You might be more exposed than you think.
A manager pastes a draft client email into ChatGPT to make it read better. A salesperson drops a pricing sheet into Gemini to build a comparison table. A paralegal puts a contract clause into Claude for a plain-English summary.
All three are trying to do a good job. All three have just moved company data — some of it almost certainly personal data — into a tenancy nobody in the organisation controls. And none of them are going to mention it.
The question the organisation can't currently answer is: where did any of it go?
Most organisations we talk to don't know which AI tools their staff are using this week. They know some people use ChatGPT. Beyond that, it's guesswork. That's the starting point for most of these conversations, and it's more common than it should be.
It keeps happening because of three comfortable beliefs, and all three are wrong.
The first is that there's an AI policy. There usually is. It's usually a PDF written before GPT-4, silent on the fifty new AI tools that shipped last quarter, and read by nobody. A policy isn't a control. It's evidence of awareness, which tightens your accountability posture later without changing what's happening now.
The second is that the staff are sensible. They are. Sensible people also paste things into AI tools when the shortcut is too good to resist — especially when nobody is looking, and nobody has told them not to, and the output genuinely is useful.
The third is that IT would have blocked it. They can't block what they can't see, and most tenancies have no visibility into which AI apps staff are actually using. For the many organisations whose IT is an outsourced provider, the generative-AI governance conversation often sits above the BAU waterline — patching, backups, support and baseline security are a big job done well, and the AI-app catalogue is newer than most MSP runbooks. That's not a failing; it just means the conversation doesn't start unless someone on the inside raises it.
The things you can't see right now are fairly specific. Which AI apps your staff opened this week. Which of them have been granted tenant-level OAuth permissions through a casual "sign in with Microsoft" at some point in the last year. How much labelled or labellable data has left the tenancy through a browser paste. And — once it's left — where it ended up when the summariser was done with it. Most organisations can't answer any of those four questions today, which means they can't answer the question underneath them: what, if anything, has actually leaked?
Ignorance is exposure
Here's where the stakes harden, because this stops being an operational housekeeping problem the moment personal data is involved — and personal data is involved more often than people think.
Two problems sit underneath that. One is Art. 6 of the UK GDPR — the lawful-basis requirement. The other is Art. 28 — the sub-processor obligation. Your clients agreed to the sub-processors on your DPA. They did not agree to OpenAI, Anthropic or Google being added to that chain by a staff member at three o'clock on a Tuesday afternoon. That's a breach of your contractual chain with your clients before it's anything else.
It's also almost always an international transfer. Most consumer AI runs on US infrastructure. Without standard contractual clauses, a transfer impact assessment and adequate safeguards, the transfer itself is questionable under Art. 44 onwards. And the tier matters more than most people realise: free and paid ChatGPT, Claude and Gemini can use your prompts for training by default on consumer plans. The enterprise tiers — ChatGPT Team and Enterprise, Claude for Work, Gemini Enterprise — don't, and ship with proper data-processing agreements. If your staff are on personal accounts, your client data may already be in a training set you have no way to reach.
Then there's the cascade. Individual rights — access under Art. 15, erasure under Art. 17, portability under Art. 20 — become extremely hard to honour once personal data is in a consumer LLM. The unauthorised disclosure of personal data is a breach under Art. 4(12), which starts a 72-hour notification clock under Art. 33 the moment a senior person becomes aware — which is often the moment they read something like this. And under Art. 35, adopting AI triggers a DPIA requirement, which the ICO's generative-AI guidance is explicit about. The hub is public and quotable. "We didn't realise AI counted" has stopped being a defence.
None of this is a reason to stop using AI. It's a reason to know what you're doing with it — the value still lives in the boring joined-up work, but now it lives inside a tenancy you can defend.
Which is why "just ban it" doesn't work. Blanket bans push use onto personal devices, personal accounts and off-corp networks. The shadow gets deeper, not thinner, and the staff most willing to find a way round the policy are often the ones doing the most valuable work.
The defensible answer isn't prohibition. It's visibility plus selective control: you can see which AI apps staff are using — by telemetry, not by survey. You can tell the difference between "useful and safe" and "useful and dangerous" at the policy layer, on an app-by-app basis. Labelled content doesn't leave the tenancy without someone signing for it. OAuth consents are reviewed on a schedule, not granted forever. And there's an audit trail you can hand to a regulator, a client or a board when the question comes.
The controls scale to you
That shape is the same for everyone. How you deliver it isn't.
If you're a sole practitioner or a small team of up to ten people, you are your own IT. The fix is procurement, not architecture. Pay for enterprise-tier AI with a real DPA — ChatGPT Team or Enterprise, Claude for Work, Gemini Enterprise. Verify the training opt-outs in writing. Keep a one-page register of which tools your practice uses for what. That isn't a heavy lift, and it moves you from "we didn't know" to "here's our position" in an afternoon.
If you're a small firm with an outsourced IT provider, raise this with them. The test isn't whether they deploy a governance tandem tomorrow. It's whether they can name Microsoft Purview and Defender for Cloud Apps, tell you what each one does, and say which Microsoft 365 licence tier unlocks session-layer policy. If the answer is a blank look, that's not a failure on their part — it's a signal that the conversation needs to happen, and that you need someone alongside your provider who's already in it.
If you're mid-market on Microsoft 365, the tandem is directly applicable. Purview classifies your data; Defender for Cloud Apps decides where it's allowed to go and which AI apps it's allowed near. The AI security perimeter page on this site lays out the shape in full.
If you're enterprise, the gap usually isn't awareness — it's cadence. DPIA cycles, Art. 30 records kept current, a tuning loop on the generative-AI app catalogue as new tools appear, and a regulator-ready audit trail that doesn't need someone to rebuild it from scratch every quarter.
The questions are universal. Only the controls scale.
There are three things you can do this week that don't require buying anything. Ask your IT provider for a list of the SaaS AI apps seen on your network in the last thirty days — even the attempt to produce it will reveal where the blind spot is. Ask whoever owns your Microsoft tenancy whether any sensitivity labels are propagating into Defender for Cloud Apps session policies; if the answer is "what session policies?", you've already learned something. And resist the urge to publish a new AI policy before you've done either of those, because a policy written from ignorance is worse than no policy at all.
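One way to build that thirty-day list from web proxy or DNS logs, as an added example that is not part of the original article. The log format, the sample lines and the four-entry domain catalogue are assumptions made for illustration; a real catalogue is much longer and needs regular upkeep.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed catalogue of consumer AI front ends (illustrative, not exhaustive).
AI_APP_DOMAINS = {"chatgpt.com": "ChatGPT", "chat.openai.com": "ChatGPT",
                  "claude.ai": "Claude", "gemini.google.com": "Gemini"}

# Constructed sample log, format assumed: "<ISO timestamp> <user> <hostname>"
SAMPLE_LOG = """\
2025-03-01T09:12:44 alice chatgpt.com
2025-03-02T14:03:10 bob gemini.google.com
2025-03-10T11:30:02 carol CLAUDE.AI.
2025-03-11T08:00:00 alice files.chatgpt.com
2025-01-15T10:00:00 dave claude.ai
malformed line without fields
2025-03-12T16:45:00 bob notchatgpt.com
"""

def match_app(host):
    """Return the app name if host is a catalogue domain or a subdomain of one."""
    host = host.lower().rstrip(".")  # normalise case and a trailing DNS root dot
    for domain, app in AI_APP_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return app
    return None

def ai_app_inventory(log_text, now, days=30):
    """Per-app users, hit count and last-seen time inside the window."""
    cutoff = now - timedelta(days=days)
    seen = defaultdict(lambda: {"users": set(), "hits": 0, "last_seen": cutoff})
    skipped = 0
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts, user, host = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except (IndexError, ValueError):
            skipped += 1  # count unparseable lines so telemetry gaps stay visible
            continue
        app = match_app(host)
        if app and cutoff <= ts <= now:
            seen[app]["users"].add(user)
            seen[app]["hits"] += 1
            seen[app]["last_seen"] = max(seen[app]["last_seen"], ts)
    return dict(seen), skipped

if __name__ == "__main__":
    inventory, skipped = ai_app_inventory(SAMPLE_LOG, now=datetime(2025, 3, 15))
    for app, e in sorted(inventory.items()):
        print(app, e["hits"], sorted(e["users"]), e["last_seen"].isoformat())
```

The suffix match is anchored on a dot so that a look-alike such as `notchatgpt.com` is not counted, and the skipped-line count shows how much of the log could not be read at all.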
We're not outside this. We run our own business, and we've had to do this work on ourselves first — which is partly why we find ourselves having the same conversation with other organisations a week later.
"We didn't know" is the answer that's getting organisations into the most trouble right now. Better to find out first, while the only person asking the question is you.
Pick the card that fits you.
Staff in every organisation are pasting client data, pricing sheets and draft emails into consumer ChatGPT, Claude and Gemini. The business can't see it happening — and under UK GDPR, that's exposure before it's anything else. What to do next depends on your size.
- 01 · Sole practitioner · 1–10
  Buy enterprise-tier AI and keep a register.
  You don't have IT to deploy controls. Procurement is the lever you do have.
  - Move off free and personal ChatGPT, Claude and Gemini — the consumer tiers can train on your prompts by default and don't ship with a data-processing agreement.
  - Pay for ChatGPT Team or Enterprise, Claude for Work or Gemini Enterprise — all come with proper DPAs and training opt-outs written in.
  - Keep a one-page register of which AI tools you use, for what, and whether they see client data.
  Good looks like: “We know which AI tools we use, for what, and where the data goes.”
- 02 · Small firm · 10–50, outsourced IT
  Test whether your IT provider is in this conversation.
  Your provider keeps the lights on. Generative-AI governance is newer than most MSP runbooks.
  - Ask them for the list of SaaS AI apps seen on your network in the last thirty days — producing it reveals where the blind spot is.
  - Ask whether they can name Microsoft Purview and Defender for Cloud Apps, and say what each one does.
  - If the answer is a blank look, bring in someone who can engage alongside them — not replace them.
  Good looks like: “Our IT provider is having the AI governance conversation with us, not avoiding it.”
- 03 · Mid-market · 50–500, Microsoft 365
  Turn on Purview and Defender for Cloud Apps.
  You already pay for the controls that stop labelled data being pasted into ChatGPT. Most tenancies haven't configured them.
  - Classify your sensitive data with Microsoft Purview so the sensitivity label travels with the file.
  - Use Defender for Cloud Apps session policies to block labelled content from upload to unsanctioned AI tools in a browser tab.
  - Start with a readiness review — licence tier and configuration gap first, before buying anything new.
  Good looks like: “Sensitivity-labelled content can't leave our tenancy without a signature.”
- 04 · Enterprise · 500+
  Move from one-off controls to a running programme.
  You already know about shadow AI. The gap is cadence, not awareness.
  - Keep your DPIA and Art. 30 records current, not rebuilt from scratch every year.
  - Run a tuning loop on the generative-AI app catalogue as new tools ship.
  - Maintain a regulator-ready audit trail that doesn't need reassembling under deadline.
  Good looks like: “Our audit trail would survive a regulator asking tomorrow.”
