Security Awareness — Shadow AI & Unapproved Tool Adoption

An Employee Found an AI Writing and Summarization Tool That Makes Her Significantly More Productive. It’s Not on the Company’s Approved Tool List. She Isn’t Pasting Sensitive Data Into It. The Policy Doesn’t Mention It. Is She in Compliance?

A real Shadow AI and policy gap compliance scenario — distinct from the data-pasting AI scenario. This one is about the tool adoption gap, not the obvious wrong action.

Quick Answer

Is using an AI tool for work tasks acceptable when the tool isn’t on the approved list, the employee isn’t sharing sensitive data through it, and the policy doesn’t explicitly address it?

No, and the policy gap is the most important element of this scenario. “The policy doesn’t say I can’t” is not the same as “the policy says I can.” Most enterprise AI acceptable use policies were written before the current generation of AI tools existed and contain gaps that employees interpret as permission. Using an unapproved AI tool for work tasks exposes the organization to unassessed data-handling risks, may violate vendor agreements or data processing requirements under privacy regulations, and contributes to a Shadow AI ecosystem that security teams cannot monitor or manage. The right action is to surface the tool to IT and request an assessment—not to proceed on the basis of policy silence.

The Situation

A marketing manager at a financial services company discovered an AI drafting and summarization tool three months ago. She uses it to draft first-pass versions of campaign briefs, summarize meeting notes, and structure internal presentations. The tool has significantly reduced the time she spends on routine writing tasks. She is not using it to process client data, financial records, or anything she would identify as confidential. She is using it with content she’s drafted internally.

The company has an AI acceptable use policy that was last updated 18 months ago. The policy addresses not inputting client personal data into public AI tools and requires disclosure when AI-generated content is published externally. It does not include a list of approved tools, does not address tools used for internal drafting, and does not explicitly prohibit the use of AI tools that aren’t on an approved list — because the approved list doesn’t exist yet.

The employee’s reasoning: “The policy doesn’t say I can’t use it. I’m not doing anything the policy prohibits. And it’s helping me get more done.”

What Should the Employee Do?

Choice A: Continue using the tool. The policy doesn’t prohibit it. She isn’t doing anything the policy says is wrong. The tool is making her more productive and hurting no one.

Choice B: Stop using the tool and surface it to IT for assessment — documenting what the tool does, how she’s been using it, why it’s valuable, and requesting that IT assess whether it can be approved or whether an equivalent approved alternative exists. Resume using it only after IT has assessed and cleared it.

Choice C: Ask her manager if it’s okay to keep using it — if the manager says yes, she has organizational approval and can continue.

The Right Call

Choice B — Stop using and surface to IT for assessment.

Choice A relies on a policy silence as permission, which it isn’t. The policy is outdated, and the gap is not authorized. Using any external service to process work content — even internally drafted material — may implicate data processing agreements, vendor terms, GDPR or CCPA data processing requirements, and the company’s vendor risk management obligations. None of those analyses has been done for this tool. Choice C has the same problem as in the Shadow IT scenario: the manager’s approval is not IT security authorization and doesn’t close the gaps the assessment would address. Choice B is the path that gets the tool assessed — and if IT approves it, she gets to use it officially. That’s a better outcome than using it unofficially and creating exposure that surfaces in an audit.

Why This Is Harder Than It Looks

This scenario is distinct from the “pasting sensitive data into ChatGPT” scenario — and that distinction matters for training.

The employee in this scenario isn’t doing the obvious wrong thing. She’s not pasting client data into a public AI tool. She’s using AI for internal productivity in a way that feels clearly harmless. The training value is in surfacing the risks that exist below the obvious: data processing compliance requirements, vendor risk exposure, the organizational visibility gap, and the policy gap rationalization that allows Shadow AI to spread through organizations under the cover of productivity improvement.

AI tool terms of service often include training data provisions that the employee hasn’t read.

Many publicly available AI tools include terms that allow user inputs to be used for model training — meaning the employee’s “internally drafted content” may be feeding a training dataset. Even if the content isn’t confidential at the time of input, it may contain strategic framing, competitive intelligence, or organizational voice and process information that the company would prefer to keep internal. The employee accepted terms she didn’t read, on behalf of an organization that didn’t assess them.

The productivity benefit is real — and it makes the policy gap rationalization feel even more justified.

The fact that the tool genuinely improves her productivity is not a compliance consideration — but it is a powerful rationalization fuel. “I’m doing better work, I’m not hurting anyone, the policy is behind” is the framing that allows Shadow AI to become normalized across entire marketing, legal, HR, and operations teams before the organization has conducted a single vendor risk assessment on the tools being used.

Frequently Asked Questions

What is Shadow AI, and how does it differ from the AI data exposure risk employees usually hear about?

Shadow AI refers to the use of AI tools within an organization without IT approval or security assessment — the tool adoption gap rather than the data-pasting problem. Most AI security training focuses on the obvious risk: don’t paste client data into ChatGPT. Shadow AI training addresses the broader risk: any use of unapproved AI tools for work tasks creates vendor risk, data processing compliance, and organizational visibility exposure, regardless of how sensitive the content being processed appears to the employee.

Does an AI acceptable use policy that doesn’t list prohibited tools mean all unlisted tools are permitted?

No. Policy silence is not authorization. Most enterprise AI policies are behind the technology they’re governing — they were written before the current tool generation existed. A policy that doesn’t address unapproved AI tools reflects a drafting gap, not a deliberate permission. The general principle that tools and systems require IT approval applies regardless of whether the AI policy specifically addresses every possible tool category.

What should an employee do when they find an AI tool that would genuinely improve their productivity?

Surface it to IT for assessment — documenting what the tool does, the intended use case, and why it’s valuable. IT can assess vendor risk, review the tool’s data processing terms, check for compliance with privacy regulations, and either approve the tool or identify an approved alternative that meets the same need. This process protects the employee and gives the organization the opportunity to formally adopt a tool that may benefit the entire team.

How to Use This Scenario in Training

Recommended for all employees — particularly in marketing, legal, HR, finance, and operations functions where productivity AI tools have the fastest adoption rates. Most effective when delivered before a Shadow AI audit or as part of an AI acceptable use policy refresh. Cross-reference with the existing Responsible AI scenario cluster for organizations running comprehensive AI compliance programs.

This scenario demonstrates the policy gap rationalization from the Decision Readiness Engine™ — “the policy doesn’t say I can’t” is the framing that allows Shadow AI to spread through organizations under the cover of productivity improvement. Decision-ready employees recognize that policy silence is not authorization and that surfacing the tool for assessment is both a compliant action and the most likely path to getting it officially approved.

Want Security Awareness Scenarios in Your Program?

Xcelus builds scenario-based security awareness training covering Shadow AI, unapproved tool adoption, and the policy-gap reasoning that creates invisible organizational risk.

© 2005–2026 Xcelus LLC. All rights reserved.