In almost every governance engagement we run, the same scene plays out. Leadership tells us the organisation "hasn't really started with AI yet." Then we run a confidential staff survey, and the numbers come back: a majority of knowledge workers are already using AI tools weekly. Drafting client emails. Summarising contracts. Cleaning data. Preparing board notes.

None of it approved. None of it logged. Much of it involving data that should never have left the building.

This is shadow AI, and it is currently the most under-reported operational risk in Indian enterprises — not because it is exotic, but because it is invisible by design. Employees don't report using unsanctioned tools for the same reason they don't report taking a shortcut through the warehouse: it works, everyone does it, and raising it invites trouble.

Why banning fails

The instinctive response is a circular: AI tools are prohibited until further notice. We have watched this policy fail in every organisation that tried it, for a simple reason — the prohibition competes against a tool that saves each employee several hours a week, costs them nothing, and leaves no trace. The ban doesn't stop usage. It stops visibility of usage, which is strictly worse. Your risk is unchanged; your ability to see and manage it is gone.

A banned tool that saves four hours a week doesn't disappear. It goes underground, taking your data with it.

What discovery actually reveals

A proper shadow-AI discovery has three parts: an anonymised staff survey with an explicit amnesty, a review of network and expense data for AI-tool signals, and structured conversations with team leads. The findings follow a pattern:

  • Usage is broadest exactly where data sensitivity is highest — finance, legal, HR — because that's where the document burden lives.
  • The tools in use are almost all free consumer tiers, which typically offer the weakest data protections.
  • Employees are not reckless; they are unguided. Most will happily follow rules that exist. The rules don't exist.

The two-week plan

Getting in front of shadow AI does not require a transformation programme. It requires two weeks of decisive work. Week one: run the discovery with a genuine amnesty — nothing surfaced in the survey may be punished, or you will never get honest data again. Issue an interim acceptable-use note the same week: two pages, plain language, covering what data may never enter external tools.

Week two: give people a sanctioned path. Approve one or two enterprise-grade tools with proper data terms, and tell staff what they may use them for. The sanctioned option must be at least as good as what people are using secretly, or the shadow economy simply continues.

From there, the longer-term governance work — policy, approval workflow, training, monitoring — has a foundation of facts rather than assumptions. But the order matters: discovery first, enablement second, enforcement last. Organisations that start with enforcement end up governing a fiction.

The uncomfortable truth is also the encouraging one: your organisation has already voted, with its behaviour, that AI is useful. The question is no longer whether AI enters your business. It is whether it enters through the front door, with your rules attached.