Your AI policy might be what gets you fired
A written AI policy gives you legal cover and a false sense that the risk is handled. It does nothing to keep sealed court data out of public models. Here is why governing the tools your people already use beats banning them.
Eric Parsons

If you try to block a tool you are not yet equipped to govern or secure, you do not stop people from using it. You only ensure that its use happens outside your view. That gap, between what users want and what the organization is ready to deliver, is where shadow AI lives: the everyday use of unsanctioned AI tools on personal accounts and personal devices, beyond any policy or control you have in place.
This is not conjecture. It is already happening, and the numbers are not close.
How widespread is shadow AI?
Shadow AI is the use of generative AI tools that an organization has not sanctioned, secured, or governed. Multiple 2025 studies show it is already the norm, not the exception:

| Finding | Source |
|---|---|
| 44% of employees have used AI in ways that violate company policy | KPMG, 2025 |
| 45% of employees use generative AI; 77% of those users paste data into it; 82% of those pastes come from unmanaged personal accounts | The Register, 2025 |
| 78% of employees use unauthorized AI tools, and 51% report conflicting guidance on AI use | WalkMe, 2025 |
| The acting head of CISA uploaded files marked “for official use only” to public ChatGPT | CSO Online, 2025 |

When the person leading a federal cybersecurity agency pastes restricted files into a public model, the problem is not awareness. The problem is that the pull of these tools outruns the controls around them.
Why does this keep happening?
In my more than 25-year career, I have repeatedly watched emerging technologies that end users want become available before the organization was ready to deliver them safely. Every time we sat in that governance gap, users found ways to use the tools and bypass the controls we had in place.
This was true for simple technologies like Dropbox and instant messaging. The difference now is that the demand for AI, and the consequences of misuse, are far higher. I cannot remember a technology more alluring than AI. The value it delivers to users is tangible and immediate.
An organization might try to block access at the firewall, but that does nothing when the tool is reached on a personal device through a personal account.
What shadow AI looks like in a courthouse
Tie that to a real-world use case: someone at a court pastes a sealed juvenile transcript or a victim's testimony into a public model to "summarize" it. Now that record is potentially in a training set. It is unattributable, and it is impossible to claw back.
This is the part that should keep court leadership up at night. The data is among the most sensitive a government holds, and the exposure is permanent.
Why a policy alone is not governance
Let me be clear: rushing to release AI into your environment without governance and controls is a terrible idea. But so is pretending that a policy telling users not to use it will prevent them from doing so.
A policy is a statement of intent. Governance is the set of controls that make the intent real: approved tools, managed accounts, data boundaries, logging, and an option that is good enough that users do not reach for the unsanctioned one.
Govern the tools your users are already using
The real question is whether you want to govern the AI tools your users are already using.
I will admit I am biased here. I am part of TheRecordXchange® (TRX), a software company that builds tools to solve this problem for courts. But being biased does not automatically mean I am wrong. Court data leaking into public models is sensitive, and it has real potential to erode public trust. This topic is not getting the attention it merits, and there are not enough resources for the people trying to navigate it.
If you are responsible for court technology and weighing how to handle AI without losing control of your record, I am happy to share how I have approached this throughout my career and how we approach it at TRX.
Frequently asked questions
What is shadow AI?
Shadow AI is the use of generative AI tools that an organization has not sanctioned, secured, or governed, typically on personal accounts and personal devices. It sits outside IT's visibility, so any data entered into those tools leaves the organization's control.
Does an AI use policy stop shadow AI?
No. A written policy provides legal cover and documents intent, but on its own it does not prevent employees from pasting sensitive data into public models. Studies in 2025 found that 44% to 78% of employees already use AI in ways that violate policy or use unauthorized tools.
Why is shadow AI especially risky for courts?
Courts hold some of the most sensitive data a government keeps, including sealed juvenile records and victim testimony. When that material is pasted into a public model, it can enter a training set, become unattributable, and be impossible to retrieve, which can erode public trust in the court.
How should courts govern AI instead of banning it?
Provide a sanctioned, secured option good enough that users do not reach for an unsanctioned one, then pair it with managed accounts, clear data boundaries, and logging. Governance keeps the data inside the court's control in a way that a blanket ban or a firewall block cannot.