
Employees know about company AI policies, but break them anyway

Almost 50% of knowledge workers say they have knowingly breached a company AI policy.


When you know better, you do better…or do you? For some employees, that’s not the case when it comes to using AI responsibly in the workplace.

According to a June report by AI-native browser security platform Neon Cyber, almost half (48.3%) of US knowledge employees admit to knowingly breaching an AI policy within their company. The findings are based on a May survey of 227 US knowledge workers who use AI at work.

Employees also admitted to circumventing AI policies to use tools of their choice without restraint. About half (49.3%) said they would use a tool even if it wasn’t approved yet. Another 41.9% said they would copy work data into a personal, unapproved tool “just this once.”

Policy is no longer the problem. In its report, Neon Cyber said “policy clarity” is no longer the obstacle facing companies. More than six in ten (63%) employees said their company had a clear AI policy that they understand.

Instead, companies are now grappling with an enforcement gap, which, according to Neon Cyber co-founder and COO Mark St. John, exists because of the extreme pace at which new AI tools appear: “It is a Whac-A-Mole situation for IT teams and security teams…because they have users adopting technology so fast.”

“We’re very much in a ‘asking for forgiveness instead of permission’ mode right now with end users, and we have to adjust to that a little bit,” St. John added.


What’s at risk? When companies fail to enforce their AI policies, St. John warned, they run the risk of unintended data disclosure.

“We’ve seen government workers put in sensitive spreadsheets into ChatGPT,” St. John said. “We’ve seen people just accidentally copy and paste things. You can’t get that data back from these large models.”

How to properly enforce. In order to enforce AI policies, it is important to have visibility into the browser surface where tools are being used, said Neon Cyber co-founder and CEO Cody Pierce.

“You can’t secure what you can’t see,” Pierce said. “And I think with AI, that is absolutely going to be number one that people need to work on.”

Enforcement can look like encouraging the use of one AI tool versus another that your company doesn’t have a license for, St. John added.

“And then from there, it’s taking the basic steps to say, ‘Hey, you can log in with corporate accounts. You can’t use Gmail to log into these things,’” he said.

What not to do. St. John told IT Brew that many companies are approaching enforcement by blocking AI tools from being used, which he said is not the best strategy.

“That creates a lot of friction,” St. John said. “That friction will cause people to seek alternatives on their own, which leads to the shadow AI problems.”

About the author

Brianna Monsanto

Brianna Monsanto is a reporter for IT Brew who covers news about cybersecurity, cloud computing, and strategic IT decisions made at different companies.
