Shadow AI is not a tooling problem. It's a permission problem.
Half the team uses ChatGPT in places nobody approved. The other half won't touch it. Both are symptoms of the same gap — and it's not a technical one.
Half your team is using ChatGPT in places you'd never have approved if you knew. The other half won't touch it because they're afraid of breaking something. You've heard "AI policy" thrown around in board meetings, but nobody has one written down.
That's shadow AI. And every regulated org we walk into has it.
The instinct: block everything
The instinct is to lock it down. Block ChatGPT at the DNS layer. Send out a stern email. Wait for the audit.
This doesn't work. It pushes the work into personal phones, personal accounts, personal browsers. Now the data is leaving your perimeter in ways you can't even see.
The actual problem
Shadow AI is not a tooling problem. It's a permission problem.
People are using AI because the work demands it. Marketing has a deadline. Sales has a call to close. Ops needs a report by Monday. AI saves them six hours — so they use it.
If you don't give them an approved way to do that, they find an unapproved way.
What works
A written AI policy that says yes to specific things. Approved tools. Approved use cases. A clear path for "what if I want to use AI for X" that doesn't require a board meeting.
The Adoption Workshop runs from half a day to multiple days, depending on team size and regulatory scope. The output isn't a slide deck. It's a written policy, drafted with your team in the room, that an auditor would recognize.
Shadow AI doesn't go away because you blocked the URL. It goes away when your team has a faster, safer, approved way to do the same thing.
The teams we've helped don't stop using AI after the workshop. They start using it where it was always allowed — and stop using it where it wasn't.