More than one-third of IT pros aren’t confident employees know AI policies

How many of your colleagues are actually familiar with your company’s AI usage policies? New data suggests your guess is as good as anyone’s.

According to IT Brew’s 2026 State of the Industry survey, 35% of IT pros have little to no confidence that employees using AI at their companies are aware of corporate AI usage and data security policies. Only 12% of professionals said they felt “very confident” about AI-using employees’ knowledge of relevant guidelines. (The survey drew responses from 241 IT pros.)

What a shocker. If that’s surprising, hold on to your seat: Other IT pros who spoke with IT Brew were unmoved by their peers’ self-doubt. For example, Xage Security CEO Duncan Greatwood said he suspects the proportion of companies whose employees aren’t schooled in their internal AI policies is much larger than the data might suggest.

“The number of companies where the employees have truly internalized what they need to do to keep their data secure with AI usage is probably pretty small, actually,” Greatwood said, adding this should be a concern due to the risk of shadow AI and unsanctioned use of the technology.

“Being secure when you’re using AI ends up being reliant on too many fine distinctions, like subtle policies that people don’t easily remember and don’t apply when they’re in a hurry and trying to do their work as efficiently as they can,” he said.

You can’t spell automation without “u” and “i.” How do you engage employees when rolling out AI-related policies? It starts early on, according to OneDigital CIO Marcia Calleja-Matsko, who told IT Brew there needs to be a “people component” in automation initiatives, and that companies should prioritize helping internal stakeholders understand the driving forces behind such projects.

“That’s something that companies and teams often forget about,” Calleja-Matsko said. “They just tell them, ‘This is what we’re doing without helping them understand. This is why we’re doing this. This is how it’s going to help you, the company, your teams, etcetera.’”

Mike Toole, director of security and IT at security operations platform company Blumira, said user education is critical after rolling out AI initiatives and policies.

“Yes, anyone could chat with an AI, but there’s a lot of ‘gotchas.’ There’s a lot of best practices,” Toole said. “How do you want your users to do this? You can’t really expect them to just know, because it’s gonna be different for every org.”

And it’s not a one-and-done deal. Repetition is key after rolling out an official AI or data security policy, according to Greatwood.

“You send them an email, they’ll have forgotten in a day. If you make them go to a meeting, they’ll forget in a week,” Greatwood said. “If you keep telling them regularly, then you have some chance that it will stick.”

Not a catch-all solution. Toole said expecting employees to know and follow internal AI policy should never be expected to serve as a company’s full line of defense against AI misuse. Instead, he said companies should rely on having a good policy, educating users, and having end controls as guardrails.

“You just can’t ask people to do the right thing because everything is so complex these days,” Toole said. “It’s not reasonable.”