There is a way to check whether your organisation's AI governance is real or theoretical. Look at its current job postings.
If the postings require AI fluency from candidates while you, as an existing employee, have no sanctioned AI tools, no training, and no clear policy, that gap is informative. The organisation has decided that AI skills have value. The decision about whether to give you a governed way to develop them has not been made in your favour.
This is the contradiction that surfaced in a comment thread after I posted about shadow AI last week. Nigel Maskery named it in public, then developed it further in a follow-up conversation: the governance failure around shadow AI is not only neglect. In many cases it resembles what he called "don't ask, don't tell governance." The organisation knows people are using AI tools: it can see the effects in the work. It captures the productivity benefit. But it provides no approved pathway, no oversight, and no assurance. And if something eventually goes wrong, the individual who was using the unapproved tool was, it turns out, operating outside policy.
Upside captured. Risk pushed down to you.
The reason this matters to you specifically is that the arrangement is not symmetrical. You are the one making decisions about whether to use an ungoverned tool, without a clear picture of what risk you are holding. Your organisation is in a different position: it can observe that productivity is improving without asking why, and if a specific incident occurs, it has a policy document that formally prohibits the behaviour.
That document is worth describing concretely, because it takes different forms in different organisations. In many cases it is the acceptable use policy you signed when you joined, written two or three years before generative AI was in common use, with a general clause about using only approved or company-provided software. In others it is a BYOD or shadow IT policy, drafted for the era when the concern was personal phones and non-corporate cloud storage, which technically covers "non-sanctioned tools" but never mentions AI. In a growing number of organisations, a new AI policy has been drafted in the past year, circulated to management and legal, and perhaps not yet formally communicated to staff. And in some organisations, new hires are now asked to sign an AI-specific policy that you, as an existing employee, have not yet seen.
In each of these cases, the document exists. It applies to you. What it does not do is track the reality you are working in. The policy was written to protect the organisation: to satisfy a controls checklist, not to reflect how the tools are actually being used or which ones are appropriate today. The people deciding what is sanctioned are typically not the ones doing the work. In many cases, the tools that would satisfy the checklist do not yet have the features those controls require, which means nothing gets approved. The landscape moves faster than the approval process. The tool that was sanctioned twelve months ago is not necessarily the right tool now, and the tools that would actually serve the work have not been evaluated at all.
That paper policy is not the protection it appears to be. Regulators and employment lawyers describe policies that exist on paper but receive no training, enforcement, or monitoring as paper policies. They are treated as weak or unusable. The accountability for work-related data processing does not transfer to the individual because a prohibition document exists; it sits with whoever sets the purposes and means of the processing. That is the organisation. And the legal question of whether the organisation carries liability for what an employee does while doing their job turns on whether the activity was within their field of work, not on whether the specific tool they used was on the approved list.
The legal landscape for AI tools specifically is still developing. No court has ruled on "employer benefits from employee's use of a generative AI tool while official policy prohibits it." The principles above are established and apply by analogy, but the analogy has not been tested. I am not saying the paper-policy defence will fail in any particular case. I am saying it is considerably weaker than it looks, and that relying on it is a different thing from having done the governance work.
The moment all of this becomes concrete is when something goes wrong.
A customer data incident is reported. An investigation reveals that personal data was processed through a consumer AI tool that was not on the approved list. The organisation now faces a regulatory inquiry, or an internal review, or a client demanding to know what their data was used for. The first question: what controls were in place?
The policy document is produced. The organisation's position: we have a clear policy that prohibits use of unsanctioned tools, and the employee acted in breach of that policy.
From the individual's side, the sequence of that moment is worth understanding in advance. You will be asked what you knew and when. The fact that the productivity from your AI use was welcomed, that no one asked where the improved output was coming from, that there was no sanctioned alternative provided to you, will not be the first thing mentioned. The policy document will be.
This does not mean the organisation's position will hold under scrutiny. The questions a regulator or employment tribunal would ask go to whether the policy was enforced, whether training was provided, and whether the organisation took any reasonable steps to prevent the practice it now claims to have prohibited. The accountability does not sit cleanly with the individual. But you will be in the position of making that case rather than the organisation, which is a different and harder position to be in.
What you can do, before the question is no longer theoretical: if you are uncertain whether a tool is sanctioned, ask in writing and document the response, or the absence of one. The absence of a sanctioned alternative does not make the risk disappear; it means you are holding more of it than the arrangement makes visible. If you are told to use "your best judgment", that is not an indemnity. The moment a judgment call produces an incident, best judgment becomes after-the-fact reasoning about whether your judgment was actually best.
What concerns me most is not the legal exposure in isolation. It is the incentive structure the arrangement creates and what it teaches over time.
If using AI effectively and quietly is rewarded, while being transparent about it invites the response "you were using an unapproved tool", then silence is the rational individual response. You learn not to surface the capability. You learn to manage the gap between what you are doing and what has been sanctioned, and you get progressively better at keeping that gap invisible. This is not a neutral state waiting to be formalised once the organisation decides to govern properly. It is a set of habits and practices that resist formalisation. The period of ungoverned use does not just delay governance; it makes governance harder to implement later, because the behaviours have become embedded and the transparency required to govern them carries individual risk.
The hiring contradiction is not incidental to this. When an organisation advertises for candidates with AI fluency, it has made a public statement: this capability is valuable to us, valuable enough to screen for. If that same organisation has not provided its existing workforce with sanctioned tools, training, or policy, the message to you is implicit but legible. The value is wanted. The responsibility for developing and using the capability appropriately is being placed on you, without the support, the clarity about what responsible use looks like here, or the shared framework that would let you make good decisions and surface them openly.
The "don't ask, don't tell" framing is apt because it names the convenience the arrangement provides to the organisation. It does not need to make a decision about AI governance if the question is never asked. The productivity comes in without triggering the policy conversation. And the individual, not wanting to create a problem, also does not ask. The system holds together through mutual silence, and the risk accumulates in the place where the power is weakest.
If you are in this position, you are entitled to ask a direct question: if AI fluency is valuable enough to list in job postings, when will existing employees receive a governed way to develop and use it?
That is not an accusation. It is the question the hiring contradiction opens up. The organisation has already answered the part about value. The part about responsibility is still open, and it is reasonable to expect an answer rather than silence.