Shadow AI in the SMB: the risks and how to solve it

11 May 2026

Half your team has already tried it

Three weeks ago you would have said that nobody on your team uses AI for client work. Until last Thursday, when you happened to overhear a colleague mention that Claude works fine for drafting quotation letters. One remark. That is where it lives.

Shadow AI is a term you did not coin yourself but that now floats around daily. It describes the pattern in which employees use AI tools to get their work done faster, outside policy and without management or IT being involved. At a marketing agency it is mostly annoying. At a professional-services firm handling client data, it is something else.

What the numbers show

The AI & Digital Marketing Trends 2026 report from Beeckestijn Business School shows that roughly half of Dutch employees use AI at work without always reporting it, and that roughly half of Dutch organisations have no formal AI policy. The report notes a sharp rise in AI use by employees within organisations, from 48 percent in 2024 to 62 percent in 2025. An important nuance: this study covers Dutch employees in the broad sense, not professional services specifically. You will probably recognise the pattern all the same.

The common thread in the report: AI use is growing faster than policy and faster than oversight. Two movements that never quite catch up with each other.

Why it weighs more heavily in your case

In an online retail business, a ChatGPT prompt with product descriptions sits at a 4 on a scale of 1 to 10. In a mortgage firm, the same prompt with a client file sits at a 9. Not because ChatGPT has gotten worse, but because the data you process every day is fundamentally more sensitive.

Think concretely. An insurance adviser simplifying a claim description for an internal note. An estate agent having a valuation report summarised. An accountant having a general-ledger overview structured by an AI. A security firm wanting to write up an incident report more smoothly. In all those examples, personal or business-sensitive data goes through a prompt into a tool you have no data-processing agreement with.

That is not an AI experiment. That is a data breach with a formal reporting obligation.

Why a ban backfires

The natural reaction of an owner-director hearing this for the first time is an email to the team stating that, from now on, AI may no longer be used on client data. That does not solve the problem. It relocates it.

Your team uses AI because the work goes faster. That is not disobedience, it is common sense. A ban does not mean your employees stop, it means they hide it more carefully. You lose visibility, not the usage. And at the same time you lose the productivity you were just as happy about.

The three things that do work

First, take stock. Which AI tools are running at your firm right now, official and unofficial. Not as an interrogation, just as a baseline. People usually answer honestly when they are not punished for it. That list is rarely the list you expected.

Second, a short guideline on paper. Not a 40-page policy, just two pages that say where AI is allowed (draft texts, summaries of public sources, internal brainstorming) and where it never is (client files, financial data, personal data, claims). Everyone reads that. Nobody reads a 40-page AI policy.

Third, an official layer where AI works in your context. Not as a ban on the public tools, but as a better alternative. AI that is allowed to work on your client data because the right data-processing agreement and data transport are in place. Integrated with your systems. With logging, role assignment and rules per data type. Then the creeping usage stops on its own, because the official route is faster than the unofficial one.

What an AIOS does here

That official layer is what we call an AIOS, an AI Operating System that sits on top of your existing systems. It works with your CRM, your case folders, your accounting, your communication stack. It makes sure AI works on data you know the location of, with the rules you have set. An employee no longer needs to go to ChatGPT to summarise a file faster, because the official environment already does that, in your context, on your data.

That sounds big. It starts small. One process, one use case, one integration. From there it grows toward the next.

An honest set of expectations

You do not solve this with an off-the-shelf tool. An AI policy alone does not change the behaviour. You do not build an AIOS in a week. The order is: know what is running, rules on paper, give the first use case an official route, then expand. No revolution, but structure. With that structure, AI that works in your field becomes a factual description instead of a promise.

The first step

In the AI audit we map, per department, which tools are running unofficially, what risks come with them, and which three use cases save the most time once you make them official. Fourteen days from the interview day, a fixed price, a report with clear priorities and a follow-up proposal.

After the audit you know where the ship is leaking and which way the wind is blowing. Two things you do not currently have in one place.
