Employees are already using generative AI at work — with or without permission. The question is whether that usage is governed or ungoverned.
The Ungoverned Reality
Most organisations that have not published a generative AI policy already have employees using consumer AI tools — ChatGPT, Claude, Gemini — for work tasks. They are pasting customer data into chat interfaces, drafting contracts with AI assistance, and generating code from proprietary specifications. This happens regardless of IT policy because the productivity benefit is immediate and the personal risk is not obvious to the employee. The choice is not between adopting AI and not adopting it; it is between governed adoption and ungoverned adoption.
Data Residency and Confidentiality Risks
Consumer AI tools send input data to the vendor's servers for processing. For most vendors, consumer-tier data is used for model training. Enterprise-tier agreements typically exclude training use and may include data residency commitments, but those protections exist only where the contract states them explicitly; do not assume them. Before sanctioning any AI tool for work use, review the vendor's data processing terms for: training data exclusions, data residency (US, EU), retention period, and what happens to your data if the service is terminated.
The Policy That Works
Effective AI governance policies have three tiers: approved tools (enterprise agreements reviewed and signed, data processing terms verified); tools allowed for non-confidential use only (consumer tools for drafting, brainstorming, and research, never for customer data, IP, or confidential information); and prohibited tools (tools with no enterprise tier, tools operated by sanctioned entities, or tools with inadequate data protection terms). Publish the tiers clearly, train employees on why the restrictions exist, and review the approved list quarterly as the landscape changes.
Deploying AI with Enterprise Controls
Microsoft 365 Copilot, Google Workspace Duet AI, and AWS Bedrock provide generative AI capabilities with enterprise data protection commitments. Microsoft Copilot in particular is interesting for M365-heavy organisations because it can access your SharePoint, Teams, and email data without sending it to OpenAI's consumer infrastructure; the processing happens within your Microsoft tenancy, with your existing data governance controls applying. The governance decision then shifts from data residency to access controls. Copilot respects SharePoint permissions, which means it surfaces exactly what the requesting user is already permitted to read: oversharing that was previously obscure becomes easily discoverable through a prompt, so the quality of your permissions governance determines what Copilot can access and generate.
- Employees are using consumer AI tools for work whether or not you have a policy — governed adoption is better than ungoverned adoption
- Consumer AI tiers typically allow training data use — enterprise agreements must explicitly exclude this
- A three-tier policy (approved / conditionally allowed / prohibited) is more effective than a blanket ban or blanket approval
- Microsoft 365 Copilot processes data within your tenancy — access controls and SharePoint permissions governance determine what it can access, so fix oversharing before deployment