YOUR COMPANY IS USING AI YOU CAN'T SEE
In a lot of companies, someone is already pasting a client contract into an AI tool that never got vetted, with no bad intent, just trying to work faster. Maybe that is happening in yours, maybe it is not. The honest question is whether you could say for sure, and whether you would know what data went in before a customer or a regulator did.
That is the real shift, and it is easy to miss. The question is no longer whether to let your team use AI. They already are. The only real question is whether you can see what they are using and what it can reach. It is information asymmetry in its purest form.
Before I wrote this, I took a hard look at my own use of AI. The instinct came from ASL. On our biggest custom quotes there, we never let one person sign off alone, because in a room of the right people, someone always caught what a single person would miss. That was a manual review of a high-stakes call, and a discipline I trusted for years. I had just never pointed it at the AI I now rely on. Now I run a business of one, so I do know what my people are doing. Even so, I found more than I expected. The AI tools and the agents I have set up to work alongside me reach my calendars, my inbox, my CRM and my private notes.
The risk is contained, but only because there is one of me and I have put deliberate checks on what those tools can do and send on their own. That is the catch. Those controls exist mostly because there is only one of me. The moment you add people, every safeguard has to become deliberate instead of automatic. Your exposure is not really about the tools. It is about how many hands touch them and how little of it you can see.
WHY THIS IS NOW YOUR PROBLEM, NOT THE IT DEPARTMENT'S
When the board asks who is responsible for how AI is used in the business, there is one chair that question belongs to, and it is the one you are sitting in. Two-thirds of CIOs and CTOs already say they are held accountable for AI systems they do not fully control. If that is true for the people closest to the technology, it is doubly true for you.
The cost of the blind spot is no longer theoretical either. IBM's 2025 breach research found that one in five data breaches now involves shadow AI, tools adopted without the company's knowledge, and that 63% of breached organizations had no AI policy in place when it happened.
It gets sharper with agents. Much of this is still people typing into chatbots, where a human decides what to do with the answer. An agent acts on its own, moving data and taking steps without anyone checking each one. A contract pasted into a chatbot is one exposure. An agent doing that work unsupervised is a much larger one.
THE LAW IS STARTING TO REQUIRE IT
This is moving from a risk problem to a compliance one, closest to home first. In Quebec, Law 25 already requires you to disclose and explain any decision made only by automated processing, which you cannot do for a tool you do not know is running. In Ontario, as of this year, employers with 25 or more people must state in job postings when AI screens candidates, so you need to know whether any hiring tool you use does. If your work touches the United States or Europe, more applies, with disclosure rules in force in Texas, California, and the EU. The common thread is simple: you are increasingly required to know what AI is running in your business and what it touches. Which is exactly what the inventory gives you.
CONTROL IS THE ACCELERATOR, NOT THE BRAKE
Leaders often treat oversight as the thing that slows AI down, so they put it off, because the whole point of adopting AI was to move faster. That gets it backwards, and you already know why from every other system you run. You do not let people spend company money without a budget and call that freedom. The budget is what lets you spend with confidence.
It is the same logic as the ASL quote review, the right people checking a big call before it went out, and it is what governing your AI does now, aimed at a newer risk. The companies pulling ahead did not ban AI, and they did not let it run wild. They made it visible, then put their weight behind it. The early evidence is striking. In IBM's 2026 research, the companies that govern their AI most tightly are not the ones holding back. They run roughly 16 times more AI agents than the firms managing it by hand, and post operating margins about 18 points higher. Control and scale travel together, not against each other.
START WITH SIGHT, AND TAKE IT WIDER THAN YOU THINK
So before you add another tool, run an inventory. You do not need a finished policy first. If you do not have one, this is how you start building it. If you already do, this is what keeps it honest.
The mistake is to ask only about the tool you already know about, the ChatGPT or Copilot subscription that went through procurement. The AI that creates the most exposure is usually the AI nobody decided to buy. The browser extension someone installed last month. The features switched on inside software you already pay for. The notetaker quietly transcribing your client calls.
The details are where it gets real. Many AI notetakers automatically share the full transcript with everyone who was on the call the moment it ends, including the client across the table. If your team does not know that, confidential conversations are leaving the room without anyone deciding they should. Or take something as ordinary as email: are any of your departments using AI to draft customer emails, and is anyone reviewing them before they go out?
This is not about deciding what is right or wrong. A company can look at any of these and decide it is perfectly fine. The point is that you know the feature is on, you accept it on purpose, and you understand the parameters around it, instead of finding out after it has already caused a problem.
One thing to get right before you ask. The moment people sense an audit, they go quiet, and the tools you most need to see are the first to vanish from the conversation. How you set the tone is yours to judge. What works, in my experience, is saying up front that you are after visibility and no one is in trouble. People tell you the truth when the truth is safe to tell, and a half-honest inventory is worse than none, because it leaves you sure about a picture that is wrong.
So make it someone's job to know. Give whoever leads each part of your business three questions to answer for their team:
1. What AI is my team actually using, approved or not, including notetakers, plugins, and free tools nobody expensed?
2. What company data can each of them see, and where does it go after?
3. And if one of them mishandled our information, would I be the one who noticed?
That last question puts ownership where it belongs. Each manager owns the full picture for their people, not just the sanctioned app. You own it for the company. Nobody owns what nobody can see, which is exactly how things slip through.
The questions take about thirty minutes. Give it a week to collect the answers, then sit down with the leadership team to review them and make the calls. Most of what you find, you keep, and you write it down, so it is a decision instead of an accident. Some of it you put guardrails around. Some of it you might turn off.
That is the work, scaled to whatever size you are. A clear picture of what is running, and a deliberate call on each piece. Run it this week, and decide, on purpose, what to do with what you see.
---
Sources: IBM Cost of a Data Breach Report 2025 (with Ponemon Institute). IBM Institute for Business Value, 2026 Tech Leader Study. Regulation: Quebec Law 25, Ontario's 2026 job-posting AI disclosure requirement, the Texas Responsible AI Governance Act, California's AI Transparency Act, and the EU AI Act. All statuses verified June 13, 2026.
---
About the Author: Cole Dolny is the founder of 6S Advisory Inc. and a TEC Canada / Vistage Chair serving growth-minded business leaders. He works with CEOs and owners on leadership effectiveness, talent systems, decision-making, and building healthier, more profitable businesses. Confidential peer groups and trusted one-to-one advisory relationships can help leaders uncover blind spots, improve judgment, and reduce the isolation that often comes with leadership.