Home
Automazione & AI Dati & Controllo di gestione Siti web & E-commerce Sviluppo su misura Formazione AI
App Visione Manifesto Magazine Contatti
Accedi Prenota una consulenza
Risk & Rules · Guide

Shadow AI: your employees already use ChatGPT with customer data

While you debate "whether" to adopt AI, the company is already using it. It is the most concrete risk you have today: here is what you risk and how to put it in order in 7 steps.

By Davide De Filippis June 18, 2026 9 min read
Shadow AI: customer data ends up in ChatGPT

While management debates whether to adopt artificial intelligence, employees have already adopted it. A large share of workers use AI tools that the company has not approved, often pasting customer lists, contracts and balance-sheet figures into ChatGPT or similar tools.

It is called shadow AI, and it is the most concrete AI-related risk most SMEs have today. Not a theoretical future risk: it is happening this week, in your company, probably as you read.

What shadow AI is (and why it is already in your house)

Shadow AI is the use of artificial intelligence tools that the company has neither authorized nor configured. It is almost never bad faith: people simply want to work faster and better. The salesperson who has an offer rewritten, the employee who has a contract summarized, the person who pastes a table of customers to "tidy it up". All understandable.

The problem is not AI: it is what leaves the company when confidential data is pasted into a public tool, on servers you know nothing about, with terms of use no one has read.

What you really risk: FADP and GDPR

Three things, in order of concreteness.

  • You stay responsible. The fact that one of your employees enters the data into an external tool changes nothing: you are the data controller. The responsibility does not transfer to the tool.
  • Personal data out of control. Names, contacts, customer and employee data entered into tools without a legal basis and without an adequate contract with the provider are a data protection breach. If the data ends up on servers outside Switzerland or the EU without safeguards, the problem gets worse.
  • Trade secrets. Beyond privacy: price lists, know-how, strategies and confidential drafts that can end up in the logs or, in some cases, in the training data.

On the regulatory side, in Switzerland data protection law already applies fully to the use of AI: you remain the data controller, you must know which tools are being used and put adequate agreements in place. In Italy and the EU the rules of the GDPR apply. In every case, a careless handling of personal data can lead to significant penalties and liability for the company. Switzerland, unlike the EU, does not have a general law dedicated to AI, but this does not exempt anyone from data protection, which is already fully in force.

This article is for general information and does not constitute legal advice: for the obligations that apply to your case it is always worth checking with an advisor.

The golden rule

If you would not email it to a stranger, do not paste it into a public AI tool. It is a rule anyone in the company can remember.

Why banning does not work

The instinctive reaction is the ban: "ChatGPT is forbidden". It rarely works. A blanket ban does not eliminate shadow AI, it only pushes it further into the shadows: people use their personal phone, on the sly, and you lose even the little visibility you had. On top of that, you give up the real benefits AI can bring.

The path that works is the opposite: provide a safe alternative, clear rules and a minimum of training. When the good tool exists, the risky one stops being useful.

The 7-step guide to using AI safely

A concrete path, within reach of an SME, with no need for an in-house legal department.

  • 1. Map what is already in use. Ask people, without blaming, which AI tools they use and for what. It is a census, not a trial. The picture usually comes as a surprise.
  • 2. Classify the data. Define what must never leave (customer data, contracts, sensitive data) and what is free (generic text, ideas, public drafts). A simple rule beats a complicated policy.
  • 3. Offer a safe company tool. For example Microsoft Copilot inside the company tenant, or a tool with a data processing agreement and, where needed, data that stays in Switzerland or the EU. With the right alternative, shadow AI collapses on its own.
  • 4. Write a one-page policy. What can and cannot be done, with concrete examples ("do not paste customer lists", "fine to rewrite a generic text"). One page that people read, not a treatise no one opens.
  • 5. Configure and limit. Turn off the use of data for training where possible, set the permissions, separate personal accounts from company ones. Much of security is configuration.
  • 6. Train your people. One hour of practical training is worth more than ten bans: show what is safe and why. It is also the way to turn AI from a risk into an advantage. (This is the point of our AI training service.)
  • 7. Update your privacy notice and records. State in the privacy notice which AI tools are used and the logic of any automated decisions, and keep an up-to-date record of processing activities. It is the formal part, but it covers you.

From risk to advantage

Tackling shadow AI is not only defense. It is the chance to bring AI into the company the right way: with a reliable tool, clear rules and people who know what they are doing. Whoever puts things in order now not only reduces the risk: they start ahead, because they use AI with confidence while others use it on the sly and badly.

Want to make AI use in your company safe? We can help you run the census, choose the right tool, write the policy and train the team, starting from a consultation.

Book a consultation The AI Training service

Frequently asked questions

Is it illegal to use ChatGPT at work?

No, not in itself. It becomes a problem when you put personal or confidential data into it without the right safeguards: a legal basis, an adequate contract with the provider and awareness of where the data ends up.

Does Switzerland have an artificial intelligence law?

Not a horizontal law like the European AI Act: Switzerland has chosen a sector-based approach. But Swiss data protection law (FADP) already applies fully to the use of AI.

Is Microsoft Copilot safer than ChatGPT?

Used within the company tenant, with the data staying inside the Microsoft 365 perimeter and without training on your data, it offers guarantees that the public, free version of ChatGPT does not. A lot depends on the configuration.

Can I simply ban the use of AI?

You can, but it rarely works: a blanket ban pushes usage into the shadows, onto personal devices. It works better to offer a safe alternative, clear rules and a bit of training.

Is the data I put into ChatGPT used to train the model?

It depends on the tool and the settings. In business and enterprise versions often not; in free ones often yes, unless explicitly turned off. It needs to be verified for each tool.

← Back to the Magazine