AI isn't coming, it's already here. And in most businesses, it's running well ahead of any kind of governance.
To get a clearer picture of what that means in practice (and what to actually do about it!) we sat down with three experts:
Laura Rosenberger, Operational AI Consultant
Adam Fowles, VP Operations
Nick Harkin, AI and Data Protection Advisor at Trust Keith
TL;DR
AI adoption is outpacing governance in most businesses. Employees are already using tools you haven't approved, building automations nobody's tracking, and sharing data you don't have visibility of. The fix isn't a 50-page policy nobody reads, it's lightweight, practical governance that makes it easy for people to do the right thing. Start with an AI audit, build a living inventory, get a policy in place, and distribute ownership across the business. The goal isn't to slow things down, it's to use AI properly.
The shift this year isn't subtle. Business leaders who were watching from the sidelines are now actively experimenting. Teams are building real things. And AI has stopped being a chat box — it can now access data, take actions, send emails, run automations, and operate in the background without anyone actively prompting it.
That's exciting. It's also where the risk starts.
"The ability for your AI to have hands and tools and to start taking action is really exciting from an operational perspective. Obviously, that's something that needs to be very carefully managed."
Laura Rosenberger, Operational AI Consultant
Shadow AI is one of the most significant (and most underestimated!) risks facing businesses right now. It's what happens when employees use AI tools without any oversight, approval, or governance. And in most businesses, it's already widespread.
Nobody's being malicious. Someone pastes client data into a free LLM to summarise a meeting. An engineer shares a chunk of proprietary code with an AI assistant to debug it. A team member uploads internal notes into a tool without thinking about where that data goes. These things are happening every day, in businesses of every size, and most leadership teams have no visibility of it whatsoever.
That's the problem. Not the use of AI, the lack of any structure around it.
"Your employees are using AI whether or not you endorse it, whether or not you want them to — even if they're just putting it into ChatGPT on their phone to get clarity for a meeting. Worst case scenario, they're putting sensitive data into a free LLM, and that data is being ingested and used for training. A lack of visibility and a lack of an approved solution just creates loads of shadow AI all over your business that you don't have any insight into."
Nick Harkin, AI and Data Protection Advisor at Trust Keith
Most people think AI risk means ChatGPT. The reality is broader, and some of the biggest risks are the ones nobody's paying attention to yet.
The good news is that most of these risks have the same solution at their core: a clear, practical AI policy that tells people what tools are approved, what data they can and can't share, and what to do when they're not sure. We'll cover what that looks like in detail further down, but it's worth keeping in mind as you read through these.
Standard LLMs respond to prompts. Agentic AI tools take actions. They access systems, make decisions, and can operate with minimal human involvement. The more autonomous the tool, the greater the exposure if it isn't properly governed. The foundations need to be solid before moving to the more powerful stuff.
Laura Rosenberger, Operational AI Consultant
Before adopting any agentic tool, run a quick risk assessment: what data will it have access to, what actions can it take (and can those be limited to the minimum it actually needs), who has oversight of it, and how do you switch it off or revoke its access if it misbehaves? If you don't have clear answers to those questions, it's not ready to deploy. For higher-risk AI deployments, an AI DPIA is worth running before you go live.
When someone builds an automation using a tool like n8n or Zapier, the knowledge of what it does and what data it touches usually lives entirely with that one person. They leave, or move teams, and the automation keeps running, quietly making decisions in the background that nobody's aware of.
Adam Fowles, VP Operations
This is exactly why an AI inventory matters. Any automation that touches personal data or business-critical processes should be logged: what it does, who owns it, what data it touches, which account or API credentials it runs under (a leaver's personal token keeps working until someone revokes it), and when it was last reviewed. If it's not in the inventory, it shouldn't be running.
For SaaS businesses especially, your code base is a core commercial asset. Sharing it (or chunks of it) with an AI tool, particularly a free one, creates IP exposure that isn't always obvious in the moment.
Adam Fowles, VP Operations
Your AI policy should explicitly cover what types of data and content can and can't be shared with AI tools, including code. Engineering teams in particular need clear guidance here. Enterprise-tier versions of tools like Claude or ChatGPT offer stronger data protection and, under their business terms, don't use your inputs for training, which makes a meaningful difference. Check the specific terms and data processing agreement for the tier you're actually on rather than assuming the consumer and business plans behave the same way.
This one catches businesses off guard more than almost anything else. Meeting transcripts, client notes, internal strategy documents — all of it gets uploaded into AI tools without much thought. One real-world example: a business's meeting transcripts, including a confidential conversation about company restructuring, ended up accessible to people who should never have seen them, simply because of how their AI tools had been set up.
Laura Rosenberger, Operational AI Consultant
Set clear rules about what kinds of documents can be uploaded to AI tools, and which tools are approved for sensitive content. Wherever possible, use enterprise-licensed tools with clear data processing agreements in place and make sure those agreements are reflected in your Record of Processing Activities (ROPA). Not sure where your biggest data protection risks sit right now? A data privacy risk assessment is a good place to start.
For a broader look at the data protection risks that come with scaling, this guide covers the ones most businesses overlook.
In most businesses, AI governance lands on whoever's prepared to pick it up. Usually that's the ops leader, on top of the hundred other things already on their plate. It's rarely a deliberate decision, it just defaults there.
The problem is that AI is being used across every function. Sales, product, finance, marketing — all using it differently, with different data, at different levels of risk. One person can't have real visibility of all of that. And more importantly: when something goes wrong, accountability can't sit with the AI, it always sits with the people and the business.
"Brakes on a car allow the car to go faster. Putting controls and guardrails in place is what allows you to use AI in a really powerful way. Without them, you end up limiting yourself because you can't do those things responsibly."
Nick Harkin, AI and Data Protection Advisor at Trust Keith
It's also worth noting that the DPO (whether in-house or outsourced) shouldn't be the accountable owner of AI governance. They're an independent adviser, not a decision-maker. That independence is exactly what makes them useful. If the same person is making decisions about how AI is used and also overseeing the risks, you've lost the check.
An AI policy is the foundation. But a 50-page document on a shared drive that no one reads isn't governance, it's box-ticking. The goal is something people will actually engage with: short, practical, and framed as an enabler rather than a restriction.
One thing worth considering: the word "policy" itself puts people off. Reframing it as "how we use AI at [Company]" or "our AI guidelines" can make a real difference to whether people actually read and follow it. The content is the same, the framing changes how it lands.
Pair any policy with the practical things that make it usable: a simple checklist, a lightweight approval process for new tools, and a short walkthrough of what to do and who to ask.
Laura's approach in practice: build short, action-oriented guidelines that live somewhere accessible — a Notion page, a shared folder, a brief Loom video walking people through what to do. Have a clear, simple approval process for new tools so teams aren't blocked, but there's still a record of what's been greenlit and why. Keep the framing positive. This isn't about stopping people from using AI, it's about making sure they're using it in a way that won't cause problems later.
Laura Rosenberger, Operational AI Consultant
Need a starting point? Trust Keith's Privacy Essentials Template Pack includes an AI policy template you can adapt for your business.
You can't govern what you can't see. A living AI inventory is a simple, maintained record of every AI tool, automation, and process running across the business — what it is, who built it, what data it touches, who depends on it, and when it was last reviewed.
It doesn't need to be complicated. A Google Sheet or a Notion page is a perfectly good starting point. What matters is that it exists and gets maintained, so the business always has a clear picture of what's running, rather than finding out the hard way...
Adam Fowles, VP Operations
One person owning AI governance across the whole business doesn't work. The better model is a data or AI champion in each team, someone who takes accountability for how AI is being used in their area and feeds into a cross-functional committee that meets regularly to share what they're seeing.
This is the same model Trust Keith uses for data protection ownership with its customers. It distributes responsibility in a way that reflects reality, and it means no single person becomes the bottleneck... or the bad guy.
This is the one that actually determines whether any of the above sticks. Governance that's friction-heavy gets ignored. Governance that's built into how people already work gets followed.
Start with education, not enforcement. When people understand why something matters (not just that they've been told to do it!) they actually follow through. And when senior leadership visibly use AI tools properly and talk about them openly, it signals to the rest of the business that this is how things are done.
"Start with education rather than enforcement. If people understand why they're being asked to do things in a certain way, they're much more likely to do it than if they're just told you must do this or you must not do that."
Nick Harkin, AI and Data Protection Advisor at Trust Keith
Walk around the business, literally or virtually. Ask team leads what AI tools they're using and what they've built. You'll probably be surprised. Use what you find to start your AI inventory.
Adam Fowles, VP Operations
It doesn't need to be perfect. Start with Trust Keith's AI policy template. Adapt it, keep it short, and pair it with a simple checklist. Something lightweight that actually gets used beats a comprehensive document that doesn't.
Nick Harkin, AI and Data Protection Advisor at Trust Keith
The end goal isn't a policy document, it's an environment where people feel confident using AI correctly. Make guidance accessible. Make it easy to ask questions. Let leadership set the tone.
Laura Rosenberger, Operational AI Consultant
If AI is moving faster than your privacy programme can keep up with, that's not unusual, but it is worth addressing before something goes wrong.
Trust Keith provides expert, dedicated data protection support for scaling businesses. Whether you need help getting an AI policy in place, understanding your obligations under UK GDPR, or building a governance framework that actually works in practice, we can help.
You might also find these useful:
Adam Fowles, VP Operations
Laura Rosenberger, Operational AI Consultant
Nick Harkin, AI and Data Protection Advisor at Trust Keith