AI TRAINING

Shadow AI in SMEs: Finding It, Fixing It

Identify unsanctioned AI tools across your organisation and put lightweight, enforceable governance in place.

Format: workshop
Duration: 6–10h
Level: literacy
Group size: 4–16
Price / participant: €350–€900
Group price: €3K–€9K
Audience: Ops managers and IT leads at SMEs with 20–150 employees
Prerequisites: No prior AI expertise required; basic familiarity with company IT and data workflows is helpful

What it covers

This workshop helps ops and IT leads at small and mid-sized companies discover where AI tools are already being used without approval, assess the associated risks, and implement a practical governance response. Participants leave with a ready-to-use discovery survey, a lightweight acceptable-use policy, a sanctioned-tool list, an amnesty process for existing usage, and a monthly drift-check routine. The format combines facilitated discussion, hands-on policy drafting, and peer review across two half-day sessions.

What you'll be able to do

  • Design and deploy a discovery survey that surfaces AI tool usage across all business functions within one week
  • Classify identified tools by risk tier using a repeatable scoring rubric
  • Draft a one-page acceptable-use policy tailored to your organisation's size and risk appetite
  • Run a structured amnesty session that encourages honest disclosure without punishing early adopters
  • Schedule and execute a monthly drift-check routine to detect new unsanctioned adoption before it becomes a liability

Topics covered

  • Running a shadow-AI discovery survey across teams
  • Mapping risk exposure from unsanctioned tools (data leakage, compliance, vendor lock-in)
  • Drafting a lightweight acceptable-use policy for AI
  • Building and communicating a sanctioned-tool list
  • Designing an amnesty process to surface existing usage without blame
  • Setting up monthly drift checks to catch new shadow adoption
  • Aligning AI governance with GDPR obligations for SMEs

Delivery

Delivered as two half-day facilitated sessions (remote or on-site). Day one covers discovery and risk mapping; day two covers policy drafting and governance processes. Participants work in small groups on real scenarios from their own organisation. All templates — survey, policy, tool-assessment rubric, amnesty script, drift-check checklist — are provided as editable documents. Hands-on drafting accounts for roughly 60% of total time.

What makes it work

  • Pair the amnesty process with a clear sanctioned alternative so employees have an immediate path forward
  • Assign a named owner for the monthly drift check — accountability matters more than process sophistication at SME scale
  • Involve at least one non-IT business lead in policy drafting to ensure the language is practical and understood company-wide
  • Review and update the sanctioned-tool list at least quarterly, because the AI tool landscape evolves rapidly

Common mistakes

  • Issuing a blanket ban on AI tools without an amnesty period, which drives usage further underground
  • Building a policy that is too complex for a small team to maintain, leading to immediate non-compliance
  • Skipping the discovery phase and assuming IT already knows every tool in use
  • Treating shadow AI purely as an IT problem rather than a cross-functional ops and people challenge

When NOT to take this

A 200-person enterprise with a dedicated security team and an existing software-approval workflow — they need a full AI governance programme with procurement integration, not this lightweight SME-focused workshop.
