Consulting Firms Adopt Policies to Combat Shadow AI Data Leaks

Serge Bulaev

Serge Bulaev

Consulting firms are making it a top priority to require approvals for using AI tools because shadow AI may be spreading faster than rules can keep up. Reports suggest that many workers, especially in professional services, might be sharing sensitive data with unsanctioned AI platforms, raising the risk of leaks and breaking confidentiality agreements. Short policies that list approved tools, require human checks, and set clear data rules may help prevent these problems and meet new regulations. Experts say technical controls and regular training could be necessary, since many AI tools operate without managers knowing. Audits, logging, and fast reporting of any issues appear to be important for keeping data safe.

Consulting Firms Adopt Policies to Combat Shadow AI Data Leaks

Combating data leaks from shadow AI is now a board-level priority for top consulting firms, as internal governance struggles to keep pace with the rapid, unsanctioned adoption of generative AI. With many employees using unapproved platforms for sensitive work, firms are rushing to implement clear policies to prevent confidentiality breaches, protect client data, and ensure regulatory compliance.

The Scale and Risks of Shadow AI

The threat of unmanaged AI is significant, with 70% of companies seeing AI as the biggest data risk according to Thales 2026, while IBM reports 74% of organizations have limited or moderate AI governance coverage. According to industry reports, a significant portion of workers paste sensitive data into unsanctioned AI platforms, a trend most prevalent in professional services (CybersecurityDive). Each AI-related breach can cost organizations substantial amounts. This informal tool adoption exposes trade secrets and client data, as information entered into public models can be used for future training, potentially violating NDAs and incurring severe penalties. According to Reco's 2025 State of Shadow AI Report, 91% of AI tools in enterprise environments operate outside IT control, making manual monitoring no longer a viable strategy.

Consulting firms are issuing new AI rules because the widespread, unapproved use of public AI models creates major financial and legal risks. Each instance of an employee pasting sensitive client information into an unsanctioned tool can violate confidentiality agreements, expose trade secrets, and incur substantial breach-related costs.

Core Components of an Effective AI Use Policy

A review of leading templates, including the Enterprise AI Acceptable Use Policy from Worqlo (worqlo), reveals eight essential components for a robust and compliant policy. A practical framework should clearly define:

  • Scope: Specify which employees, contractors, and AI systems (including agentic and shadow AI) the policy covers.
  • Approved Tools: Maintain a register of sanctioned AI services. Any tool not on the list is implicitly forbidden.
  • Data Classification: Map data sensitivity tiers (e.g., Public, Restricted, Confidential) to specific, approved AI tools.
  • Human Oversight: Mandate human review for all client-facing outputs and document bias audit requirements.
  • Client Disclosure: Provide clear language for informing clients when AI is used to shape deliverables or advice.
  • Intellectual Property: Explicitly block the use of client data for training AI models.
  • Incident Reporting: Establish a direct and rapid reporting path to the CISO or an AI Governance Board.
  • Training and Sanctions: Require mandatory training modules and outline graduated penalties for policy violations.

A simple table that links data tiers to permitted tools can significantly reduce ambiguity and speed up project-level reviews.

Implementation Tips and Technical Controls

Before finalizing a policy, firms should conduct a shadow AI audit using surveys and technical logs to establish a usage baseline. This data informs the creation of the approved tools register. For enforcement, technical controls are essential. These include real-time data loss prevention (DLP) on chatbot prompts, cross-platform redaction for email and Slack, and automatic logging to a SIEM for auditing purposes. Assigning a clear owner (like a CISO or Chief Data Officer) and establishing an AI Governance Board to review usage metrics ensures the policy remains a living document, enforced by technology rather than paperwork.


Why are consulting firms issuing new AI rules now?

A significant number of employees across industries already use unapproved AI tools, and professional-services teams show the highest shadow-AI rates because strict procurement pushes staff to free, public models. Each unvetted upload can expose client data and costs firms substantial amounts per incident, so updated policies are being released to close this gap before reputational damage occurs.

How can firms discover shadow AI before writing the policy?

Run a short, anonymous survey asking staff which tools they paste work data into, then cross-check firewall and SaaS-usage logs. 91% of AI apps are invisible to IT, so combine employee answers with technical telemetry to build a baseline list and decide which tools deserve enterprise licences or explicit blocks.

Who should own and enforce the policy?

Assign a named policy owner (Chief Data Officer, CISO or DPO) and an AI Governance Board that meets monthly. Link technical controls - such as real-time DLP on prompts and cross-SaaS redaction - to the same board so policy reviews are driven by live metrics rather than annual paperwork.