
Shadow AI in your small business: a 30-minute discovery (not a crackdown)

[Image: floating panel showing shadow AI tools being discovered and documented, scattered icons on the left transitioning to an organized list with checkmarks on the right.]

Shadow AI is already in your business. Your team is using ChatGPT to write emails, Claude to summarize documents, and three other tools you have never heard of. None of it is on any inventory.

The instinct is to ban it. Skip that. What works is to find it first, see what work it is doing, and then decide what to keep.

What shadow AI looks like in a small business

Shadow AI is any AI tool an employee uses for work without an explicit decision from the business. It includes the obvious ones (ChatGPT, Claude, Gemini), the embedded ones (Notion AI, Copilot in Word, the generative features inside Grammarly), and the ones bolted into apps you already pay for and never noticed.

In a 22-person professional services firm, it usually looks like this. Two people pay for ChatGPT Plus on their personal cards. Four people use the free version. One assistant has Claude open all day. Someone in operations has been pasting customer emails into a tool the team has never named out loud.

None of these people are acting in bad faith. They are solving a problem the business has not given them a sanctioned way to solve.

Why discovery beats a ban

A ban does three things, all of them bad. Tools move into private logins. The work continues, but you lose visibility. And the people doing the most thinking about how to use AI well stop telling you about it.

Discovery does the opposite. It treats existing usage as data. Which tasks are bottlenecks. Which workflows the team is already trying to improve. Where the business is exposed.

The data is more useful than any policy you could write before you knew it existed.

The 30-minute discovery walkthrough

Block 30 minutes. Use a shared doc. Three steps.

Minutes 0 to 10: scan. Ask each team lead two questions in writing. Which AI tools have you used for work in the last month? Which tasks did you use them for?

Minutes 10 to 20: collect. Add a row per tool to a single sheet. Columns: tool name, who uses it, task, login type (personal or business), what data goes in.

Minutes 20 to 30: triage. Mark each row with one of three flags, judged mainly on the last two columns (login type and what data goes in). Green: low-risk and useful, formalize it. Yellow: useful but sensitive data goes in, needs guardrails. Red: stop using it until reviewed.

That is the whole exercise. No procurement form. No legal sign-off. A 30-minute snapshot of what is actually happening.
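The walkthrough above is a survey, and surveys undercount: people forget tools, and nobody reports the one they would rather not name. As an added example (not tooling from the article, from FIT, or from any vendor), the Python script below applies the three flags to an inventory sheet with the article's five columns and then cross-checks the self-reported tools against proxy or DNS logs, which is where the unreported ones show up. It goes a little beyond the article: the red/yellow boundary is one assumed encoding (sensitive data into a tool the business does not control is red, sensitive data on a business account is yellow), the hostname-to-tool map is an assumption to verify against each vendor's own documentation, and the inventory rows and log lines are constructed for illustration.

```python
"""Triage a shadow-AI inventory sheet and cross-check it against proxy/DNS logs.

Added example, not the article's own tooling. Triage rules, hostname map,
inventory rows and log lines are all assumptions constructed for illustration.
"""
import csv
import io
import re
from collections import Counter

# Constructed: the kinds of data the article says should not leave the business.
SENSITIVE = {"customer records", "contracts", "finance numbers", "employee information"}

# Assumed hostname -> tool map. Check each entry against the vendor before relying on it.
AI_HOSTS = {
    "chatgpt.com": "ChatGPT",
    "chat.openai.com": "ChatGPT",
    "claude.ai": "Claude",
    "gemini.google.com": "Gemini",
    "copilot.microsoft.com": "Copilot",
}

# Constructed inventory sheet using the article's columns:
# tool name, who uses it, task, login type, what data goes in.
INVENTORY_CSV = """tool,users,task,login,data
ChatGPT Plus,alice,draft client emails,personal,customer records
ChatGPT,bob,rewrite internal notes,personal,internal notes
Claude,dana,summarise documents,business,contracts
unknown,ops,paste customer emails,unknown,customer records
"""

# Constructed proxy log lines: timestamp, source IP, destination host.
PROXY_LOG = """2024-05-02T09:14:02 10.0.0.12 chatgpt.com
2024-05-02T09:15:40 10.0.0.17 claude.ai
2024-05-02T09:20:11 10.0.0.21 gemini.google.com
2024-05-02T09:22:05 10.0.0.21 gemini.google.com
2024-05-02T09:30:55 10.0.0.30 example.com
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def load_inventory(text):
    """Read the sheet into one dict per row (keys are the header columns)."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(row):
    """Assign green/yellow/red. Assumed rules: sensitive data into a tool the
    business does not control (personal or unknown login, or an unidentified
    tool) is red; sensitive data on a business account is yellow; else green."""
    sensitive = row["data"].strip().lower() in SENSITIVE
    controlled = (row["login"].strip().lower() == "business"
                  and row["tool"].strip().lower() != "unknown")
    if sensitive and not controlled:
        return "red"
    if sensitive:
        return "yellow"
    return "green"


def triage_inventory(rows):
    """Return the rows with a 'flag' column added."""
    return [dict(row, flag=triage(row)) for row in rows]


def observed_tools(log_text):
    """Count log hits per AI tool; hosts not in AI_HOSTS are ignored."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed log format
        tool = AI_HOSTS.get(m.group(3).lower())
        if tool:
            hits[tool] += 1
    return hits


def unreported_tools(rows, log_text):
    """Tools seen on the wire that nobody put on the sheet: the survey's blind spot.
    Matching is a case-insensitive substring test so 'ChatGPT Plus' covers 'ChatGPT'."""
    reported = [r["tool"].lower() for r in rows]
    return {tool: n for tool, n in observed_tools(log_text).items()
            if not any(tool.lower() in name for name in reported)}


if __name__ == "__main__":
    flagged = triage_inventory(load_inventory(INVENTORY_CSV))
    for r in flagged:
        print(f'{r["flag"]:6} {r["tool"]:14} {r["login"]:9} {r["data"]}')
    print("seen in logs but not reported:", unreported_tools(flagged, PROXY_LOG))
```

Run it against the real sheet exported as CSV and a day or two of proxy, DNS or firewall logs if the business has them; anything that comes back from `unreported_tools` is a row to add to the sheet before triage, and a reason to ask the team lead a third question.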

Three patterns you will probably find

Pattern one: one or two people are quietly doing the team's most useful AI work. They have figured out prompts, workflows, and shortcuts the rest of the team would benefit from. These people are the start of your prompt library, not your enforcement target.

Pattern two: at least one tool is processing data that should not leave your business. Customer records, contracts, finance numbers, employee information. This is the urgent finding. Not a reason to panic. A reason to act this week. Start by checking the tool's terms: consumer and free tiers commonly retain prompts and may use them to train models unless the user opts out, which is exactly the exposure a business account, or a different tool, removes.

Pattern three: a useful tool is on a personal login and a personal card. The business cannot govern it, audit it, or keep it when that employee leaves. Move it onto a business account before something forces the conversation.

From discovery to first decisions

After the 30-minute audit, three decisions are enough to start.

First, name an owner for shadow AI. Not a committee. One person who is the point of contact when someone wants to try a new tool.

Second, write one paragraph of guardrails. What data never goes into an external AI tool. What approval is needed for new tools. Where to log them. Three sentences is enough for now.

Third, pick one shadow tool the discovery surfaced as useful and make it official. Move it to a business account, document the workflow, and tell the team. This is the first proof that the new process is not a crackdown.

That is enough to stop the bleeding and start building something durable.


Keep exploring

If discovery surfaced more than you expected, the AI Readiness Audit is the structured next step, or contact FIT if you want to talk it through first.