Survey after survey through 2025 and into 2026 has shown the same thing: a substantial proportion of knowledge workers are pasting work content — including client data — into consumer AI tools that their employer has not approved. They aren't doing this because they're careless. They're doing it because it makes them better at their job.

The ban-it response is brittle. People will route around it. The licence-and-channel response is durable: provide a sanctioned AI tool (Microsoft 365 Copilot, ChatGPT Enterprise, Claude for Work) that is tenanted, so prompts and outputs stay inside an account your organisation controls; audited, so usage is logged and reviewable; and configured with sensible data-loss-prevention controls. Make it the obvious path. Make the unsanctioned path the inconvenient one.

This isn't an AI strategy. It's an information-security strategy that acknowledges AI exists. The cost of doing nothing is not zero: it's data leaking out of the tenant, one prompt at a time, into systems that no data processing agreement of yours has ever covered.

What it means for your business

If you haven't given staff a sanctioned AI tool, they're already using an unsanctioned one. Pick the channel and govern it. Don't hope the demand goes away.

Source & reference

Concentric AI, "2026 Microsoft Copilot Security Concerns Explained"