Nobody wrote the AI rules your employees are breaking

A member of your team pasted a customer contract into Copilot this week to get a quick summary. They didn't question it. Not because they're careless, but because nobody ever told them whether that was smart or a fireable mistake. So they guessed.

That guess is happening thousands of times a day across your company, and it's a communication failure long before it's a security one.

The numbers are not subtle. Roughly 90% of employees now use AI tools to get their work done. Only about a quarter of organizations have a clear, enforced AI policy. Axios HQ's 2026 internal communications research lands in the same place from the employee side: just 26% of staff say their company has clear AI rules, and that missing guidance is one of the top things slowing their own adoption down.

So leadership is running two campaigns at once. The first one says "use AI, be faster, don't fall behind." The second one says "we never told you how, so you're on your own if this goes wrong."

What people do when no one gives them a path

They improvise. This is what competent people do when they are handed a goal and no instructions - it’s not a character flaw.

And this is where the "but I trust my people" line falls apart. Trust isn't the issue. A sharp, careful employee still can't know that the contract they summarized counts as confidential, that the approved tool keeps data in-house while the free one trains on it, or that legal drew a line nobody ever published. Good judgment can't apply a rule it was never given. You can trust every person on your team and still have a serious problem, because what they're missing isn't character. It's information, and supplying it is your job.

A Gusto survey found 45% of US workers have used AI at work without telling their manager. Close to half of generative AI users are getting there through personal accounts, outside anything IT set up. The work is happening either way. The only question is whether it is happening somewhere you can see.

Security teams call it shadow AI, and they tend to frame it more as a discipline problem: employees going rogue, ignoring the rules, creating risk. IBM's breach research gives that framing some truth. One in five organizations had a breach tied to shadow AI, and it added as much as $670,000 to the average cost.

But look at the actual behavior research and the discipline story starts to fail. When companies give people an approved, capable AI option, unauthorized use drops. When they don't, people keep using whatever works, and no policy changes that. You cannot police your way out of a gap you created by staying quiet.

That is the part communicators should sit with. Shadow AI is not mostly a rebellion. It is a vacuum. And vacuums are our department.

Why this is important for internal comms

The CEO announces an AI push. IT picks some tools. Legal drafts a policy that may or may not exist in a readable or searchable form. And the actual job of telling thousands of people what changed, in language they understand, falls to whoever owns employee communication. This is you.

Except most IC teams get pulled in for the "drive adoption" half and never see the "here are the rules" half. You are asked to generate enthusiasm for a thing the company has not finished deciding how to govern. So the message employees receive is energy without instruction. Use it more. Use it for what? Use it how? Silence.

The employee on the receiving end is not confused about whether AI matters. They have heard that part loudly. They are confused about whether the thing they did yesterday, pasting a client document into a chatbot to summarize it, just put their job at risk. Nobody told them. They guessed. They will guess again tomorrow.

What closes the gap

This is not a call for a forty-page policy nobody reads. It is the opposite.

Translate the policy into plain answers. Most AI policies are written to protect the company in a lawsuit, not to help an employee make a decision at 2pm on a Tuesday. Your job is the second one. What can I put into an AI tool? What can I never put in? Which tools are approved? Who do I ask when I'm not sure? Four questions, four real answers, in the words people actually use.

Name the safe path before you name the rules. Behavior research is clear that people stop reaching for random tools when a good approved one exists. So lead with "here is the tool we trust and here is what it's for," then cover the limits. Rules without an alternative just push the behavior further into the dark.

Make "I'm not sure" a normal thing to say. Right now the smart move for an anxious employee is to stay quiet and hope. Change that. Give them a name, a channel, a Slack room, anywhere they can ask without feeling like they are confessing. Every question someone asks out loud is one they did not answer alone with your data.

Stop selling adoption you can't support. If the governance isn't ready, that is worth saying to leadership plainly. Pushing "use more AI" into an organization with no guardrails is not a comms win. It is a liability you helped distribute.

The companies getting this right are not the ones with the strictest rules or the flashiest tools. They are the ones whose employees can answer a simple question: what am I allowed to do? If your people can't, that is not their failure to follow the rules. It is your organization's failure to communicate them. And that gap has a clear owner.