AI tools are entering the workplace faster than most IT teams can respond. What began as experimental use cases is now widespread day-to-day reliance and often without oversight.
We surveyed IT and security professionals to understand how their teams are approaching AI: what tools they're using, how policies are evolving, and where the biggest gaps and pressures lie.
The bottom line: While 76% of organizations allow all employees to use AI tools, only 39% have well-defined policies with clear use cases. The result? A perfect storm of shadow IT, data leakage concerns, and compliance headaches that IT teams are scrambling to address.
This report surfaces one clear theme: AI is not just another trend to manage - it's a shift in how work gets done. And IT's role isn't about restriction. It's about redefining enablement, visibility, and safety at scale.
Our survey captured perspectives from IT and security professionals across organizations of varying sizes. The majority of respondents (44%) identified as IT Admins, followed by IT Managers and Directors (38%), and Security/Compliance professionals (12%).
Most represented small to mid-sized organizations: 42% work at companies with 1-100 employees, while 38% are at organizations with 101-500 employees. The remaining respondents came from larger enterprises, with 10% at companies with 501-1,000 employees, 7% at organizations with 1,001-5,000 employees, and 3% at companies with 5,000+ employees.
AI governance is a challenge for companies of all sizes but it’s especially urgent for smaller IT teams, who have to juggle innovation and security without the resources of large enterprise IT and security teams.
The survey paints a picture of AI tools becoming as common as email in modern workplaces. 77% of organizations allow all employees to use AI tools, with only 1% blocking them entirely. This represents a dramatic shift in enterprise software adoption. Such rapid, organization-wide deployment of a new technology category is really rare.
Despite concerns about data leakage, compliance, and tool sprawl, AI is widely in use:
As one respondent described their usage: "I use AI in everything I do. From summarising documents to drafting policies to writing code”
Another noted using AI for "brainstorming, talking through ideas, primary drafting from notes, improving sheets formulas, scripting, and more."
But this reliance brings new questions: How do we verify outputs? What training is required? When is automation helpful and when is it risky?
And policy hasn't kept up:
One respondent put it: "Our CEO gave everyone a budget to buy whatever tools they want. No oversight." This gap between adoption and governance creates the perfect conditions for shadow IT to flourish.
When asked about their primary concerns, 78% cited data leakage as their top worry - significantly outpacing other security considerations. This is followed by compliance or regulatory risk (48%) and shadow AI/lack of visibility (42%).
These concerns are well-founded. Multiple respondents highlighted specific risks around proprietary information being absorbed by large language models, with one noting: "Company IP is being absorbed by the LLMs." Another emphasized the challenge of "preventing staff from putting client data into tools without mature privacy measures/guarantees."
From open-text answers, some consistent themes emerged:
Some teams reported investing in enterprise tools with SSO or auditing features but others said price, complexity, or unclear ROI were blockers. As one respondent noted: "Price plans with SSO are expensive. We want to use many different tools to use the best for the use case and also personal preference."
Nearly 30% of respondents identified lack of user training or awareness as a significant concern. This aligns with the qualitative feedback, where "training" emerged as the most frequently mentioned solution. As one respondent advised: "Training is the most critical thing you can do."
The challenge isn't just technical. Organizations are struggling to help employees understand both the benefits and risks of AI tools. Several respondents mentioned the need for comprehensive education programs that go beyond simple do's and don'ts.
The most common safeguard is internal policy or usage guidelines (73%), followed by security training for AI use (52%). However, technical controls lag behind: only 36% have implemented OAuth or SSO-based monitoring, and just 33% are blocking tools via MDM or firewall.
This policy-first approach may reflect the speed at which AI tools have proliferated - it's easier to write a policy than to implement comprehensive technical controls across diverse AI platforms.
When asked what would help them manage AI more effectively, 79% of respondents wanted better visibility into usage. This was followed by stronger admin controls from AI vendors (64%) and clearer policies or internal guidance (49%).
The visibility challenge is particularly acute given the browser-based nature of most AI tools. Unlike traditional SaaS applications that can be easily monitored and controlled, AI tools often operate through standard web interfaces, making them harder to track and govern.
Survey responses ranged drastically from playing it safe to fully embracing AI:
The Embracers: "Embrace it. As an org you will be left behind if you do not. But provide the training, policies, tools, etc. Make sure people understand that the org is still in charge."
The Realists: "People are going to use AI whether you want them to or not, so find out how you can manage it safely to minimize harm/risk."
The Overwhelmed: "Good luck. Web access alone is all users need. They will find it."
The Strategic: "You need strong policies and warnings from the executive level (and reinforced by senior leadership) dictating how AI should be used via officially sanctioned apps only."
Before you can manage what you can't see, invest in tools and processes that provide visibility into AI tool usage across your organization. This might include DLP solutions that can detect AI-related traffic, browser monitoring tools, or even simple surveys to understand current usage patterns.
While 71% of organizations have AI policies, the gap between policy existence and policy effectiveness is clear. Focus on creating policies that are:
The most successful organizations appear to be those that combine clear boundaries with comprehensive education. Help employees understand not just what they can't do, but why certain restrictions exist and how to use AI tools effectively within those boundaries.
As one respondent noted: "Generally speaking, AI is a fad and most of it will pass in time. What remains will become part of our regularly managed tools." We’re not quite sure about that. While AI hype may fade, AI capabilities will become embedded in the tools we already use. Plan governance frameworks that can adapt as AI becomes less of a separate category and more of a feature.
Looking Ahead
The AI governance challenge isn't going away - it's evolving. As AI capabilities become embedded in existing enterprise tools (Microsoft 365, Google Workspace, Salesforce, etc.), the challenge will shift from managing standalone AI tools to governing AI features within trusted platforms.
Organizations that establish strong governance frameworks now, while AI tools are still largely external and identifiable, will be better positioned to maintain control as AI becomes more pervasive and integrated into their existing technology stack.
The survey results make one thing clear: AI in the workplace is no longer a question of "if" but "how." The organizations that figure out the "how" part, balancing innovation with security, enabling productivity while protecting data, will be the ones that thrive in an AI future.
This report is based on a survey of IT and security professionals conducted by Kandji in June 2025.