Summary
This post is a continuation of our earlier piece, Shadow AI Is Becoming the Biggest Data Leak Most Companies Cannot See. That article set out the scale of the problem, including how unmanaged AI tools are quietly exposing sensitive business data across organisations of every size. If you have not read it yet, it is worth doing so alongside this one. Here, we move from the problem to the practical steps you can take to address it.
Artificial intelligence is no longer a future consideration. It is already inside your organisation. Staff are using ChatGPT to draft emails, Copilot to summarise documents, and a growing number of AI-powered tools to speed up tasks that used to take hours. The question is not whether your people are using AI. It is whether they are using it safely, and whether you have any visibility into what is happening.
For most organisations, the honest answer is no. And that is a significant risk.
The good news is that implementing AI in a structured, secure way is entirely achievable. It does not require a massive budget or a dedicated AI team. What it does require is a clear policy, a willingness to listen to your staff, and the right controls in place before problems arise.
Start With the Policy, Before Anything Else
If you do not have an AI policy, you need one before any other step. This is non-negotiable. Without a policy, you have no baseline, no accountability, and no legal standing if something goes wrong.
Your AI policy should address several core questions. What AI tools are approved for use? What types of data can be processed through them? Who is responsible for AI-related incidents? How will staff be trained? What happens if the policy is breached?
If you are operating in the EU, or handling data that falls under EU jurisdiction, your policy also needs to align with the EU AI Act. Enforced from August 2024, the EU AI Act introduces a risk-based framework for AI systems. High-risk applications, including those touching areas such as healthcare, critical infrastructure, and employment decisions, carry significant compliance obligations. Even if your current AI use sits in the lower-risk categories, the Act establishes transparency and accountability standards that all organisations should be building toward.
If you are not yet confident that you can produce a compliant policy, take a temporary step back. Suspend the use of unsanctioned AI tools, including public-facing chatbots and autonomous agents, until the policy is in place. It may feel like a disruptive call to make. It is far less disruptive than a data breach or a regulatory finding.
Run a Pilot Before You Roll Out
Once your policy exists, resist the urge to immediately enforce a set of tools and rules across the whole organisation. Instead, run a structured pilot first, ideally over a period of three to four weeks.
The goal of the pilot is not to test the technology. It is to understand how your people are actually using AI right now. What tasks are they turning to it for? What data are they inputting? Are they aware of the risks? Do they understand what is appropriate and what is not?
The best way to get this picture is to combine usage monitoring with direct conversation. Conduct short interviews with staff across different departments. Keep the tone relaxed and exploratory, not interrogative. You will likely find a wide range of behaviours, from highly sophisticated use cases to staff who are routinely pasting customer data into public AI tools without a second thought.
This intelligence is valuable. It tells you where your training effort needs to focus, what controls are most urgent, and what AI use cases might actually deliver business value if managed correctly. Do not skip this step in the rush to implement.
Implement the Right Technical Controls
Understanding the risk is one thing. Mitigating it is another. There are tools available that sit between your users and the AI platforms they interact with, monitoring and blocking the transfer of sensitive information in real time.
Two worth noting are NROC and CrowdStrike Falcon AI-DR. Both operate as AI data loss prevention layers, capable of detecting and preventing sensitive data such as personally identifiable information, financial records, and confidential business data from being transmitted to large language models. These tools do not block AI use altogether. They make AI use safer by enforcing boundaries that staff may not always enforce themselves.
Alongside these specialist tools, review your broader data classification and access control policies. The principle of least privilege applies as much to AI interactions as it does to any other system. If a member of staff does not need access to a particular category of data to do their job, they should not be able to inadvertently expose it through an AI tool either.
Document every control you implement. If you face a regulatory inquiry or a client due diligence question, your ability to demonstrate that you have a structured, auditable approach to AI governance will matter.
Make Training a Collective Cultural Initiative
One of the most common mistakes organisations make when rolling out new policies is treating training as a tick-box exercise. A short e-learning module, a policy sign-off, and a checkbox in the HR system does not constitute a culture of AI awareness.
Approach AI training as a collective effort, not a compliance task. Bring teams together. Run workshops that are specific to how each department uses or might use AI. Use real examples, including examples of things that have gone wrong in other organisations, to ground the conversation in practical reality.
The framing matters enormously here. This is not about telling staff that AI is dangerous and they should be afraid of it. It is about helping them understand how to use it effectively and responsibly, and why the guardrails exist. People are far more likely to follow policies they understand and respect than policies that feel like restrictions imposed from above.
Leadership visibility matters too. When senior leaders demonstrate that they take AI governance seriously, it signals to the rest of the organisation that this is a genuine priority, not a passing initiative.
Coordinate Across Teams, Then Review Continuously
AI governance cannot live in the IT department alone. The decisions being made about what tools to use, what data to share, and how AI outputs are used in decision-making touch every part of the business. Legal, compliance, HR, operations, and marketing all have a stake in this.
Establish a cross-functional working group with representation from each key area. This group should own the ongoing review of your AI policy, assess new tools before they are adopted, and act as the internal point of escalation when issues arise. It does not need to meet weekly, but it does need to meet regularly and have genuine authority to act.
Build in a formal review cycle. AI technology is moving fast. The tools available today are not the tools that will be available in twelve months. Your policy and your controls need to keep pace. Schedule a comprehensive review at least every six months, with lighter-touch check-ins in between.
The Shadow AI Problem Disappears When You Get This Right
Shadow AI, the use of unsanctioned AI tools that exists outside your visibility and control, is one of the fastest-growing risks in enterprise security. It is not a new phenomenon. It is the same pattern organisations saw with shadow IT twenty years ago, and it creates the same problems: ungoverned data flows, unmanaged risk, and a false sense of security. If you want to understand exactly how that exposure manifests in practice, our earlier post on Shadow AI and data leakage covers it in detail.
The antidote is not surveillance or restriction. It is a policy that is clear and fair, training that genuinely builds understanding, and approved tools that actually meet the needs staff are trying to address. When people have access to AI tools that are fit for purpose and easy to use within sanctioned boundaries, the incentive to go around the controls largely disappears.
Get the foundation right, and AI becomes an asset rather than a liability. A structured, policy-led approach gives your organisation the confidence to move forward with AI adoption, knowing that the risks are understood, managed, and proportionate. That is a significantly better position than discovering what your staff have been doing six months after the fact.
CommSec helps organisations navigate the governance, risk, and compliance challenges that come with AI adoption. If you are working through your AI policy or need guidance on the technical controls that support safe implementation, we are happy to help. Contact us now.
Previous post to this topic: Shadow AI Is Becoming the Biggest Data Leak Most Companies Cannot See