🗞️ In The News

• 🤖 ChatGPT Is Coming for Google's Lunch Money (And Your SEO Strategy) (VisualCapitalist)

• 🎯 Meta Just Made Your Facebook Ads About as Precise as a Blindfolded Dart Throw (Meta)

• ⚖️ Europe Decides Your Website Better Be Accessible or Prepare for Legal Pain (Europa.eu)

• 🍺 Gen Z Is Drinking Differently and Alcohol Brands Are Having an Existential Crisis (VogueBusiness)

💼 Case Studies: Case Closed

• 💰️ How One Simple Paywall Tweak Made 23% More People Open Their Wallets (Growth.Design)

• 🎭 Stop Being a Boring Brand: The Art of Actually Having a Personality (SEMrush)

• 🔮 Become a Trend Prophet: Spot Viral Content Before Everyone Else Ruins It (The AI Break)

🧰 You Won’t Blame These Tools

• 🕵️ HypeAuditor: Because Picking Influencers Based on "Vibes" Isn't a Strategy

• 📅 Lunacal: Turn Your Boring Booking Link Into a Sales Machine That Works While You Sleep

• 🎬 Guidde: Create Training Videos 11x Faster (Because Nobody Has Time for That)

THE NEWER AND WEIRDER LITTLE BROTHER 🧛‍♂️ 

If you’ve been in the game long enough to remember “Bring Your Own Device” panic or the Box vs. Dropbox vs. Sharepoint Wars of 2013, congratulations—you’ve seen this movie before.

Shadow IT snuck in because employees were sick of begging for a better way to do their jobs. And they found it, in the form of unsanctioned SaaS tools and browser extensions IT couldn’t block or kill fast enough.

Now we’ve got the sequel. And the stakes are higher.

Shadow AI is the same rebellious energy, but now it’s supercharged with vastly more power. This isn’t just about unauthorised tools exposing a potential hack—it’s about entire decisions, documents, and datasets being pumped into models like ChatGPT, Claude, or Mid-journey without a whisper to IT, compliance, or legal.

That slide deck you saw yesterday? There’s a 50/50 chance its first draft came from a tool your security team’s never heard of.

Estimates suggest more than 10,000 AI SaaS tools launched in 2024 alone 🚀.

The numbers don’t lie. In recent surveys, more than half of employees admitted hiding their AI usage from leadership. And those are just the ones willing to admit it.

Cybersecurity firms are seeing generative AI traffic spike even inside companies with explicit bans. This isn’t fringe anymore—it’s mainstream, silent, and entirely unmanaged.

Medium and large businesses have more to lose than most.

Crown-jewel data? Check. Sensitive customer info? Check.

Employees under pressure to do more with less? Also check.

You’ve got the scale, but you also have the exposure.

And the assumption that “our team wouldn’t do that” is the same one that let Shadow IT run wild a decade ago.

The problem isn’t that shadow AI is happening.

The problem is pretending it’s not.

Ignore it, and you risk leaks, fines, or being outpaced by faster-moving competitors.

Embrace it without structure, and you’ll trip into chaos. But manage it strategically—and you’ve got a front-row seat to the next productivity leap. One prompt at a time.

REBELLION BY DESIGN ✊ 

So we can all agree that deploying a ‘head in the sand’ strategy to Shadow AI is not an option. So how do we tackle this rebellion?

Well the first thing to do is to admit that while there is risk, the fact that it is happening is a good thing.

Your teams are keen to dive in and trial new technology to make their work better, faster and all the other Daft Punk things - this should be applauded.

Here’s a few realities to get your head around:

1. People Will Always Pick Tools That Work
Employees don’t wake up plotting data breaches—they just want to get stuff done. And when a consumer-grade AI tool writes emails faster, generates code cleaner, or summarises 50-slide decks in seconds, it doesn’t matter what the policy says. They’re going to use it.

Blocking access is like banning Post-it notes, because someone once wrote a password on one. You’ll win the battle, but lose the war on innovation.

Real story: A large (un-named) retail brand banned ChatGPT on company machines. Within two weeks, 60% of the marketing team were using it on their phones or home laptops—still feeding it customer insights and campaign copy. Security theatre, meet productivity reality.

2. AI Is a Gateway to Strategic Data Risk
It’s not just speed—it’s spill. Sensitive info gets copied, pasted, and casually lobbed into AI models that weren’t designed to keep secrets. How the information provided to an LLM is regurgitated and re-shared is still a complete mystery to even the inventors of these tools. Wether it’s pricing strategies, client contracts, unreleased product specs… all potentially retrainable, reviewable, or accidentally exposed.

3. Shadow AI = Prototype Engine
These rogue tools aren’t just risky—they’re revealing. The most common use cases? Repetitive workflows that are begging for automation. If employees are using AI to rewrite FAQs, prep slide decks, or triage customer emails, that’s not rebellion—it’s a flashing arrow saying “this task is ready for a bot.”

4. Formalising Shadow AI Doesn’t Mean Killing It
You don’t have to shut it down. You just have to redirect it.

There are proven, private ways to build role-specific, secure chatbots that keep all data in-house—no public APIs, no prompt leaks. Using architectures like Snowflake Cortex or self-hosted LLMs, companies can give teams their own AI tools trained on internal data and backed by audit logs. Same power, none of the panic.

This isn’t about stopping prompts. It’s about owning and unleashing them.

HOW TO RUN YOUR OWN SHOP LIKE SAM A. 🏢 

It’s not about stopping employees from using AI tools. That ship has sailed. The opportunity is to formalise and direct that innovative impulse into secure, value-creating workflows—without stifling the initiative that led them there in the first place.

Here’s a practical, five-step framework to turn uncontrolled shadow AI into structured, secure, and productive AI adoption.

Step 1: Gain Visibility Into Current Usage

Goal: Understand what AI tools are being used, by whom, and for what purpose. It’s a shame many team members won’t readily share with you what they’re using - but that’s a post for another time. Right now you need to see what’s going on.

How to do it:

• Use tools like Cyberhaven, Netskope, or Microsoft Defender to monitor generative AI traffic.

• Set up endpoint logging to detect usage of known AI domains (e.g. openai.com, anthropic.com).

• Interview key departments (marketing, sales, product) about how AI tools are being used informally. This might be tough at first, but by creating an open dialogue and providing a safe space to share welcomed innovation, you can hear directly from the team on what they’re trying to achieve.

Outcome: A clear view of your organisation’s shadow AI footprint—who’s using what, how often, and for which types of tasks.

Step 2: Deploy Secure, Role-Specific AI Interfaces

Goal: Provide officially sanctioned AI tools that meet employee needs while protecting business data.

Options to deploy:

• Option A: OpenAI Teams or Enterprise

  • Quickest path to secure access to LLMs with admin controls.

  • Offers prompt history, usage monitoring, and enterprise-level privacy.

• Option B: Snowflake + Cortex + Streamlit (for existing Snowflake users)

  • Private, internal chatbots trained on highly sensitive organisational data.

  • Medium complexity to deploy with strong governance built-in.

• Option C: Open-source LLMs + RAG Stack (e.g. Llama 3 + pgvector)

  • Full customisability and data sovereignty.

  • Requires more DevOps and ML engineering support.

Best practice:
Create separate chat interfaces for different roles (e.g., “Sales Bot,” “HR Assistant”) trained only on relevant internal data. Limit access to public LLMs for low-risk, non-confidential queries.

Outcome: Employees get tailored, secure AI assistants aligned to their actual workflows—reducing the need to “go rogue.”

Step 3: Start With the Departments Already Using AI

Goal: Prioritise deployment where the ROI and need are highest.

How to choose:

• Look for “power users” in marketing, sales, support, and product.

• Identify repetitive, language-heavy tasks already being AI-assisted.

• Invite those teams to co-design their AI tools and interfaces.

Why it works:
These teams already see value in AI. By formalising their use cases first, you capture early wins, refine governance, and create internal champions to support wider rollout.

Outcome: Faster time to impact, with less resistance and more real-world validation.

Step 4: Integrate Feedback Loops From Day One

Goal: Continuously improve AI outputs and track adoption quality.

How to implement:

• Use thumbs up/down or star ratings to AI-generated outputs.

• Log and review flagged queries or low-quality results.

• Allow users to submit corrections, suggestions, or rephrased versions.

• Put regular time in the diary to run open feedback forums on the toolset.

Use feedback to:

• Tune prompt templates or update RAG pipelines.

• Adjust internal training materials and bot responses.

• Escalate low-performing outputs to human reviewers where needed.

Outcome: AI systems that get smarter with usage—and users who feel heard and supported.

Step 5: Write Your AI Usage Policy Last, Not First

Goal: Create practical, enforceable guidelines based on actual usage—not theoretical fears.

What to include:

• Approved tools and interfaces by use case or role.

• Clear red lines (e.g., no confidential data in public tools).

• Data handling principles, storage locations, and access controls.

• Acceptable prompt practices (“prompt hygiene”) and real examples.

Support it with:

• Micro-learning modules or onboarding videos.

• FAQs that reflect real scenarios from your organisation.

• A lightweight escalation path for uncertain use cases.

Outcome: A policy that supports productive use, reduces risk, and actually gets followed—because it was built after understanding how people already work.

CAN YOU AFFORD NOT TO? 😬 

Let’s address the elephant in the boardroom: “What if something goes wrong?”

It’s a fair concern. Shadow AI use raises legitimate risks like data exposure, copyright violations, biased outputs, regulatory fines. And if legal or compliance teams aren’t already worried, they will be.

But here’s the harder truth: doing nothing doesn’t protect you. It just ensures the risk is invisible and unmanaged.

Your team is already using generative AI. Right now.

They're not trying to be malicious. They’re trying to be more effective. And the longer this behaviour stays in the shadows, the greater your exposure to unmonitored leaks, incorrect information, or poor decisions made with invisible tools.

Tools like OpenAI Enterprise, Snowflake Cortex, and private LLM stacks exist specifically to provide guardrails. You can ensure data stays inside your infrastructure, prompt logs are auditable, and employee usage is observable, not secretive. With the right architecture, you can meet privacy standards, pass audits, and build institutional knowledge while avoiding consumer-grade chaos.

And you don’t need perfection to begin. Start with non-sensitive workflows—like automating first drafts of internal reports, summarising meetings, or handling FAQs. Measure the impact. Tune the experience. Learn from feedback. Then scale.

Every “no” to formal AI adoption is a “yes” to unstructured risk.

The Silent Shame of Using AI

One of the most corrosive forces in all this? The quiet shame.
There’s still a sense—often unspoken—that using AI at work is cheating. That it’s lazy. That it undermines craft or quality.

And that’s partly the fault of leadership *gulp*

When organisations issue vague warnings about AI risk without providing real alternatives, they don’t just block productivity, they reinforce the idea that AI is dangerous or taboo.

They push people to hide their usage, strip away accountability, and stigmatise experimentation.

This has to change.

Generative AI is not going away. It’s no more a trend, than the internet was in the 90’s. It’s not optional. It’s now a fundamental layer of modern knowledge work, like search, spreadsheets, or email.

And while it will always require human oversight, refinement, and domain expertise, the efficiency and cognitive leverage it provides is too powerful to ignore.

The challenge now is not how to prevent shadow AI. It’s how to convert it into secure, smart, and officially supported workflows that make your people better at what they do.

Start by seeing shadow usage not as a threat, but as insight.

Wherever employees are using AI unofficially, they’re pointing to a broken or manual process begging to be automated. Use that signal. Don’t punish it—build on it.

Using the steps laid out previously, deploy private, role-specific tools.

Design systems that learn from feedback. Train your team on what good usage looks like. And then, yes, write the policy - but only after the system is working.

A FINAL WORD ✅ 

The rebellion’s already here. Your team is experimenting, prompting, and iterating—whether you sanction it or not.

You have two choices:
Ignore it, and inherit the risk.
Or lead it, and capture the upside.

If you do it right, shadow AI won’t be a liability. It’ll be the most honest, revealing, and cost-effective transformation engine your business has ever seen.

The only question now is: will you wait for your competitors to make it safe, or get there first and make it work for you?

If you enjoyed this edition, please forward it to a friend who’s looking to sort out their AI situation - they’ll love you for it (and I will too) ⏭️ 💌

PS. When you’re ready here’s how I can help you:

1. Fractional CXO services: Need a top strategic product, marketing and digital transformation mind to grow your brand, but don’t want the hefty price tag? Fractional CXO services allow you to start growing revenue, before your grow your people costs. Limited slots available.

2. Events and Conference Host: Don’t get the guy who last week was MC’ing a carpet industry conference. If you’re in marketing, CX or digital I can help make your conference a memorable delight for your attendees.

Troy Muir | The Ladder