By Steve Barham, President and Managing Shareholder, Chambliss, Bahner & Stophel, P.C.
In today’s business landscape, artificial intelligence tools are widely used, transforming
everything from content creation and data analysis to customer service and operational
efficiency. These technologies offer new opportunities to innovate and boost productivity, with
surveys revealing that 90% of workers say AI saves them time on tasks. However, as AI
adoption accelerated — with 75% of workers using AI in the workplace according to Microsoft’s
2024 research — businesses urgently need formal AI use policies. In an era where AI adoption is
inevitable, the question is not whether organizations will use these technologies, but whether
they’ll use them safely and strategically. Without clear rules and oversight, organizations risk
exposing themselves to security risks, intellectual property issues, and disruptions that could hurt
their competitiveness and compliance.
The Reality of Workplace AI Adoption
Survey data from 2024 shows how deeply AI has entered workplaces, with McKinsey reporting
that 78% of organizations were using it in at least one business function. More enlightening for
organizational leaders, generative AI usage surged to 71% of companies, with nearly half of
workers starting to use AI within six months of being surveyed.
These statistics reveal not just rapid adoption but also uncontrolled growth continuing into 2025.
The Federal Reserve Bank studies conducted across multiple districts in 2024 showed a troubling
trend: employees are often using AI tools on their own without oversight. This phenomenon,
known as “shadow AI,” mirrors the earlier challenge of shadow IT but is riskier because AI can
process and expose sensitive data. CybSafe and the National Cybersecurity Alliance found that
38% of employees share sensitive work information with AI tools without their employer’s
permission, creating ongoing data security risks.
Mounting Risks and Real-World Consequences
The risks of unsanctioned AI use go well beyond theory. Data confidentiality breaches are an
immediate threat, as AI models often retain interaction data, opening the door to leaks of
proprietary information. A telling example emerged from the telecommunications industry,
where employees inadvertently leaked proprietary source code into an AI engine outside
protected corporate accounts, showing how easily intellectual property can be exposed.
Security risks grow when employees use unvetted AI apps with regulated data. Without data
processing agreements (DPAs) due to use of unsanctioned vendors, organizations may lose audit
trails, making it hard to control access or prove compliance.
Compliance adds another layer of challenges, especially around data protection and privacy
rules; when employees use free online AI tools to paraphrase reports or generate performance
reviews, they may accidentally violate GDPR, HIPAA, or industry-specific regulations.
Strategic Implementation Framework
Developing an effective AI use policy requires balancing innovation with risk management.
Organizations should begin by bringing together technical experts, leaders, ethics reviewers, and
end-users to set up clear governance with defined roles. The policy framework should cover key
areas: approved AI tools and platforms, data handling protocols, confidentiality requirements,
and guidelines for appropriate use cases. Rather than implementing blanket restrictions — which
2024 research shows are ineffective, as 50% of organizations that ban AI still experience
unauthorized shadow AI use — policies should create structured, controlled ways to adopt AI.
Training is crucial, and should cover AI basics, handling confidential data, best practices for
working with AI, and knowing its limits. Companies should also use safeguards like DNS
filtering to block unsanctioned AI while giving employees access to approved, secure tools.
Policies should be tailored to factors like industry rules, company size, data sensitivity, and
existing tech. For example, financial firms may need tighter controls than creative agencies,
while healthcare must prioritize HIPAA compliance.
The Path Forward
Proactively establishing comprehensive AI use policies brings benefits beyond reducing risk.
Clear guidelines enable employees to leverage AI tools confidently while maintaining security standards, boosting productivity without risking data. Organizations with formal policies also
show regulators and stakeholders due diligence, which can reduce liability if issues arise.
The competitive advantages include attracting and keeping talent, as employees increasingly
expect employers to provide access to cutting-edge tools safely. Companies that successfully
balance AI innovation with responsible governance stand out as forward-thinking while staying
secure in an AI-driven market.
However, AI policy development is an ongoing commitment, not a one-time effort. As AI keeps
evolving and new risks appear, organizations must regularly review and update policies, assess
tools, and improve training. The dynamic nature of AI development demands that policies
remain living documents, continuously adapted to reflect emerging technologies, evolving
regulatory requirements, and lessons learned from implementation experience. Formal AI use
policies lay the foundation to harness AI’s potential while protecting assets and trust in 2025 and
beyond.
Steve Barham is the President and Managing Shareholder at Chambliss, Bahner & Stophel, P.C.
For guidance on how AI may affect your business, including the development of AI use policies
and employee training, contact Steve or your relationship attorney.
