“Wait… Employees Are Using WHAT?” — The Next AI Insurance Problem

By: Jennifer Gilligan, IntegraMSP President

Why shadow AI may become the next major governance and underwriting challenge for businesses

A few years ago, cyber insurance applications became significantly more uncomfortable.

Businesses that once answered a few basic security questions suddenly found themselves documenting multifactor authentication, endpoint detection, backup testing, and incident response plans. Organizations that lacked those controls quickly discovered that insurers were no longer willing to absorb unlimited cyber risk.

Artificial intelligence appears to be moving in the same direction.

The challenge is that many businesses are already behind. Employees across nearly every industry are using AI tools daily, often without formal approval, governance, or oversight. AI-powered meeting summaries, browser extensions, writing assistants, publicly available large language models, and embedded AI features in productivity software have become commonplace in everyday workflows.

In many organizations, leadership still does not fully know:

  • Which AI tools employees are using
  • What company data is being entered into those systems
  • Whether AI-generated outputs are being reviewed
  • Which business processes now rely on AI assistance

That creates what many technology leaders are beginning to describe as “shadow AI,” a growing parallel to the shadow IT and unsanctioned cloud application problems businesses struggled with during earlier digital transformation cycles.

The difference is that AI introduces broader operational, legal, and compliance exposure.

Recent reporting from Axios found that many organizations remain unprepared for AI governance despite rapid adoption, with executives acknowledging concerns around oversight, accountability, and operational readiness. (axios.com) At the same time, insurance and risk analysts are increasingly warning that AI-related liability exposure is becoming difficult to model due to evolving regulations, data risks, and autonomous decision-making concerns. (wtwco.com)

This creates a familiar pattern. Cybersecurity became operationalized when insurers began requiring organizations to prove they had controls in place before issuing or renewing coverage. AI governance is likely heading toward a similar maturity curve. The next generation of underwriting and risk assessment questions will probably not focus on whether businesses use AI. That answer is already assumed.

Instead, insurers, regulators, and legal teams are more likely to ask:

  • Do employees have approved AI usage guidelines?
  • Can sensitive company or customer data be entered into public AI tools?
  • Is AI usage monitored or logged?
  • Are AI-generated recommendations reviewed by humans?
  • Who owns AI governance internally?
  • Are AI vendors evaluated for security and compliance risk?

For many organizations, those questions are difficult to answer today.

Part of the challenge is the speed at which AI capabilities are being integrated into existing software platforms. AI is no longer limited to standalone tools. It is now embedded into productivity suites, customer relationship management systems, security platforms, marketing software, and operational applications that employees already use daily. That creates both opportunity and risk.

For most businesses, the safest and most practical approach is likely not building custom AI systems or allowing unrestricted use of public tools. Instead, organizations should focus first on the AI already embedded within trusted enterprise platforms that provide stronger governance, logging, identity management, and compliance controls.

Enterprise vendors are investing heavily in:

  • Tenant-level protections
  • Administrative controls
  • Audit logging
  • Data governance
  • Security testing
  • Responsible AI frameworks

Those controls create a significantly more defensible position than unmanaged public AI usage.

However, technology alone does not solve the governance problem.

Organizations still need:

  • AI acceptable use policies
  • Clear ownership of AI governance
  • Employee training
  • Defined approval standards
  • Human oversight requirements
  • Visibility into how AI is being used internally

Without those controls, businesses may find themselves in a difficult position as AI-related underwriting standards evolve.

The concern is not hypothetical. AI-related legal disputes, privacy concerns, and operational risks are already beginning to emerge across industries. As insurers evaluate those exposures, organizations that cannot demonstrate reasonable governance and oversight may face higher premiums, exclusions, or additional scrutiny. The good news is that businesses do not need massive governance departments to begin addressing the issue.

In many cases, the first practical steps are relatively straightforward:

  • Identify which AI tools employees are using
  • Define approved platforms
  • Restrict sensitive data from unapproved AI systems
  • Establish human review requirements
  • Create an internal AI acceptable use policy
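As an added illustration of the first three steps above (inventory, approved platforms, and keeping sensitive data out of unapproved tools), not code from the original article: a short Python script that builds a shadow-AI inventory from web-proxy log lines and flags large uploads to unapproved AI endpoints. The log format, user names, domain lists and the upload-size threshold are all constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed placeholder domains: an approved enterprise-tenant AI endpoint
# versus public AI tools that are not covered by tenant-level controls.
APPROVED_AI = {"copilot.corp-tenant.example"}
PUBLIC_AI = {"chat.public-llm.example", "summarizer.example", "ai-writer.example"}

# Constructed proxy log format: timestamp user destination_host method path bytes_out
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<method>\S+) (?P<path>\S+) (?P<bytes>\d+)$"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2024-05-01T09:01:12Z alice chat.public-llm.example POST /api/chat 120000
2024-05-01T09:03:40Z bob copilot.corp-tenant.example POST /v1/complete 8000
2024-05-01T09:05:02Z alice summarizer.example POST /upload 2048
2024-05-01T09:07:55Z carol intranet.corp-tenant.example GET /home 512
2024-05-01T09:10:31Z bob chat.public-llm.example GET / 300
"""


def classify(host):
    """Map a destination host to approved / unapproved AI, or 'other' for non-AI traffic."""
    if host in APPROVED_AI:
        return "approved"
    if host in PUBLIC_AI:
        return "unapproved"
    return "other"


def inventory(log_text, upload_threshold=50_000):
    """Return (usage, alerts): usage is host -> user -> request count for AI
    destinations only; alerts lists POSTs to unapproved tools whose outbound
    size exceeds the threshold, a coarse heuristic for bulk data being pasted
    or uploaded into a public AI system."""
    usage = defaultdict(lambda: defaultdict(int))
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        category = classify(m["host"])
        if category == "other":
            continue
        usage[m["host"]][m["user"]] += 1
        if category == "unapproved" and m["method"] == "POST" and int(m["bytes"]) >= upload_threshold:
            alerts.append((m["ts"], m["user"], m["host"], int(m["bytes"])))
    return {h: dict(u) for h, u in usage.items()}, alerts
```

The usage map answers "which AI tools are employees using", while the alert list gives a starting point for the sensitive-data conversation; both depend on proxy or DNS logging already being in place.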

Those are the same types of foundational controls businesses once implemented for cybersecurity maturity. AI governance is now following a similar path. The organizations that address it early are likely to be in a much stronger position than the companies waiting for insurance renewals, compliance issues, or legal exposure to force the conversation.

Free Download: Basic AI Acceptable Use Policy

To help organizations begin formalizing AI governance, we created a free downloadable AI Acceptable Use Policy template that businesses can use as a starting point for internal policy development.

The sample policy includes:

  • Approved AI usage guidance
  • Data protection considerations
  • Human oversight expectations
  • Governance recommendations
  • Employee responsibilities

Download the free template here:
AI Acceptable Use Policy Sample