How shadow AI actually shows up in a construction business
A QS pastes the full text of a tender — including pricing, scope, and the client's internal notes — into ChatGPT to summarise it.
A bid manager runs the previous year's tender responses through Claude to extract reusable copy. Those responses included client-specific commercial terms.
An admin uploads a meeting transcript with a major client into a transcription tool to "tidy it up." That transcript included confidential commercial discussion.
None of these people are doing anything wrong by intent. They're being efficient. But every one of them has just moved sensitive business data onto a third party's servers, usually outside the UK, under consumer terms of service nobody in the business has read. On some services, those terms allow whatever was pasted in to be retained and used to train future versions of the model unless the user has opted out.
The three risks no one is calculating
GDPR. Tender documents, bid responses and meeting transcripts almost always contain personal data: client contacts, site staff, subcontractor details. Most consumer AI tools process that data outside the UK, and pasting it in is a disclosure to a third party with no processor agreement and no transfer safeguards in place. That can be a personal data breach under UK GDPR, and if it is likely to put the people concerned at risk it must be reported to the ICO within 72 hours of discovery. The maximum penalty is £17.5 million or 4% of global annual turnover, whichever is higher.
PI insurance. Most PI policies require you to maintain confidentiality of client information and to take reasonable precautions to protect it. A leak through an unapproved AI tool gives the insurer grounds to dispute a claim on the engagement that produced it, which is exactly the moment you need the cover.
Cybersecurity. AI tools are attack surfaces in their own right. Prompt injection: instructions hidden in a document, email or web page that the tool reads can make it leak whatever else it has been given or act on the attacker's behalf. Leaked credentials: API keys, passwords and share links pasted into a prompt sit in the provider's chat history, and the browser extensions many of these tools install can read every page the user visits. AI-generated phishing: the same tools let an attacker write convincing, client-specific lures in minutes. A team using fifteen different free AI tools is a much larger attack surface than the same team using one approved tool: fifteen accounts, fifteen passwords (usually reused), fifteen third parties holding your data, and no one watching any of them.
None of these risks show up on a standard cyber audit. They sit in a category no one in the business is responsible for, so no one is counting them.
What a sensible AI policy looks like (and what it isn't)
A sensible policy is not "no AI." That ship has sailed. The team will use AI either way. A "no AI" policy just means they use it without telling you.
A sensible policy names which AI tools the business has approved, what data can be put into each, and what cannot. It nominates one person (usually a senior operations or IT lead) as the point of contact for "is this OK?" questions.
It's short — usually one page. It's reviewed quarterly because the tools change fast. And it pairs with light training so the team understands not just the rules but the reasoning.
Where to start this week
Ask the team. Not as an interrogation — as an inventory. "Which AI tools have you used in the last month? What did you put into them?" The answers are usually surprising.
That conversation, by itself, tells you whether you have a policy problem (no rules) or a tooling problem (no approved tool that does what they need).
The fix is usually small. One approved AI tool, one paragraph of guidance about what data it's safe to use with, and one person to escalate questions to. From there, the work of catching up to good practice is mostly habit, not technology.
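The conversation is the inventory, but a practitioner will want to cross-check what people remember against what the network actually saw. The script below is an added example, not part of the original article: it tallies requests to known AI services per user from web-proxy or DNS logs and lists the tools that fall outside the approved set. It assumes a simple three-field log line (timestamp, user, destination host), a hand-maintained domain table, and a single approved tool; the domain table, the approved set and the sample log lines are all constructed for the example and not an authoritative list.

```python
"""Cross-check a shadow-AI inventory against proxy or DNS logs.

Added example, not from the original article. Assumes one request per
line in the form:  <ISO timestamp> <user> <destination host>
AI_TOOL_DOMAINS and APPROVED are assumptions the business must maintain.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Hypothetical table mapping service domains to a tool name. Subdomains
# (api.anthropic.com, chat.openai.com) match via the parent-domain walk below.
AI_TOOL_DOMAINS = {
    "chatgpt.com": "ChatGPT",
    "openai.com": "ChatGPT",
    "claude.ai": "Claude",
    "anthropic.com": "Claude",
    "gemini.google.com": "Gemini",
    "copilot.microsoft.com": "Copilot",
    "otter.ai": "Otter",
}

# The one tool the business has approved (assumption for this example).
APPROVED = {"Copilot"}


def tool_for_host(host: str) -> Optional[str]:
    """Return the tool name for a host, checking each parent domain in turn."""
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in AI_TOOL_DOMAINS:
            return AI_TOOL_DOMAINS[candidate]
    return None


def inventory(log_lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Return {user: {tool: request_count}} for AI-service traffic only."""
    usage: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line: skip it rather than abort the run
        _timestamp, user, host = fields[:3]
        tool = tool_for_host(host)
        if tool:
            usage[user][tool] += 1
    return {user: dict(tools) for user, tools in usage.items()}


def unapproved(usage: Dict[str, Dict[str, int]]) -> Dict[str, List[str]]:
    """Return {user: tools used that are not on the approved list}."""
    out: Dict[str, List[str]] = {}
    for user, tools in usage.items():
        extra = sorted(t for t in tools if t not in APPROVED)
        if extra:
            out[user] = extra
    return out


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
2024-05-13T09:01:12Z qs.alice chatgpt.com
2024-05-13T09:14:02Z bids.bob claude.ai
2024-05-13T09:14:40Z bids.bob api.anthropic.com
2024-05-13T10:02:11Z admin.carol otter.ai
2024-05-13T10:05:00Z admin.carol copilot.microsoft.com
2024-05-13T10:30:09Z qs.alice www.bbc.co.uk
garbage line
""".splitlines()

if __name__ == "__main__":
    usage = inventory(SAMPLE_LOG)
    for user, tools in sorted(usage.items()):
        print(user, tools)
    print("Unapproved:", unapproved(usage))
```

Treat the output as a prompt for the conversation, not a verdict: the log only shows hostnames, so it says which tools were reached, not what was pasted into them; it misses phones and home machines; and the domain table goes stale as services rename and launch, so it needs the same quarterly review as the policy itself.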