LogicGate CEO Matt Kunkel featured alongside other strategic leaders
Ironically, employees who know the most about AI are often the ones breaking the rules and adopting unauthorized AI tools at work. As a result, CIOs are rethinking governance, training, and tooling to balance employee experimentation with security and oversight.
Last year, an engineer working for a messaging app posted a question on TeamBlind, the anonymous forum for verified tech workers: Did every company restrict ChatGPT, Claude, and Gemini — or was it just his?
When the company he worked for banned these tools, it offered an internal alternative built on ChatGPT, but the engineer didn’t like it because it slowed him down. “It was kinda useless,” he said.
The TeamBlind thread quickly filled with responses from techies at other organizations who joined him in his frustration that company-approved AI tools were heavily restricted or stripped of many useful features.
A week later, the same engineer returned to the forum with a workaround. Using a WebAssembly-based LLM engine, he managed to run a coding model entirely inside his browser, with conversations stored locally and no outbound network traffic for his employer to detect. “Happy coding,” he wrote on the forum. “DM me for features.”
Often, the employees who best understand the capabilities of gen AI are also the most likely to bend or break organizational rules governing its use. Engineers and, perhaps counterintuitively, other workers who have undergone mandatory AI training often see official guardrails less as strict boundaries and more as hurdles to overcome in the name of speed. A recent LexisNexis report found that 74% of AI-trained employees use unauthorized AI tools, versus only 17% of untrained employees.
“The issue is the gap between employee capability and enterprise-ready tooling,” says Dani McCormick, VP of product at Nexis Solutions. “Those with greater awareness of AI tools are more likely to experiment and incorporate them into their workflows.”
Training appears to remove some of the hesitation employees may initially feel toward gen AI, which can act as a barrier to adoption. “The takeaway isn’t that training creates risk, but that it surfaces demand faster than many organizations are prepared to meet,” McCormick adds.
Given all these, CIOs need to walk a fine line between encouraging AI adoption and controlling how these tools are used. That’s a difficult task that requires a rethink. As employees grow more comfortable with gen AI, traditional approaches, including blanket bans, may no longer work and can even prove counterproductive.
A more productive approach would be to capitalize on shadow AI’s silver lining. Using restricted AI tools can also be a sign that employees see value and are trying to move faster, says Seth Cohen, CIO at P&G. “The opportunity is to bring that learning into a system that’s right for the company and can scale,” he says.
But figuring out how to create that system can be a challenge for many CIOs under pressure to encourage experimentation while also protecting sensitive data and maintaining control over an increasingly fragmented AI landscape.
Build better trainings
One of the biggest challenges organizations face with AI use is how uneven it can be across the business. While some teams have integrated AI deeply into their daily workflows, others remain hesitant or disengaged.
“That imbalance is often where unsanctioned usage is most visible, and where there’s the greatest opportunity for better alignment,” says McCormick.
One way to close that divide is through hands-on AI training programs that address both the technical and ethical dimensions of AI use. These programs should teach employees how to integrate authorized AI tools into their daily work while explaining why using those authorized platforms matters, from protecting sensitive data and ensuring compliance, to maintaining transparency and accountability across the organization.
“Training is most effective when employees can apply it in their day-to-day roles, whether that’s improving decisions, accelerating innovation, or strengthening execution,” says Cohen.
These trainings should include everyone, not just tech workers, because gen AI tools are becoming mainstream, and employees with little formal technical background are increasingly experimenting with them on their own — a trend many CIOs have noticed.
“I’d say around 30% of untrained staff are more curious and exploring capabilities,” says Art Thompson, CIO at the City of Detroit. The real focus, he adds, should be empowering people to use technology responsibly. “If not, the shadow ecosystem will grow and we’ll have less visibility than we do today,” he adds.
A strong AI training program needs to address judgment, governance, and trust all at once, while also giving employees a broader understanding of the organization, its partners, and the wider ecosystem in which their AI tools operate. Workers need to understand how their choices can affect data security, customer trust, regulatory compliance, and business relationships.
Thompson saw that many employees still fail to understand how AI vendors source information or how outputs should be verified. “Having rules is a great start, but people need to understand the guidance to use the tools responsibly,” he says. “Having business units buy into the governance piece and be a part of the IT culture is a great way to help shape that.”
Several CIOs argue that rule enforcement should be done carefully. “If employees fear they’ll be disciplined for experimenting with AI, they won’t stop using it, they’ll just hide it,” says Matt Kunkel, CEO and co-founder of AI GRC platform LogicGate. “Instead, organizations should create an environment where employees feel comfortable disclosing AI use without fear of retribution, and reward employees who flag potential AI risks.”
Addressing employee AI needs
Designing better training programs and stronger governance frameworks is only half the challenge. Organizations also need to address the underlying reason employees turn to shadow AI in the first place, which is looking for tools that help them work faster and reduce friction in their daily tasks.
In many cases, if someone is willing to pay out of their own pocket for an AI tool, it may mean they’re not getting what they need from the organization’s official systems.
“That’s both a risk issue and a missed opportunity,” says Prakash Kota, CIO at UKG. “Shadow AI grows in the gap between what employees are ready to do and what the organization enables them to do.”
According to Kota, this should be seen as an opportunity to better understand what employees are trying to accomplish and where official tools fall short.
Richard Amos, CIO of IT services provider Blue Mantis, agrees with this approach. “In general, I’d seek to first understand if approved tools are hard to use, limited, or slow to provision,” he says. “If they are, employees will find alternatives. People naturally look for ways to get their work done better.”
Amos adds that, in most cases, employees who use unauthorized AI tools don’t act with malicious intent. Often, shadow AI doesn’t emerge from defiance but from curiosity, frustration, or a desire to work faster. “Once the use case is understood, it may be an opportunity to review it at the AI governance committee and consider it for the backlog,” Amos adds.
Paying attention to the AI tools employees use covertly can also help CIOs spot emerging trends before they become larger governance or security issues. Organizations with visibility into employee experimentation are often better positioned to understand which tools workers actually find useful.
“You’ll also catch new tools the moment they show up,” says Ryan Fritts, CIO of security provider Everon Solutions.
Picking up the pace
Several organizations have upgraded their AI tools after realizing that employees were turning to unauthorized alternatives to fill gaps in existing systems. But simply offering approved tools isn’t enough. Those platforms also need to remain flexible and adaptable enough to evolve alongside employees’ needs, and the rapid pace of AI innovation. “No one will be excited to build digital solutions on a platform that uses outdated models,” says Cohen.
Some organizations even give employees more flexibility by allowing them to choose among several of the latest commercially available foundation models. Others provide secure AI environments where workers can safely experiment.
“Allow for freedom within a framework and ensure active learnings are captured to improve the overall platform offerings,” Cohen says.
The underlying challenge is finding the right balance between rules and freedom, giving employees enough space to integrate AI effectively into their work while still maintaining oversight. CIOs need to build systems and cultures that allow teams to learn without exposing the organization to unnecessary risk.
And instead of playing an endless guessing game with new AI apps, organizations may gain more by focusing on their data.
“The work that actually moves the needle is on the data side, getting clear on what data sits where, and being able to enforce policy on it in real time,” Fritts says. “Get the data posture right and most of the shadow AI panic quiets down on its own.”