Safe use of AI in companies: how to speed up work and not lose control over data

Why AI is no longer just a technological novelty, but a topic of security, compliance and risk management in companies 

What risks the uncontrolled use of AI tools brings and why companies are increasingly struggling with the phenomenon of shadow AI 

How to prepare an organization for the AI Act and set up a safe, auditable and demonstrable use of AI 

Artificial intelligence is no longer just a technological experiment. Employees use it when writing emails, summarizing documents, preparing offers, translating contracts and working with data. This creates a new opportunity for companies to speed up their work, but also a new risk: sensitive content can go outside the controlled environment, AI outputs can be inaccurate, and the use of tools is often not provable. Therefore, the goal is not to ban AI. The goal is to get it into safe, controlled and auditable operation. 
 

AI is already in the company. You just don't see it often. 

Generative AI has one crucial feature that sets it apart from many previous technological changes: a very low barrier to use. An employee doesn't need a big project, budget, or formal implementation. All you need is a web service, a browser add-on, or a feature built into a tool you're already using. 

AI can now be found in personal assistants such as ChatGPT, Copilot or Gemini, but also directly in common corporate applications. It can be part of an email, office suite, CRM, HR system, customer support, marketing tools, or analytics. In addition, agent-based AI is also rapidly emerging, which not only responds, but can schedule tasks, call APIs, run processes, and act within a specified goal. 

For the company's management, this leads to a simple conclusion: the question is no longer whether you encounter AI in the company. The question is whether you know where, with what data, for what purpose and under whose responsibility. 
 

The greatest risk often arises from good intentions 

Most of the problems around AI do not arise because employees want to harm the company. Often the motivation is the opposite: they want to be faster and more efficient. A salesperson wants to improve the offer, HR wants to compare CVs, a lawyer wants to shorten a contract, a project manager wants to summarize the minutes of a meeting, and a developer wants to check part of the code. 

The risk arises when content is inserted into an AI tool that the company does not control. This can include personal data, client documents, internal emails, trade secrets, pricing models, source code or internal methodologies. The employee sped up the work, but the company lost track of where the data went, who processed it, whether it was stored, whether it was used to improve the model, and whether the use was in compliance with contractual and regulatory obligations. 

A rule of thumb for everyday use is: what you wouldn't send to an unknown supplier via email, don't put in an unapproved AI tool. 
 

RULE OF PRACTICE
What you wouldn't send to an unknown supplier by email, don't put in an unapproved AI tool. 

 

Shadow AI: a problem that does not report itself 

One of the most common risks is the so-called shadow AI, i.e. the use of AI tools outside the company's oversight. In practice, these can be public chatbots, translators, text generators, document tools, or AI features built into apps that have not been formally approved. 

The problem is that shadow AI does not report itself. The company often does not know how many tools employees actually use, what documents they put into them and whether there is a contractual or technical control. There is a lack of inventory, logs, approvals, retention rules, supplier assessment and proof that the use was safe. 

A blanket ban on AI usually does not work in the long run. The need for efficiency will not disappear, it will just move out of official supervision. A better way is to offer approved tools, clear rules, training, a process for new use-cases, and technical boundaries to help people use AI safely. 
 

AI Act: inventory and classification first, then obligations 

The European AI Act builds on a risky approach. It is not true that every use of AI has the same administrative burden. The specific purpose of use, the type of data, the impact on people and the roles of the organization are decisive. The same tool can be low-risk for internal brainstorming, but sensitive or high-risk in HR, employee evaluation, credit scoring, or when making decisions about access to services. 

Therefore, the first step is not to write a long directive. The first step is to inventory AI systems and use-cases: what tools the company uses, who owns them, what data enters them, who sees the outputs, whether the output affects customers or employees, and what the role of the organization is. Only then can the risk category be assessed and specific obligations assigned. 

The AI Act is being applied gradually. However, it is already advisable to build the foundation: inventory, classification, AI literacy, internal rules, approval processes, supplier control, logging and evidence trail. These elements cannot be created well within one week before the audit. 

 

AI governance meets cybersecurity, GDPR and customer requirements 

In practice, companies do not deal with just one regulation. AI governance is intertwined with personal data protection, cybersecurity, supplier management, internal audit, and customer contractual requirements. In addition to the AI Act, we therefore often get to GDPR, NIS2/ZKB, DORA, NIST CSF, ISO 27001 or SOC 2. 

This shift is important: compliance is no longer just a defense against fines. It becomes part of business trust. Clients, groups, auditors, and security teams will increasingly ask: What AI tools do you use? Do you process personal data? Do you have an AI policy? How do you train employees? How do you assess suppliers? Can you prove that the data isn't being used to train the model? 

Those who can answer these questions in a structured and demonstrable way gain an advantage. Those who look for answers only during an audit or customer questionnaire usually find that they lack not only documentation, but mainly evidence. 

 

What every company that wants to use AI safely should have 

The foundation of trustworthy AI is not complex, but it must be connected. A directive alone is not enough. Training without checks is also not enough. And inspections without evidence are not auditable. 

The first element is AI policy: short and easy-to-understand rules that say what tools are allowed, what data doesn't belong in them, who approves new use, and when human oversight is required. The second element is AI literacy, i.e. practical training of employees. People need to know what AI can do, what it can't do, why it can hallucinate, and when it can't use the output without verification. 

The third element is technical boundaries: approved tools, enterprise licenses, DLP rules, sensitivity labels, access control, MFA, monitoring, audit logs, and secure tenant settings. The fourth element is vendor due diligence, i.e. checking suppliers in terms of data, subcontractors, incidents, model training, and audit rights. 
 

Where AI companies typically start 

Good first AI projects are not the biggest and riskiest. The best pilot usually solves a small, specific, and measurable problem. It has a clear owner, available data, reasonable risk, quick feedback and a person who verifies the output. 

In practice, companies often take one of several paths. The first is an internal knowledge assistant that searches for guidelines, manuals, internal know-how and FAQs. The second area is documents and administration: summaries of meetings, preparation of documents, research, comparison of versions or e-mail drafts. The third area is customer support, such as ticket sorting, response suggestions, or request routing. 

Other suitable areas are back-office and finance, HR and internal service, or compliance and audit records. It is important to start where AI designs and a human approves. Only after verifying the benefits and risks does it make sense to add a higher degree of automation or agent-based behavior. 
 

The most common mistakes when using AI in companies 

Very similar mistakes are repeated in practice. The company does not have a central inventory of AI tools and use-cases. AI is only addressed as an IT topic, even though it affects GDPR, contracts, HR, security, audit, business communication, and reputation. The directive does exist, but employees do not know it or do not know how to apply it in a specific situation. 

Another common mistake is the lack of human verification. AI outputs are taken over because they look professional, not because they have been verified. Suppliers are not assessed from the perspective of AI and data risks. Logs, DPIA, approvals, training, and audit trail are missing. And the wait-and-see strategy is also very common: the company waits for regulation instead of starting to prepare the system today. 

A simple self-check is: do we know how many AI tools employees actually use? Do we have a clear rule on what must not be inserted into AI? Can we document AI literature? Do we have an approval process for new AI use-cases? Can we show proof: policy, log, review, contract or DPIA? If the answer is uncertain on two or more points, this is a good first scope for AI governance. 
 

The most important principle 
Without evidence, there is no governance. It's just a good intention. 

 

From a one-time audit to a live system 

Many companies today manage compliance in spreadsheets, emails, and shared folders. Excel is a good place to start, but it's not enough for an audit trail, document versioning, task ownership, and linking to specific evidence. A one-time audit provides a snapshot of the status, but after it ends, the documentation ages again. A generic AI chatbot can help with text, but without a scope, evidence framework, versions, and human review, it can create a false sense of security. 

The target state is the evidence engine: a system that connects documents, requests, evidence, questions, tasks, and reports. For each inspection, it is clear what requirement is being evaluated, what evidence exists, how strong this evidence is, what is missing, who should take the next step and by when. 

The basic product rule of such an approach can be summed up simply: no green without proof. AI must not just claim that the check is met. They must show the document, the relevant citation, the strength of the evidence, the limitation, and in case of uncertainty, mark the result for human review. 
 

How BDO can help 

BDO helps companies connect the business benefits of AI with security, governance, and demonstrable compliance. It's not just about choosing an instrument. It is important to choose the right use-case, assess risks, set rules, technical boundaries, responsibilities and an evidentiary trail. 

A typical first step can take the form of a two- to four-week discovery. In the first week, there will be interviews with management, IT/security, privacy and business owners, and a quick collection of AI tools and scenarios. In the second week, the classification of value, data, risks, regulatory sensitivity and supplier setup follows. In the third week, the basic rules, roles, approval process, training and technical boundaries are proposed. In the fourth week, a pilot roadmap, quick wins, a managerial output and a decision point for the next step are created. 

Specifically, we can help with assessing the potential of digitization and automation, developing automation using AI, AI strategies and safe rollout, AI systems security, AI Act readiness, AI systems audit, and preparing an evidence map. The goal is for AI to bring a measurable impact to the company, but at the same time be manageable, secure and auditable.
 

STEP ONE
Choose one pilot scope and create your first AI map of opportunities, risks, quick wins, and evidence in a matter of weeks. 

 

Conclusion: safe AI is a prerequisite for growth 

AI compliance is not a brake on innovation. It is a seat belt that allows a company to accelerate without unnecessary risk. AI is already in companies — even where it is not yet formally managed. Shadow AI is a reality, not an exception. 

The biggest risks are not just about technology. They concern data, intellectual property, suppliers, uncontrolled outputs, lack of accountability, and lack of evidence. Therefore, the AI Act and related cyber regulation move AI governance into a provable, auditable system. 

A company that wants to use AI really safely should start simple: map out the real use of AI, set rules for data, select the first suitable pilot, set up an approval process, train employees, and start collecting evidence. It's not about creating multiple documents. It's about creating a system that allows AI to be used with confidence. 
 

Quick checklist for business management 

• Do we have a central inventory of AI tools and use-cases? 
• Do we know what data enters AI tools and who owns them? 
• Do we have a clear AI policy and do employees know it? 
• Do we have a process for approving new AI use-cases? 
• Do we have human supervision set up for sensitive outputs? 
• Do we assess suppliers in terms of data, security and audit rights? 
• Can we provide training, approvals, logs, DPIA or security review? 
• Do we know which first AI pilot has a clear benefit and a reasonable risk?