Method: WorkLex AI · Shadow AI Risk Assessment

When everyday AI use moves faster than your controls.

Staff are already drafting emails, summarising contracts, and analysing financial data in tools you don't see. RSVR helps you find that exposure, set practical controls, and build the safer workflow.

  • Free 30-minute Snapshot
  • No documents needed upfront
  • UK, US, ANZ, Singapore
  • Senior-led

71%: staff use unapproved AI (Salesforce / Awareways 2025)
$670K: avg. added cost per shadow AI breach (IBM Security 2025)

Most commonly exposed data categories
  • Customer emails with account details
  • Contracts, MSAs, and SOWs
  • Pricing, margin, and financial data
  • HR letters and grievance notes
  • Board reports and strategy roadmaps
  • Source code and credentials
  • 55%+: employees using unapproved AI tools (Salesforce / Awareways 2025)
  • $670K: avg. added cost per shadow AI breach (IBM Cost of a Data Breach 2025)
  • 63%: businesses with zero shadow AI visibility (PagerDuty 2026 Shadow AI Survey)
  • 37%: organisations with any AI policy at all (IBM 2025)

What is shadow AI?

The AI you didn't approve, used on data you can't see.

Shadow AI is the everyday use of free, consumer or personal AI tools for work — outside your approved systems, outside your data rules, and outside your visibility. It is already happening in your business.

Unlike traditional shadow IT, shadow AI involves active data transfer — staff are not just using an unapproved tool, they are feeding your most sensitive business information directly into systems you do not control, on terms set by providers you may never have reviewed.

"The question is not whether your staff are using AI. 55–71% already are. The question is whether you know what they are putting into it."

RSVR Tech · WorkLex AI Diagnostic · 2026

Shadow AI vs Shadow IT — why AI is different

Shadow IT (traditional)
  • Unapproved software on device: data may not leave your environment
  • Usually manageable via MDM: device management can block tool use

Shadow AI (new risk)
  • Unapproved AI with active data input: sensitive data actively leaves your environment
  • Very hard to block via MDM: web-based, used on personal devices, no device-level visibility

What is entering AI tools in your business right now

  • Customer communications (high frequency): complaint threads, account details, pricing proposals, onboarding history
  • Contracts & legal (high sensitivity): MSAs, SOWs, NDAs, DPAs, negotiation positions, clause libraries
  • Financial & pricing (high sensitivity): margin data, customer revenue, cost structures, forecasts, board packs
  • HR & people (regulated under GDPR): performance letters, disciplinary records, grievance material, salary data
  • Board & strategy (highly confidential): management reports, M&A material, confidential roadmaps, board minutes
  • Supplier & commercial (commercially sensitive): supplier terms, preferred pricing, rebate structures, partner agreements
  • Source code & IP (IP risk): proprietary code, API keys, system credentials, architecture documents
  • Patient & client records (regulated under GDPR / DPA 2018): for healthcare, legal and professional services firms
  • Security & compliance (restricted access): risk registers, audit reports, vulnerability notes, penetration test findings

Convenience, not malice — but the data still leaves

Six reasons consumer AI use creates risk even when staff are careful.

Your staff are not being reckless. They are trying to do their jobs faster. The risk is structural, not behavioural.

01 · Consumer terms of service
Free tools may use prompts for product improvement unless explicitly opted out. Most employees never read the terms.

02 · Personal accounts, invisible to you
Work content in personal AI accounts lives in chat histories no manager can review, audit, or delete — including after the employee leaves.

03 · No audit trail
There is no record of what was entered, generated, sent or kept. You cannot investigate after an incident if you have no logs.

04 · No data classification
Confidential, regulated and customer data is not labelled when it enters an AI prompt. A board strategy document is treated the same as a marketing email draft.

05 · AI output reaches customers without review
AI-drafted replies, proposals or documents go out without a factual check or human checkpoint — at scale, across every function.

06 · No approved alternative
Without a clear approved route, even careful staff fall back on whatever is available. The absence of an approved tool is not a deterrent — it is the problem.

Why blanket AI bans make things worse

A ban removes visibility. It does not remove use.

A blanket ban pushes usage onto personal devices and personal accounts. Leadership loses the one thing it needs most: a clear view of where AI is actually being used and on what data.

✕ The ban approach
  • Staff continue using AI on personal devices — invisible to leadership
  • Usage moves to personal accounts — no audit trail, no compliance
  • Leadership loses visibility entirely
  • Valuable AI productivity gains are lost
  • Enforcement overhead with no measurable risk reduction

✓ The RSVR approved route
  • Approved-tool list with clear data rules — staff use the safe path
  • Manager routine takes four minutes per week — visible, not punitive
  • Leadership sees which tools are in use and on what data
  • AI productivity retained with risk controlled
  • Works alongside Microsoft Copilot and Google Gemini

The five governance gaps RSVR addresses

01 · No visibility
Leadership cannot see which tools are in use, by whom, or on what data type.
Fix: AI use mapping by team and data type

02 · No approved list
Staff default to whichever consumer tool is fastest, not what is safe.
Fix: Approved-tool register with clear data rules

03 · No plain-language rules
Employees guess where the boundary is between safe and unsafe data entry.
Fix: Two-line data rule every employee can recite

04 · No output review
AI-generated content reaches customers, boards and regulators without a human checkpoint.
Fix: Manager routine — 4 minutes per week

05 · No safe alternative
Without an approved route, even careful staff use what is available and convenient.
Fix: Approved workflow that is easier than the workaround

WorkLex AI · The four-step method

Discover → Control → Adopt → Build.

Practical, senior-led shadow AI control for SME teams. Evidence-first at every step, implementable at SME speed and budget.

1 · Discover
Map where AI is in use — by team, workflow, data type. Without surveillance. Without guesswork.
  • AI use inventory by department
  • Data categories currently exposed
  • Shadow AI risk register
  • Board-readable exposure summary

2 · Control
Set practical controls that reduce exposure without killing productivity. Sized to your team — not enterprise-grade overhead.
  • Approved-tool list with rationale
  • Two-line data rule (recitable by every employee)
  • Manager output review routine
  • Escalation path for edge cases

3 · Adopt
Make the safe route the easy route. Use cases, training and guidance so staff know what to do — not just what's banned.
  • Department-specific AI use cases
  • Role-based employee guidance
  • Manager enablement materials
  • Onboarding integration for new joiners

4 · Build
Where the fix needs real engineering — dashboards, automations and AI-assisted workflows that make safe use operationally embedded.
  • AI usage dashboard for leadership
  • Approved workflow automations
  • Integration with Copilot / Gemini
  • Ongoing monitoring and review cadence

WorkLex AI · Four practical components

Safe, practical AI adoption your team will actually use.

WorkLex AI is RSVR's method for making workplace AI governance practical, embedded and self-sustaining at SME scale.

Component 01

AI Use Cases by Department

Department-specific, low-risk AI uses with clear value propositions and clear data boundaries.

  • Finance: automate report narrative, not the data itself
  • Legal: summarise public documents, not confidential ones
  • Sales: draft follow-up templates, not client-specific proposals
  • HR: use AI for job description drafts, not performance notes
Component 02

Manager Routines

Short, repeatable weekly routines that make AI supervision practical at the line-manager level. Built to take four minutes, not four hours.

  • Weekly prompt review — spot-check two outputs per team member
  • Monthly tool audit — confirm approved tools still in use
  • Escalation path for novel or ambiguous use cases
  • Quarterly update cycle as AI tools change
Component 03

Employee Guidance

Plain-English rules on what may and may not be entered into AI, with specific examples from your business context.

  • The two-line data rule — concise enough to recite
  • Green / amber / red data classification — one page
  • What to do if you're unsure — a named escalation point
  • The approved tools list with login instructions
Component 04

Training & Enablement

Role-specific training that focuses on judgement and practical skill — not just clicking through a compliance module.

  • 30-minute role-specific session per team
  • Live examples from your business context
  • Manager-led reinforcement guide
  • New joiner integration built into onboarding from day one

Investment

Scoped to your team. No surprises.

RSVR does not publish a fixed price list because every engagement is sized to your actual team, regulatory context, and delivery timeline — not a generic package. What we can tell you upfront:

  • The Snapshot is free. 30 minutes with Rajnish directly — no junior handoff.
  • The diagnostic is time-boxed and fixed-fee. Typically 2–4 weeks. Board-readable output. No open-ended retainer.
  • Build work is scoped before any commitment. You approve scope, timeline, and cost before we begin.
  • Structured for SME budgets. Not enterprise pricing. Senior-led delivery without the large-firm overhead.

Typical engagement path: Snapshot (free · 30 minutes) → Diagnostic (fixed fee · 2–4 weeks) → Build (scoped & approved before start)

Free · 30 minutes · No documents needed

Start with an AI Data Safety Snapshot.

A focused executive conversation to identify whether your workplace AI exposure justifies a deeper diagnostic. You leave with a practical recommendation — not a sales pitch. If the answer is "not yet", we will say so.

No documents needed · No confidential data before we speak · No vendor pitch


You leave knowing where exposure sits · whether a diagnostic is justified · what the right next step is

Built for SME leaders

Different roles. Same risk surface.

CEO / MD

Protect customer trust, commercial secrets and reputation while enabling AI productivity across the team.

COO

Bring visibility and consistency to how staff use AI across daily workflows — with practical controls, not bans.

General Counsel

Secure contract data, client matter information and HR material from entering unmanaged AI tools.

CFO / Finance Director

Prevent pricing, margin, forecast and customer revenue data from entering AI tools with no audit trail.

Regulatory context — not a compliance promise

Frameworks increasingly expect you to know how AI is being used.

RSVR helps you build the operational practice. Certification and formal compliance sign-off remain with your specialist advisers.

United Kingdom · UK ICO Guidance

Expects controllers to understand where AI is processing personal data and to have appropriate data handling rules in place.

European Union · EU AI Act

Requires transparency, human oversight and risk management for AI systems — including those used by employees in daily operations.

Australia · Australia's OAIC

Privacy Act obligations cover AI use of personal information — including information entered into consumer AI tools by employees.

NIST AI RMF

Organisations should map AI use, identify risks, and establish governance practices — a natural fit for RSVR's Discover → Control methodology.

Note: RSVR is not a law firm and does not provide legal or regulatory advice. We help you build the operational discipline that frameworks increasingly expect. Legal and regulatory sign-off remains with your specialist advisers.

FAQ

Questions leaders ask before booking.

Shadow AI is the everyday use of free, consumer or personal AI tools for work — outside your approved systems, outside your data rules, and outside your visibility. It is not a niche risk. It is already happening in your business. 55–71% of employees use unapproved AI tools (Salesforce / Awareways 2025), and most leaders have no visibility into which tools or which data.

Usually no — and banning often makes things worse. Bans push AI use onto personal devices and personal accounts, removing the visibility leadership needs most. Staff continue using AI, but now invisibly. The safer answer is an approved-tool list, clear data rules, and a manager routine staff can actually follow. That is what RSVR builds.

RSVR's WorkLex AI method is specifically designed for SMEs without dedicated IT or compliance teams. The four steps — Discover, Control, Adopt, Build — are sequenced and sized for teams that need practical action, not enterprise-grade programmes. The core controls (approved-tool list, two-line data rule, four-minute manager routine) can be operating within six weeks of a Snapshot.

No. RSVR maps AI use at the workflow and system level — not at the individual keystroke or message level. The goal is leadership visibility and an approved route, not employee surveillance. The manager routine we recommend takes four minutes per week and focuses on output review, not monitoring individual activity.

Yes. RSVR helps make Copilot or Gemini the approved route — with the data rules, manager routines and employee guidance that make them genuinely safe for your team. The WorkLex AI method is not tied to any specific tool; it builds the governance layer that makes approved AI tools sustainable.

The Snapshot is 30 minutes — free, no documents needed upfront. The Shadow AI Control Diagnostic is typically 2–4 weeks, producing a board-readable exposure view and a 30/60/90-day action plan. Build work is scoped to your team and roadmap before any commitment is made.

No. RSVR is not a cybersecurity firm and does not provide cyber certification. We help leaders identify where AI is being used on sensitive data, create practical controls, and implement safer workflows.

No. RSVR is not a law firm. We help you build the operational discipline that frameworks like the UK ICO guidance, EU AI Act and NIST AI RMF increasingly expect — but certification and formal compliance sign-off remain with your specialist advisers.

From AI Data Safety to the full picture

Where AI Data Safety connects.

If the Snapshot identifies contract exposure · Contract Operations
Contractrix AI: safer, faster contract intake, triage, routing, approvals and commercial visibility for contract-heavy SME teams.

After the Snapshot · Shadow AI Control Diagnostic
A time-boxed 2–4 week diagnostic giving leadership a board-readable view of AI exposure, control gaps and a 30/60/90-day action plan.

After the Diagnostic · WorkLex AI Build
Dashboards, workflow automations and AI-assisted tools that make safer AI use operationally embedded — not just a policy document nobody reads.

Find where AI is already inside your business.

Book a free 30-minute Snapshot. You leave with a practical next-step recommendation — not a sales pitch. If no action is needed yet, we will tell you.
