public AI but do not provide a private alternative, you have just told your team to stop being productive. Expect resistance.

For most mid-market companies, a private AI instance is a fixed-fee setup as part of an AI Foundation Build, with a small monthly run cost. That is not expensive against the risk of a data leak or the cost of employee turnover from a ban.

Step 3: Write a simple AI use policy. Three to five pages. Clear. Operator-led, not legal-department-written.

Include these sections:

1. Approved tools and approved use cases. "You can use ChatGPT for brainstorming, drafting, learning. You must use our internal AI instance (Claude-in-Company) for any task involving customer data, contracts, or proprietary information."

2. Data rules. "Do not enter customer names, account numbers, contract terms, internal pricing, or code into public tools. If you're unsure, assume it's private and use the internal tool instead."

3. Verification requirement. "AI output can hallucinate or be inaccurate. Verify anything you plan to act on. When you submit AI-generated content as your own, an email, a code block, a proposal draft, you are responsible for its accuracy."

4. Prohibited use. "Do not use AI to generate content that misrepresents the company. Do not use it to create fake communications or impersonate anyone. Do not use it to bypass security controls."

5. Monitoring and enforcement. "We monitor AI tool access and log usage (without reading your prompts). If we see unusual activity, high volume uploads, bulk export of customer data, we will ask about it. Repeated policy violations will be treated as a conduct issue."

6. Updates and training. "As AI tools change, this policy changes. We'll update it quarterly and notify you of changes."

7. Questions. "If you're not sure, ask. Sending a DM to your manager asking 'can I put this in ChatGPT?' is the right move."

8. Good faith. "This policy is written in good faith. We assume you want to use these tools responsibly. We're not trying to catch you. We're trying to make sure you can work fast without putting the company at risk."

This should take one hour to write, not three weeks. It is not a legal document. It is an operating manual.

Step 4: Monitor and govern. Deploy a tool that monitors which AI applications your team is accessing, not what they enter, just which tools and how often. Tools like Deepsense, Lakera, or similar can integrate with your SSO and flag unusual patterns.

This is not surveillance. It's the same thing you do with your Salesforce instance or your GitHub repository. You see who is accessing what, at what volume, and whether it looks normal.

99% of the time, it is normal. Your data scientist uses Claude daily. Your marketing person uses ChatGPT to brainstorm campaign ideas. Nobody's doing anything wrong. The monitoring is there to catch the 1%, the person who is about to dump your customer database into a public tool.

When you see something unusual, you do not punish first. You ask. In almost every case, the answer is innocent, they didn't realize it was sensitive, or they were testing something, or they made a mistake. You explain the policy. You move on.

Here is a template that you can adapt to your business:

Section 1: Purpose. We use AI tools to be faster, smarter, and better at our jobs. This policy ensures we do that without putting customer data, proprietary information, or the company at risk.

Section 2: Approved AI Tools. Internal: your private AI instance. Public: ChatGPT, Claude, Gemini for non-sensitive work. Blocked: any tool you're not comfortable with. To request a new tool: submit to the designated owner, list your use case, and get approval.

Section 3: Approved Use Cases. Drafting (emails, presentation outlines, code scaffolds, process documentation). Brainstorming (campaign ideas, pricing strategies, operational improvements). Learning (explaining concepts, researching topics, understanding regulations). Summarization (turning long documents into executive summaries, if the document is not sensitive).

Section 4: Prohibited Use. Do not enter customer names, addresses, phone numbers, email, account numbers. Do not enter contracts, pricing, terms, or deal details. Do not enter code from your systems or clients' systems. Do not enter anything marked confidential, proprietary, or restricted.

Section 5: The Data Rule. When in doubt, use the internal tool instead of the public tool. If you're asking "should I put this in ChatGPT," the answer is probably no. That instinct is correct.

Section 6: Verification. AI is useful. AI is also wrong sometimes. If you're using AI output for anything important, a proposal, an email to a client, a recommendation to leadership, verify it first. You own the output.

Section 7: Monitoring. We monitor which AI tools you access and the frequency of your access (not the content of your prompts). We do this to protect the company, not to invade your privacy.

Section 8: Questions. Ask your manager or AI point-of-contact if you're not sure. The policy is here to help you work safely, not to catch you doing something wrong.

Shadow AI is not dangerous because employees are bad actors. It's dangerous because the tools are good, and nobody has told them how to use them safely.

Your best engineer is probably using ChatGPT to debug code. Your best salesperson is probably using it to customize proposals. Your operations person is probably using it to understand a new regulation. None of that is wrong. All of that is helping them do better work.

The problem is the person who doesn't know they're not supposed to paste the customer master list into ChatGPT to get it organized, or the attorney who copy-pasted a contract to get a quick summary without thinking about whether the contract is under NDA, or the finance person who used ChatGPT to draft expense policy language by feeding it your existing policy.

All of those are reasonable mistakes if the policy was not clear.

Most of my clients start exactly where you are: employees using AI, no visible system, no governance, and a vague worry that something bad is going to happen. The AI Ops Audit includes a shadow AI assessment, we interview your team, look at which tools are in use, and map the data flow. We identify your highest-risk cases. Then we build a policy, set up a private tool, and help you roll it out.

You're not trying to stop AI use. You're trying to make sure it's transparent, governed, and not leaking data. Take the free assessment to see where your shadow AI risk sits today.

If you want the full 5-step framework with the audit, policy, sanctioned tooling, training, and metrics covered end to end, read the Shadow AI Playbook.