Boards have moved on from asking whether AI matters. The question now, in almost every executive meeting we sit in, is some version of “what is our AI strategy?” It is a reasonable question. It is also, in most firms, one rung too high. Beneath it sits a quieter, more uncomfortable one: which AI tools are running in our firm right now, who is using them, and what data is travelling out of the door each time they do? Very few UK firms can answer with any confidence. Strategy without that ground truth is aspiration.
The shape of shadow AI
Shadow AI is rarely dramatic. It looks like a paralegal using free-tier ChatGPT to summarise a witness statement because the firm has not sanctioned an enterprise tool. It looks like a finance team trialling Copilot in Excel without telling IT, because the trial button was right there. It looks like a marketing manager pasting a draft board pack into a free AI writing tool to “tighten the language” before circulation. In one composite engagement — a UK mid-market accountancy firm, names changed — we found seven distinct AI tools in active use across thirty-two staff. None had been approved. Two had terms of service that explicitly granted the vendor the right to train future models on submitted content.
This is the pattern. DSIT’s Cyber Security Breaches Survey 2025/2026 finds around a third of UK businesses now using, adopting or considering AI, but only a quarter of those report any cyber security practices to manage AI risk. Enterprise telemetry tells a sharper story: the large majority of paste events into generative AI tools come from unmanaged personal accounts, sitting outside whatever DLP control the firm believes it has. Employees are not malicious. They are productive. The tools are faster than the firm’s procurement machinery, and the gap is widening.
Why an inventory beats a policy as a first step
The instinct, when a board hears “shadow AI”, is to commission a policy. We understand the appeal. A policy is a document, a document can be approved, and an approved document looks like progress. The trouble is that a policy governing tools you cannot see is, by definition, aspirational. You cannot enforce what you have not measured, train staff away from tools you have not catalogued, or brief the board on residual risk if the underlying exposure is invisible.
The honest first step is discovery. Every AI tool in use. By whom. With what data. Under what vendor terms. Only when that picture exists can a policy do meaningful work, calibrated to the real footprint rather than an assumed one.
The regulatory direction reinforces this. The EU AI Act’s Article 50 transparency obligations enter into force on 2 August 2026 and reach any UK firm whose AI output is used in the EU. The ICO’s updated draft guidance on automated decision-making (out for consultation through spring 2026) and its preparation of a statutory ADM Code under the Data (Use and Access) Act both presume the firm knows where AI sits in its own processing. So does ISO/IEC 42001, now being asked for in vendor questionnaires. Every one of these regimes begins with the same assumption: the firm has an inventory. Most firms do not.
What a credible AI usage audit covers
A genuine AI usage audit produces a defensible picture of the firm’s AI exposure. The findings categories we work to are:
- Shadow tool discovery — every AI service in active use, including free-tier consumer tools, browser plug-ins, and AI features embedded inside SaaS products that staff may not register as “AI”.
- Data egress mapping — what categories of information are leaving the firm via each tool: client data, personal data, commercially sensitive material, regulated data subject to sector overlays.
- Vendor terms of service review — the commercial reality of each tool. Does the vendor claim training rights on submitted content? Where is data processed and stored? What survives account deletion? Is there an enterprise tier with materially different terms?
- Employee usage patterns — who is using what, how often, and for what purpose. One finance lead pasting reconciliations daily into a free tool is a larger exposure than fifty staff using a sanctioned assistant once a week.
- Regulatory mapping — exposures cross-referenced against the EU AI Act (where output reaches the EU), UK GDPR and the ICO’s ADM expectations, and sector overlays: the FCA’s Consumer Duty and SM&CR for financial services, the NHS DSPT and DCB0129/0160 for healthcare deployers, and the SRA Code of Conduct for legal practices.
The deliverable is a three-part pack: an executive AI register for the board, a risk-ranked exposure register for the risk committee, and a remediation roadmap for the operational team that will close the gaps. Each has a named audience and a job to do.
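As an added illustration of the shadow tool discovery and employee usage pattern steps above (example code, not Rhentech's own tooling), the Python below builds a toy AI register from constructed web-proxy log lines; it assumes Copilot is the only sanctioned tool and uses an RFC 2606 placeholder host for the unnamed free AI writing tool.

```python
from collections import defaultdict

# Assumed host -> tool map. The two real hosts are the public ChatGPT and Copilot endpoints
# named in the text; the third is an RFC 2606 placeholder for a free AI writing tool.
AI_HOSTS = {"chat.openai.com": "ChatGPT (consumer)",
            "copilot.microsoft.com": "Copilot",
            "ai-writer.example": "AI writing tool (placeholder)"}
SANCTIONED = {"Copilot"}  # assumption: the only tool the firm has approved

# Constructed proxy lines (not real telemetry): timestamp, user, destination host, bytes uploaded.
SAMPLE_LOGS = """\
2026-03-02T09:14:05Z alice.finance chat.openai.com 18432
2026-03-03T08:58:40Z alice.finance chat.openai.com 19870
2026-03-03T10:02:13Z bob.marketing copilot.microsoft.com 3120
2026-03-03T11:45:09Z carol.legal chat.openai.com 2048
2026-03-04T09:00:00Z alice.finance chat.openai.com 20011
2026-03-04T14:30:21Z dave.it github.com 512
2026-03-05T16:40:02Z carol.legal ai-writer.example 4096
malformed line
"""

def parse_log(text):
    """Yield (day, user, host, bytes_up) per well-formed line; skip anything else."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3].isdigit():
            yield parts[0][:10], parts[1], parts[2], int(parts[3])

def build_register(text, sanctioned=SANCTIONED):
    """Aggregate AI traffic per (user, tool); unsanctioned rows first, then by
    distinct active days and upload volume, so one daily heavy user outranks
    many occasional light users, as the text argues."""
    acc = defaultdict(lambda: {"days": set(), "requests": 0, "bytes_up": 0})
    for day, user, host, up in parse_log(text):
        tool = AI_HOSTS.get(host)
        if tool is None:  # ordinary web traffic, not an AI service
            continue
        rec = acc[(user, tool)]
        rec["days"].add(day)
        rec["requests"] += 1
        rec["bytes_up"] += up
    rows = [{"user": u, "tool": t, "sanctioned": t in sanctioned,
             "active_days": len(r["days"]), "requests": r["requests"],
             "bytes_up": r["bytes_up"]} for (u, t), r in acc.items()]
    rows.sort(key=lambda r: (r["sanctioned"], -r["active_days"], -r["bytes_up"]))
    return rows

def shadow_tools(rows):
    """Distinct tools in use that the firm never approved."""
    return sorted({r["tool"] for r in rows if not r["sanctioned"]})
```

Proxy telemetry alone cannot tell you which data categories left the firm or what the vendor's terms say, so the egress mapping and terms review steps still depend on interviews and document review.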
How Rhentech helps
Our AI usage audit is delivered the same way as the rest of our work: senior-led and audit-first, with the consultant who scopes the engagement being the consultant who delivers it. No handoff to a junior team. We walk the firm’s tooling, interview the people actually using AI day to day, review the vendor terms behind each tool, and produce findings the board can read in a single sitting.
Where the audit identifies a need for ongoing oversight rather than a one-off cleanup — the right answer for most regulated mid-market firms — the findings feed cleanly into an AI Governance and Compliance engagement. Same team, same understanding of the footprint, no re-discovery cost.
If shadow AI is on your board’s risk register but you are not confident the register reflects reality, the sensible first step is an honest look at what is actually running. Book a free initial consultation and we will talk through your situation, scope the work properly, and tell you whether an AI usage audit is the right next move. The audit itself is a paid engagement; the conversation is not.