Shadow AI Is Already in Your Business. Here's How to Handle It.
A bakery owner in Ghent recently told us about a moment that made her pause. Her part-time assistant had drafted a beautiful apology email to a customer whose birthday cake had arrived late. The email was so good — too good, actually. She asked how she'd written it. "Oh, I used ChatGPT. I always do."
That assistant had pasted the customer's name, address, allergy notes, and order history into a personal ChatGPT account to get the tone right. No one had told her not to. No one had told her she could. She was just trying to do a good job.
This is shadow AI, and if you run a small business in Europe, it's almost certainly already happening under your roof.
The 45% number you should know
A recent Gusto survey found that 45% of workers have used AI tools at work without telling their employer. Roughly a third have pasted company data into public AI models. About one in four have shared financial or sales information. Harvard Business Review's April 14 piece called it "the hidden demand for AI inside your company" — a quiet wave of employees using Claude, ChatGPT, Gemini, and a dozen other tools to move faster, usually without anyone in management noticing.
For small businesses, the stakes are specific and personal. You don't have a 50-person IT team. You probably don't have anyone whose job title includes the word "compliance." And yet the risks land on your desk.
Four risks that look small until they aren't
GDPR exposure. When your bookkeeper drops a client invoice into a free AI tool to "summarize the line items," that invoice is personal data under GDPR. Some free tools train their models on what you submit. Others store prompts indefinitely. A data protection authority won't accept "I didn't realize" as a defense, and fines are calculated as a percentage of company-wide turnover.
EU AI Act obligations. As of August 2, 2026, deployer obligations under the AI Act take full effect. If your staff uses an AI system to screen job applicants, score customer creditworthiness, or make other decisions that affect people, you have legal duties, regardless of whether you built the tool. Many SMB owners still think the Act only applies to companies that build AI. It applies to anyone who uses it in certain ways.
Inconsistent quality. When five employees use five different AI tools with five different prompting styles, your customer emails stop sounding like your brand. Your proposals vary wildly. Your support replies feel like they came from different companies. You lose the one thing a small business has over a big one: a distinct, coherent voice.
Missed learning. Here's the quietest risk. When employees hide their AI use, you never learn which tasks AI does well for your specific business. The patterns that could save you ten hours a week stay invisible. BBVA, one of Europe's largest banks, figured this out and stopped pretending shadow AI wasn't happening. They turned it into a structured rollout and now track 4,800 internal AI tools their own employees built. Time saved: two to five hours per employee, per week.
Your bakery is not BBVA. But the principle holds: unseen AI use is wasted signal.
The one-page policy that actually works
Forget the 40-page corporate policy template. Here's what a small business policy needs to cover, and it fits on one side of A4.
Green list. Name the tools you've approved. For most SMBs, this is a short list: one general-purpose AI (ChatGPT Team, Claude Pro, or a European option like Mistral Le Chat Pro), one meeting notetaker, and any AI features built into tools you already pay for (Microsoft 365 Copilot, Google Workspace Gemini, your CRM's AI add-on).
Red list. Name what's not allowed. Clearly. The simplest rule: do not paste customer data, supplier contracts, financial figures, or employee information into any AI tool that isn't on the green list. No exceptions for "just this once."
The paste test. Before employees paste anything into an AI tool, they ask one question: "Would I be comfortable if this text showed up in a competitor's AI-generated reply next week?" If no, don't paste it. If maybe, rewrite it to remove specifics.
Who to ask. A single name and email. If an employee wants to try a new tool, they send one message. You respond within a day. No forms, no committees.
The log. A shared document — a Google Sheet is fine — where employees add the AI tools they use and what tasks they use them for. Update monthly. This becomes your real AI map.
That's it. Five sections. One page. Signed by every employee.
How to replace shadow AI with sanctioned AI
Banning tools doesn't work. If your staff can get better email drafts with ChatGPT, they will use ChatGPT — policy or not. The fix is to give them something equal or better that you actually control.
Start with a paid team account. ChatGPT Team is €25 per user per month. Claude Team is similar. Both come with data protection promises: your prompts aren't used for training, conversations are encrypted, and you get an admin console. This single step solves the paste problem for roughly 80% of shadow AI cases.
Sanction one notetaker. Meetings are the second-biggest shadow AI zone. Pick one — Fireflies, tl;dv, Otter, or your video platform's built-in option — and make it the default. Configure it to delete transcripts after 90 days unless an explicit retention tag is added.
Use the AI features you're already paying for. Most SMBs discover they already own half the AI capability they need. Microsoft 365 Copilot, Google Gemini in Workspace, HubSpot's AI assistant, Pipedrive AI — all of these run on contracts you've already signed, with data handling terms you've already agreed to. Turn them on. Train your team. Half the shadow AI problem disappears the day you realize employees were paying personally for what the company already owned.
Create two or three shared prompts. A good "write a customer reply" prompt for your business, saved in a shared doc, solves more consistency problems than a style guide. Have your team tweak it together over a coffee meeting. They'll use it because they built it.
The European context: why this matters more here
Small businesses in Europe are in an unusual position. You operate under the strictest data protection regime in the world (GDPR), you're about to operate under the strictest AI regime in the world (EU AI Act), and most of the AI tools you use are built by American companies whose default settings aren't always designed with either framework in mind.
The good news: Europe is not trying to crush small businesses with this. The AI Act has explicit provisions for SMEs — priority access to regulatory sandboxes, free compliance training, proportional fees, and automatic 75% fine reductions for micro-enterprises. The EU AI Act Service Desk is free and can save you the €25,000-50,000 in legal fees you'd otherwise spend figuring out whether your use case is high-risk.
The bad news: none of this helps you if you don't know what AI your employees are already using.
What to do this week
If you've read this far and you're thinking, "right, I should probably do something" — here's a 60-minute version.
Tomorrow morning, send one message to your team: "I'd like to know what AI tools everyone is using for work. No judgment, just curious. Reply with a list — personal or work accounts, anything. I'll use it to figure out what we should standardize."
That single email does three things. It surfaces the real AI map of your business. It signals that AI use is welcome, not hidden. And it gives you the list you need to write a one-page policy that actually matches what's happening in your company.
Then, next week, pick one paid team account (ChatGPT, Claude, or a European option) and turn it on for everyone who was already paying personally. You'll get goodwill, better data handling, and probably a smaller total bill.
At Cresly, we help European small businesses get AI-ready without the compliance headache. Our AI Readiness Scan starts with a free review of your website and shows how AI-compatible your business already is. If you'd like a second set of eyes on your AI policy or your current tool stack, that's a conversation we're happy to have. The shadow doesn't have to stay shadow.