In many companies, artificial intelligence is not currently being introduced as a single major technology project. It is making its presence felt much more quietly: through a feature in a CRM system, a marketing tool, an HR application, a spreadsheet, a messaging app or a public chatbot that an employee uses to prepare an analysis, a quote or a meeting summary more quickly. From the board’s perspective, this is a significant shift. AI isn’t always where the IT budget suggests it is. Increasingly, it’s found where people are trying to speed up their day-to-day work.
That is why the question about AI in a company is less and less often ‘Are we implementing it?’ A far more interesting and practical question is becoming ‘Where is it actually already in use?’ The answer is not always obvious. An organisation may have an AI strategy and several official pilot projects, yet still lack a complete picture of how individual teams are using AI-based tools. It is precisely this gap between the official project and day-to-day practice that is beginning to have business significance.
This is not about fostering an atmosphere of suspicion towards staff. The informal use of AI, often referred to as ‘shadow AI’, can be a problem, but it can also be a signal. It shows where employees are looking to boost productivity, where processes are too slow, and where official tools are failing to keep up with real business needs. If someone uses AI to summarise documents, prepare a draft presentation or analyse sales data, they are usually not doing so to bypass the organisation. They do it because the technology is accessible, fast and useful.
The risk arises when a company does not know what data is fed into these tools, in which processes AI is beginning to support decision-making, and who is responsible for the outcome of its use. There is a difference between using AI to generate a neutral draft of marketing text and using it to analyse CVs, assess customers, process financial data or summarise documents containing confidential information. This is no longer merely a matter of convenience at work. It is a matter of responsibility, data quality, security and trust.
An additional factor is the AI Act, which emphasises the importance of transparency, risk assessment, documentation of uses and oversight of AI systems. This does not mean that every instance of AI use within a company immediately becomes a major regulatory project. Rather, it means that it is increasingly worthwhile for organisations to know where AI is being used, for what purpose, on what data, and with what impact on people, processes or decisions. Without such an overview, it is difficult to discuss both compliance and the responsible scaling of the technology.
A practical starting point could be an AI usage register. However, it is crucial not to treat it as just another spreadsheet created for an audit. A well-designed register is not a list of trendy tools. It is a map of where artificial intelligence is actually being used within the organisation. It should answer not only the question ‘which solution are we using?’, but above all: in which process, on what data, for what purpose, with what level of automation, and under whose responsibility.
Such a map helps to distinguish low-risk applications from those requiring greater attention. AI used to organise meeting notes carries a different weight than a system supporting HR, credit or procurement decisions, or complaint handling. Thanks to the register, it is easier to see which initiatives can be developed more quickly, which require additional safeguards, and which are worth understanding better first. This tool does not have to stifle innovation. On the contrary, it can facilitate its safe scaling.
It is equally important to determine who is responsible for this AI landscape within the company. The weakest approach would be to shift the entire responsibility solely to IT or solely to compliance. AI is simultaneously a technology, a component of a business process, a data risk and a tool that influences the way people work. That is why a model of shared responsibility works best. The board sets the direction and expects transparency. The business is responsible for specific applications, as it is the business that benefits from the results of AI. IT and cybersecurity manage the architecture, integrations and protection of systems. Legal, compliance and the DPO help to assess risks related to data, regulations and liability.
In practice, the most important thing is to move away from the mindset that AI governance begins with bans. A far more useful approach is for a company first to try to see how AI is already operating within its structure. Only then can a sensible decision be made as to where rules are needed, where better tools are required, where education is needed, and where stronger oversight is required.
Mapping AI usage does not have to start with a major transformation programme. Sometimes, a well-formulated question is enough: where is AI already helping people work faster today, and where is it beginning to influence data, decisions and accountability? Companies that can answer these questions gain more than just control. They gain a better starting point for the wise, safe and more informed use of artificial intelligence.
