josecustom.ai josecustom.ai Book
AI Strategy

Employees Using ChatGPT at Work: What Managers Need to Know

Your employees are already using ChatGPT at work. 78% of them without approval. Here is what the risks are, why banning it fails, and the 3-step response that actually works.

Jose Lugo · · 11 min read

Your employees are using ChatGPT. Right now. Whether you approved it or not.

This is not speculation. WalkMe and IDC found that 78% of employees use AI tools their employer never sanctioned. And 77% of those employees share sensitive work data when they do (eSecurity Planet, 2025). That means in a company of 20 people, roughly 12 are using ChatGPT or similar tools with company data, and you probably have no idea what they are putting in.

If you manage people, this is your problem to solve. Not IT’s. Not legal’s. Yours. Because the employees using AI report to you, and the data they are exposing belongs to your clients.

I have spent 12 years in U.S. Army intelligence where unauthorized data handling had real consequences. As a CISSP-certified security engineer, I now help businesses get AI adoption under control. Here is what you need to know.

They are already using it

The first thing to accept is that the horse has left the barn. ChatGPT launched in November 2022. Your employees found it within weeks. By now, they have integrated it into their workflows in ways you cannot see.

What they are doing with it:

  • Drafting emails and client communications
  • Summarizing meeting notes and documents
  • Generating reports and presentations
  • Researching topics for client work
  • Writing code or formulas
  • Analyzing data and creating summaries
  • Translating documents
  • Brainstorming and problem-solving

Most of this is productive. That is the uncomfortable part. Your employees are not wasting time on ChatGPT. They are getting real work done faster. The problem is not the productivity gain. The problem is what they are feeding into the tool to get it.

The real risks

Client data exposure

When an employee pastes a client contract into ChatGPT to summarize it, that contract text goes to OpenAI’s servers. Depending on the account tier and settings, it may be stored, reviewed by OpenAI staff, or used to train future models. Your client did not consent to that. Your NDA probably prohibits it. Your compliance framework definitely does.

A financial advisor who types “Summarize Mrs. Johnson’s portfolio performance for Q1” into ChatGPT just sent a client’s name and financial context to a third-party server. A lawyer who uploads a deposition for analysis just moved privileged communications outside the attorney-client relationship. A healthcare office manager who asks ChatGPT to draft a patient reminder just shared PHI with a non-BAA-covered entity.

None of these employees think they are doing anything wrong. They are trying to be efficient. But the data exposure is real.

Fabricated output

ChatGPT makes things up. Confidently. In well-formatted prose that looks authoritative.

The most famous example: in Mata v. Avianca (2023), a New York attorney used ChatGPT to research case law for a federal court brief. ChatGPT generated citations to cases that did not exist. The lawyer submitted them to the court without checking. The judge discovered the fabrication, sanctioned the lawyer, and the case became a national warning about trusting AI output.

This does not only happen with legal citations. AI tools fabricate statistics, attribute quotes to the wrong people, invent product features, and generate financial figures that look plausible but are wrong. Any client-facing output that includes unchecked AI content is a liability.

Compliance violations

If your business operates under HIPAA, FINRA, SEC, CCPA, or industry-specific privacy regulations, employees using free-tier ChatGPT with regulated data are creating compliance violations every time they press Enter.

HIPAA requires a Business Associate Agreement with any service that processes protected health information. Free ChatGPT does not offer a BAA. FINRA requires that client communications be archived. ChatGPT conversations are not in your archive. CCPA gives consumers the right to know where their data goes. “We do not know because our employees used a free AI tool” is not an acceptable answer.

The penalties are not theoretical. HIPAA violations can reach $50,000 per incident. FINRA fines regularly exceed $100,000 for recordkeeping failures. And the reputational damage of disclosing a client data incident to affected parties can cost more than the fines.

Inconsistent quality

When everyone on your team uses a different AI tool with different capabilities and no shared standards, output quality becomes unpredictable. One employee’s AI-assisted proposal might be excellent. Another’s might contain errors that damage your credibility.

The problem compounds across departments. Your sales team might be using one AI tool to draft proposals. Your operations manager might be using another to write procedures. Your bookkeeper might use a third for client communications. Each tool has different strengths, different failure modes, and different data handling. Nobody is checking whether the outputs are consistent in tone, accuracy, or professionalism. And when a client notices that the proposal they received reads nothing like the follow-up email, your brand takes the hit.

Shadow AI cost sprawl

There is also a cost problem nobody tracks. When employees sign up for AI tools individually, you end up with overlapping subscriptions across the company. Marketing pays for a writing assistant at $20/month. Sales pays for a different one at $30/month. Three people in accounting share a premium ChatGPT login. None of these costs show up in your AI budget because you do not have an AI budget. They show up as miscellaneous software expenses scattered across department credit cards.

Add it up across a 20-person company and you might be spending $500 to $1,000 per month on fragmented AI subscriptions that do not integrate with each other, do not meet compliance requirements, and do not give you any visibility into usage.

The wrong response: ban it

Your instinct might be to ban ChatGPT outright. Samsung did it after engineers leaked proprietary code. Apple and Amazon followed with their own bans.

The bans did not work.

Employees access ChatGPT from personal phones. They use it on home networks during remote work. They switch to competing AI tools that are not on the blocked list. Within weeks, the same behavior continues through channels that are even harder to monitor.

Banning AI in 2026 is like banning Google in 2006. The productivity difference is too large for employees to voluntarily give up. When you tell a marketing coordinator they cannot use the tool that cuts their brief writing time from 2 hours to 20 minutes, they are going to find a way around the ban. The only difference is that now they are also hiding their usage from you.

A ban also sends the wrong message. It tells your team that you would rather they be slower than adapt. The best employees, the ones most comfortable with technology and most interested in efficiency, are the most likely to resist. You do not want your top performers working around your policies.

The right response: 3 steps

Step 1: Audit current usage

Before you write any rules, find out what is actually happening. You cannot build a policy on assumptions.

Run an anonymous employee survey asking:

  • Which AI tools do you currently use for work?
  • What tasks do you use them for?
  • What types of data do you typically enter?
  • What would make an approved AI tool useful to you?

The anonymous part is non-negotiable. If employees fear punishment, they will lie, and your policy will be based on fiction.

Supplement the survey with technical checks: review network logs for connections to AI service domains, audit browser extensions on company devices, and check OAuth logs for AI service sign-ups. Our shadow AI audit guide walks through the full process.

The survey results will probably surprise you. In most audits I have run, the business owner expected 2 or 3 employees to be using AI. The actual number was closer to 80% of the team. The types of data being entered were also more sensitive than expected. Managers assume employees use AI for quick Google-type questions. The reality is that employees are summarizing client documents, drafting client communications, and processing data that belongs to someone else.

Step 2: Deploy an approved alternative

This is the step most managers skip, and it is the reason most AI policies fail.

If your policy says “do not use ChatGPT with client data” but you do not give employees a tool they CAN use, the policy is dead on arrival. Under deadline pressure, they will default to whatever works. That is ChatGPT.

An approved AI alternative running in a secure environment gives your team:

  • The same AI capability they want
  • Data that stays in your controlled environment
  • Audit logging so you know what is being processed
  • Role-based access controls
  • Compliance coverage (BAA for HIPAA, DPA for CCPA)
  • Integration with your actual business systems and documents

When the approved tool is connected to your CRM, your documents, and your workflows, it is actually more useful than ChatGPT for work tasks. Employees switch because the sanctioned option is better, not because you forced them.

Microsoft research shows that organizations deploying approved AI alternatives see unauthorized usage drop by 60-70%.

Step 3: Implement policy and train

Once employees have an approved tool and know what the rules are, compliance becomes natural instead of adversarial.

Write a short, clear AI acceptable use policy. One page. Two at most. Cover: which tools are approved, what data can go in, what requires human review, and how to report a mistake.

Then train. Thirty minutes. Cover why the policy exists (data protection, not surveillance), how to use the approved tools, and what to do when they are not sure. Record the session for new hires.

Review quarterly. AI tools change fast. Your policy needs to keep up.

What to do Monday morning

If you read this on a Sunday night and want to start fixing it tomorrow, here is your priority order:

  1. Ask your team (informally or via anonymous survey) what AI tools they use for work. Just find out.
  2. Review whether any regulated data (client PII, health records, financial data, privileged communications) is going into unapproved tools.
  3. If it is, that is your urgent problem. Address it this week.
  4. Start evaluating approved AI options. ChatGPT Enterprise ($60/user/month) for basic needs. A private Azure OpenAI deployment ($5K-$15K setup, $1,500/month managed) for businesses handling sensitive data.
  5. Write the policy. Use our free template as a starting point.

This is not a six-month strategic initiative. It is a two-week project that protects your business from a risk that already exists.

Frequently asked questions

Should I let my employees use ChatGPT at work?

Not the free version with company or client data. The free tier has no business data protection, no compliance coverage, and no admin controls. Either deploy ChatGPT Enterprise with proper configuration or use a private AI deployment that keeps data in your controlled environment.

How do I know if my employees are using ChatGPT?

Start with an anonymous survey. Supplement with network traffic analysis (look for connections to openai.com, chat.openai.com), browser extension audits, and OAuth log reviews. The shadow AI detection guide walks through each step.

What should my ChatGPT policy say?

At minimum: which AI tools are approved, what data can and cannot be entered, what requires human review before client use, and how to report a data exposure. Keep it under two pages. Our free policy template covers all the essentials.

Can employees use ChatGPT for personal tasks on work devices?

That is a business decision, not a security decision. The risk is that personal use blurs into work use. An employee who is already logged into ChatGPT for personal tasks is one copy-paste away from entering work data. If you allow personal use, make the boundaries explicit.

What is the biggest risk of employees using ChatGPT at work?

Client data exposure. When employees paste sensitive information into free-tier AI tools, that data goes to external servers with no contractual protection for your business. For regulated industries, this creates compliance violations with real financial penalties.

How much does it cost to set up an approved AI alternative?

ChatGPT Enterprise runs about $60/user/month. A private Azure OpenAI deployment with custom integrations typically costs $5,000 to $15,000 for setup and $1,500/month for managed service. Compare either option to the $4.2 million average cost of a data breach (IBM, 2025).

Jose Lugo is a CISSP-certified security engineer with 12 years of U.S. Army intelligence experience. He builds secure AI work environments for businesses at josecustom.ai. See his portfolio of 13 live client systems at portfolio.josecustom.ai.