What your organization is already doing with AI, and why leadership is the last to know

AdaptAI | June 2026

There is a pattern we encounter consistently enough in our work with organizations that it has started feeling like a feature more than just a finding. When we ask employees about their AI use (not what was sanctioned, but what is actually happening), the answers are detailed, specific, and largely invisible to the people at the top. And when we ask the same questions through an anonymous channel, it becomes clear that most employees feel like they are not doing anything wrong. They are operating in a gray area that nobody has defined for them, using tools that seem fine, doing work that seems useful, carrying a faint background sense that what they are doing might not be fully approved, without that sense being strong enough to stop them.

It is what happens when capable people are given access to powerful tools and left to work out the edges on their own, which is not the same as a concerted act of
defiance.

It matters because it is a governance problem, but even more so because it is the primary reason most organizations are not capturing the full return on their AI
investment.

What the data shows

In a recent audit we conducted across a 136-person organization, the findings were consistent with what we see broadly:

• 83% of leaders reported limited or no visibility into what AI tools their teams were actively using
• 78% of one team had already shared customer data with AI platforms, including sensitive personal information carrying legal protection obligations
• 38% of technical staff had shared internal code or credentials with external AI services
• Not a single person, across any team, was aware of an AI policy governing any of this

Everything we learned of the organization before this audit suggested it was not negligent. It was a well-run company with capable leadership and an engaged workforce. The gap we detected in the data was likely a byproduct of the absence of infrastructure that would make this information visible, basically the systems in place that prevent non-intentional bad acting or counterproductive behaviors.

The fog employees are actually working in

When employees in our audits are given the opportunity to speak candidly and anonymously, what emerges is rarely a picture of deliberate circumvention. It is something more structurally significant: a widespread, low-level uncertainty about what is and is not sanctioned, combined with a working judgment that what they are doing is probably fine.

They are not confident they are in the clear. They are just not confident enough that they are not to stop.

This is the fog that most AI governance conversations miss. The policy debate tends to position the problem as a binary, as though employees either know the rules or they do not, when the more accurate picture is that most employees are making continuous, contextual, largely unarticulated judgments about acceptable risk, in the absence of clear organizational signals about where the line is. Those judgments are usually reasonable. They are also uncoordinated, and the aggregate of individually reasonable decisions can accumulate into significant organizational exposure that no one intended to create.

Why this is predictable, and how it produces shadow AI

The AI intelligence gap emerges from a set of organizational conditions, and the behavioral science here is fairly clear.

The first is what we think of as implicit governance, the organizational assumption, rarely stated but widely held, that experienced people will naturally catch problems, that good judgment will prevail, that the important things will surface. This assumption creates a permission vacuum. Nobody has said yes to a tool, but nobody has said no either, and in that vacuum people make their own calls. The vacuum actively shapes behavior, and the shape it produces is shadow AI, meaning individual, uncoordinated, legitimate-feeling adoption that accumulates without organizational visibility.

The second is the effort heuristic, the cognitive pattern by which we read polished, fluent, well-structured output as the product of genuine effort and sound reasoning. AI produces exactly this kind of output regardless of whether the underlying logic is correct. In practice this means employees are often trusting the output of tools they are not sure are approved, in ways that outpace their ability to verify it. Knowing that AI errors exist does not make you immune to this pattern.

The third is role drift, the gradual erosion of what human oversight actually looks like in practice. When AI handles the generation and a person handles the approval, the approval step migrates, over time and under volume, from substantive review toward a scan for obvious problems toward a signature. The control remains on the org chart. The scrutiny has moved elsewhere.

These three conditions describe why shadow AI is the near-inevitable outcome when capable organizations adopt AI without building the intelligence infrastructure to understand what adoption actually looks like on the ground.

What it actually costs

The AI intelligence gap tends to arrive in leadership conversations as a risk management problem, and it is one. It is also, in most cases, a larger opportunity problem than that framing has room for. There are three kinds of exposure worth naming explicitly.

The compliance exposure is the most legible. In the audit we referenced, the customer data shared with external AI platforms included information in protected categories under European data law, information for which the organization had a legal obligation it was, unknowingly, not meeting. The regulatory consequences of this kind of exposure are not abstract. They are significant, and they arrive after the fact, when the options for managing them have already narrowed considerably.

The strategic exposure is less visible but in many cases more costly. When leadership is making decisions about AI investment, policy, and organizational capability on the basis of an inaccurate picture of what is actually happening, those decisions are systematically disconnected from reality. The governance frameworks that get written do not match the practices that exist. The training that gets designed does not address the tools people are actually using. The returns that get projected do not account for the adoption that has already happened, unacknowledged, or the risk that has already accumulated, unmeasured.

The opportunity exposure is the one that tends to get missed entirely. Shadow AI, for all its governance risk, is also a signal, real-time and employee-generated, about where AI capability is creating genuine value inside the organization. The teams using unsanctioned tools are, in many cases, doing exactly what the organization hoped AI investment would enable. Without the infrastructure to surface that activity, organizations lose not just the governance benefit of visibility but the strategic benefit of knowing where their own AI capacity actually lives.

What a protocol failure looks like

Consider a scenario that is not unusual. A customer-facing team begins using an external AI tool to draft communications at scale. The outputs are good, the work is faster, and nothing obviously bad happens, so the practice spreads. Nobody flags it, because nobody has been asked to, and because the people doing it are not confident enough that it is a problem to make it one. Six weeks later, the organization publishes its AI governance framework, specifying that customer data should not leave internal systems without formal review. By the time that policy is published, the exposure has already accumulated. There is no log, no way to scope what moved and when, and no record of what decisions were made by whom. The policy, when it arrives, is reasonable. It is also six weeks late, and written against an imagined picture of AI use that does not match the one that actually
exists.

The protocol failure is in the sequence, not the intention.

Why good governance is an accelerant, not a brake

The preconditions for upside AI value are not immediately obvious. The organizations that are seeing a healthy and productive relationship with AI tend to share a characteristic that is easy to miss: their governance did its work before people started, rather than arriving as a correction afterward, which means controls were upstream of behavior, defaults were oriented toward safe conditions, and the risks had been designed out at the source rather than policed away afterward. Inside that boundary, people can move with genuine freedom and speed.

Governance designed around how people actually work, shaped around the behavioral conditions that produce shadow AI in the first place, removes the genuine friction points, clarifies the fog, and makes it possible to scale what is already working while containing what is not. Teams operating in gray areas become teams operating with explicit, well-supported permission to do what they were already doing. That is a meaningful shift in both the risk profile and the pace of adoption.

Closing the intelligence gap ahead of your competitors means you are positioned to move faster, with better information, not because you are the most cautious, but because you are the best informed.

What to do about it

The right first move is an honest assessment of what is actually happening. That means finding out, with specificity rather than assumption, what tools are in use and why, what data is moving and where, and where the pressure is concentrated enough that people have found their own solutions. It means treating that activity as the most accurate real-time signal available about where the organization’s AI capacity actually lives, and designing governance from that foundation rather than from an assumed picture of what AI adoption looks like.

From that foundation, governance becomes something you can design rather than perform. Controls can be built around how people work. And the intelligence gap, which is ultimately a gap in organizational self-knowledge, closes in a way that makes everything that follows more grounded.

About AdaptAI

AdaptAI works at the intersection of behavioral science and AI governance. We help organizations understand how people are actually using AI, and design governance, readiness, and adoption programs that work with human behavior rather than against it.

The findings in this brief are drawn from a real organizational assessment, anonymized and aggregated. The patterns are not unique to one organization. They are what we find, with consistency, when organizations invite honest scrutiny.