AI at Work: Why Habits Cause More Risk Than Hackers

Employees are already using AI at work. The harder truth is that 57% of them are concealing it from their employers, according to KPMG and the University of Melbourne's 2025 global study on trust in AI.

That gap between what's really happening on a team and what leadership thinks is happening is where almost every preventable AI incident now begins.

After years of working with organizations on human risk in cybersecurity, I've noticed a pattern: the biggest AI risks rarely look like the ones leadership prepares for. The risk isn't usually a sophisticated attacker. It's a well-meaning employee, on a tight deadline, pasting the wrong thing into the wrong tool.

In Canada, IBM's 2025 study on shadow AI found that 79% of office workers now use AI tools at work, but only one in four use enterprise approved AI solutions. Adoption is racing ahead of governance, and the gap is widest in small and mid-sized businesses.

The good news: most AI mistakes are habit-based, which means they're also fixable.

The Everyday Mistakes That Cause The Most Damage

The patterns are mundane.

Someone copy-pastes an internal document into a public AI tool to tighten the wording. It might be a customer complaint, a draft proposal, or meeting notes.

Someone uploads an entire spreadsheet when one paragraph would have answered the question.

Someone assumes every AI tool offers the same privacy protections, not realizing the difference between an approved enterprise platform and the public version of the same brand. The public version of ChatGPT and an enterprise ChatGPT deployment, for example, handle uploaded data very differently: one may train on it, the other typically does not.

Underneath all of it sits deadline pressure. KPMG Canada's Generative AI Adoption Index found that users save one to five hours per week with AI. That time savings is real, and it's exactly why caution loses to convenience in the moment.

What “Sensitive” Actually Looks Like At Work

Sensitive data usually brings to mind passwords, banking details, or health records. But the riskiest information in most businesses is the kind that looks ordinary:

Customer names, emails, and addresses; pricing proposals and quotes; HR conversations and feedback; sales pipeline notes; financial forecasts; legal drafts and contracts; source code and product roadmaps.

Globally, nearly half of employees have uploaded company data into public AI tools, often as part of routine work (KPMG/University of Melbourne, 2025). For Quebec businesses operating under Law 25, the stakes are concrete: every uploaded customer record is a potential compliance issue.

None of these data points feels dramatic in isolation. Together, they reveal how a company operates, who its customers are, and where its weaknesses lie.

What This Looks Like Inside A Small Business

Picture a 20-person eCommerce retailer. The customer service manager is buried in refund tickets. To move faster, she uploads a spreadsheet into a public AI tool and asks it to surface refund trends and draft response templates.

The file contains customer names, addresses, order values, purchase history, and complaint notes. The incident leaves no trace: no alert, no breach, no audit trail.

But sensitive customer data has now left the company's environment, and leadership will likely never know.

What could she have done instead?

A few small adjustments would have eliminated the risk: strip the names and addresses before uploading, share only the columns relevant to the question, and use the company’s approved AI platform rather than a public one.

Do not put regulated, customer, HR, financial, legal, or proprietary data into public tools. If a public tool is unavoidable, minimize, anonymize, and use settings only as an extra safeguard.

The job still gets done in 20 minutes. The data stays inside the business.

A Practical Framework You Can Start Tomorrow

You don’t need a formal program to dramatically reduce AI risk. You need three habits and one reflex.

1. Strip identifiers first.

Remove names, account numbers, addresses, and confidential references before any prompt.

2. Share less, ask better.

Instead of uploading a full file, ask a narrower question with a relevant excerpt. The quality of the AI’s output usually improves as a result. For example, instead of uploading an entire contract and asking, “Can you review this?”, paste only the relevant clause and ask, “Can you summarize the renewal terms in this paragraph?”

3. Default to approved tools.

If your company has an internal or sanctioned AI platform, start there. If it doesn’t, that’s a leadership conversation worth having this quarter.

The reflex that ties them together is a single question, asked silently before clicking send: Would I be comfortable emailing this exact content to an outside third party?

If the answer is no, rewrite the prompt or stop. That one pause prevents more incidents than any technical control.

A One-Page AI Policy is Enough

Small businesses don’t need a 20-page document. They need a one-page guide people will actually read. A useful starting point covers allowed uses, restricted uses, approved tools, human review, and escalation.

Allowed uses: drafting, brainstorming, and summarizing non-sensitive material. Restricted uses: customer data, HR files, financial records, contracts, credentials, and proprietary code. Approved tools should be named explicitly. AI output should be reviewed before it is sent or published. The guide should also name the person to ask when someone is unsure.

If a policy is too complex, it gets ignored. If it fits on one page, it gets used.

The Culture Piece Most Companies Miss

Policy and tools matter, but culture decides what really happens. When employees fear blame, they hide their AI use. Behind the 57% concealment rate sits unclear leadership. Teams that thank people for asking “is this okay to use?” learn about issues early.

AI literacy is becoming as fundamental as learning to use the internet 20 years ago. The organizations that build these habits now, before an incident forces the conversation, will not just be safer. They will be faster, and they will keep the trust of their customers.

Tools can support these habits at scale, but they cannot replace them. The priority is still to build clear behaviours around what people share, check, and approve when using AI.

In a follow-up piece, we’ll look at AI agents, where the same principles apply, but the risks and consequences become much larger.

Sanitized AI is a security platform that helps organizations adopt AI tools safely by flagging and redacting sensitive content before it leaves the company environment.