Martin Elstner

The Unintended Consequences of Strict AI Policies If your company implements stringent rules regarding the use of Generative AI tools, there's a high probability employees will find ways to circumvent them. Our initial survey data from a large, mid-sized German technology firm supports this. It indicates that a limited number of approved AI offerings often leads to unregulated usage through other channels. Approximately one-third of respondents admitted to using unauthorized LLM chatbots via their personal phones, unapproved websites, or both. While this data point represents a single company with 3,409 survey respondents, it provides valuable insight. Furthermore, a quarter of all respondents (789, or 23%) reported not using LLMs at all. We conducted an anonymous survey across all employees, comprising 12 questions on GenAI usage and 7 demographic classification questions. The company itself is focused on industrial goods production, rather than IT, though about 20% of the workforce is in software roles and another 20% in hardware engineering. All employees have access to an internally developed web UI that integrates OpenAI models hosted in Azure—essentially, an isolated, internal ChatGPT clone. Both GPT-4o and GPT-4o-mini are available, and the use of internal, confidential data within this tool is explicitly permitted (e.g., copying confidential email content into the chat window for context). Despite this internal tool, company regulations prohibit the use of any other GenAI tools for work-related purposes. Access to certain tools like ChatGPT or DeepSeek is also blocked on the internal network. Many users express a desire for more features than the basic in-house chat UI provides. Prominently mentioned wishes include improved chat history and search functionalities, access to advanced reasoning models, document upload capabilities, and image generation. The availability of these features in free or $20/month external tools significantly contributes to what we term "gray usage." Specifically, 21% of employees use LLM chatbots on their private phones for work-related queries, 10% use unauthorized web-based LLM chatbots (not all of which are blocked), and 3% engage in both. While not all unauthorized usage may pose high risks (e.g., many programming questions can be asked without exposing company intellectual property), data exfiltration via chat UIs remains a genuine concern, particularly given the activity of certain dubious entities in this domain.