Find the shadow AI in your agency before a client's data leaks through it

TL;DR

Agency teams are among the heaviest informal AI users, and their specific risk runs beyond their own data. When creatives and account managers paste client briefs, brand guidelines, and unreleased campaign material into consumer AI tools without data agreements, they may already be in breach of their client confidentiality contracts under UK law. Finding that footprint before a client notices is the first task of any AI mandate at an agency.

Key takeaways

- Shadow AI in agencies carries higher risk than in many other owner-managed businesses because the data going into consumer tools often belongs to clients, not to the agency itself.
- Consumer AI tools without Data Processing Agreements are, under UK GDPR, third-party processors, which means pasting client material into them may already breach your client confidentiality clause before any data incident occurs.
- Agency teams typically introduce client material to AI tools at the brief, mood board, and competitor research stage, making those the specific points to audit for third-party data exposure.
- An audit for shadow AI use doesn't require formal investigation; structured conversations with team leads across creative, account, and strategy functions typically surface enough of the footprint in a day to act on.
- The fix is a short sanctioned tool list with data agreements in place and enterprise tiers funded where needed, so teams keep the speed that made shadow AI attractive without the legal and contractual exposure.

You’ve just learned the design team has been running unreleased client creative through a free AI image tool for the past six months. They use it to build mood boards in an afternoon instead of a week. Nobody told the client. The account director knew it was happening but didn’t think it was her call to stop it.

This is the moment many delegates hit a few weeks into an AI mandate at an agency.

What is shadow AI doing in your agency right now?

The entry points follow a consistent pattern once you start looking. A copywriter pastes a client’s brand tone guidelines and six competitor ads into ChatGPT to draft a campaign headline shortlist. A designer uploads mood board images and a client brief PDF to a free image generation tool. An account manager runs the competitor intelligence section of a pitch deck through a summarisation tool to speed up a landscape analysis.

Shadow AI, in plain terms, is any AI tool your team uses without IT approval, data agreements, or leadership sign-off. McKinsey’s 2025 State of AI survey found that 88 per cent of organisations are now regularly using AI in at least one business function. Research tracking how that adoption plays out in practice suggests the number of employees using personal AI tools alongside any sanctioned work tools is well above 90 per cent. In agencies, the motivation is clear. Client briefs are long, reference libraries take time to search, and copy rounds move slowly. A free tool that cuts an afternoon’s work to 20 minutes is going to get used, policy or no policy.

What makes agencies distinct from many other owner-managed businesses is what goes into those tools.

Why does client data make this exposure so much worse?

In many owner-managed businesses, shadow AI runs on internal data. Your schedules, HR records, and draft reports are sensitive, but they’re yours to manage. In agencies, the material that ends up in consumer AI tools often belongs to someone else, including a client’s unreleased campaign strategy, their brand guidelines under NDA, and a product launch brief marked strictly confidential.

That matters for two related reasons. The first is contractual and regulatory. Consumer AI tools, including free ChatGPT tiers and similar platforms, typically have no Data Processing Agreement with your business. Under UK GDPR, processing personal data via a third-party service without a DPA is already a compliance issue. When the data belongs to your client, the exposure widens further, because you’re also potentially in breach of your client confidentiality agreement.

The second reason is reputational. A professional services firm that leaks client data through informal AI use faces regulatory scrutiny. An agency faces something sharper: losing the client, losing the pitch references, and the story moving through a sector where relationships carry a great deal of weight.

The British Chambers of Commerce 2026 survey found half of UK businesses are already using AI, with governance frameworks trailing well behind tool adoption. In agencies, that lag lands hardest where it matters most, in the data belonging to the clients paying your invoices.

Where does client material actually enter the tools?

Agency AI tool use follows a logic that team members rarely examine. When a designer uploads a client brief to a free image generation tool, the tool handles that data according to its own terms. It may retain the data, use it for model training, or share it with third-party services in its processing chain. Competitor ads, brand guidelines, and campaign strategy documents all go through the same logic when pasted into consumer AI tools.

Goldman Sachs research from 2026 found 76 per cent of small businesses are using AI, with training and governance support struggling to keep pace with adoption. The OECD’s 2025 SME AI adoption report identified data governance as the primary gap between where firms have deployed AI and where that deployment is genuinely safe. In agencies, that gap tends to be filled by client material.

The audit question this creates is practical. Which tools are your team members using day-to-day, and what material is going into them? Surfacing this does not require forensic investigation. Structured conversations with team leads across creative, account, and strategy functions typically surface enough of the footprint to act on within a day.

When does shadow AI in an agency become a contract breach?

Agency client agreements almost always contain a confidentiality clause covering all forms of disclosure of the client’s confidential material to third parties. A consumer AI tool with no data processing agreement is, in the relevant legal sense, a third party. Pasting a client’s unreleased campaign into such a tool without the client’s knowledge or a DPA may already breach that clause, regardless of whether an incident occurs.

The ICO’s guidance on UK GDPR is direct on this point. When personal data is processed by a third-party service on your behalf, you need a written Data Processing Agreement with that processor. Free consumer AI tools, including the default tiers of the major AI platforms, do not provide these agreements. That creates genuine legal exposure, not just a future compliance task. The Law Society of Ireland’s generative AI guidance notes that professional service firms using consumer AI tools for client work risk breaching both their confidentiality obligations and their data protection duties at the same time.

The practical implication for agencies is that every time a team member pastes client material into a tool the agency has no agreement with, the agency is potentially in breach of its client contract and its data protection obligations simultaneously. Given the prevalence of personal AI tool use across creative teams, the footprint almost certainly exists already. The only open question is how wide it is.

For a delegate handed an AI mandate at an agency, surfacing this exposure is week-one work, before any new tool gets approved or any AI rollout gets announced.

How do you surface the footprint and build a sanctioned tool set?

The audit that finds shadow AI use in an agency doesn’t need to be a formal investigation, and it shouldn’t feel like one. The goal is to find which tools touch client data, which of those have appropriate data agreements, and what the exposure looks like. A half-day of structured conversations with leads across creative, account, and strategy functions is usually enough to map a substantial share of the footprint.

What you are looking for are two lists. The first is every tool a team member uses that has any contact with client material, from free image generators to personal ChatGPT accounts. The second is which of those tools have a DPA your agency can point to.

For tools on the first list that aren’t on the second, the answer is straightforward. Get the DPA, move to a version of the tool that provides one, or stop using that tool for client work. Enterprise tiers of the major AI platforms do include DPAs. The upgrade cost is typically modest against the contract risk it removes.

The harder part is making the sanctioned list practical enough that people actually use it. If the only approved tool for image generation is one that teams find slow or limited, they will use the fast free tool anyway. Compliance that is slower than the workaround does not hold.

The OECD’s 2025 SME AI adoption report flags governance as the key barrier to scaling AI responsibly, and the same pattern plays out in agencies directly. Governance that asks teams to trade speed for safety, without replacing the underlying need, tends to break down within weeks. The goal is a short approved list, with the data agreements signed and the enterprise tiers funded where needed, so the speed that made shadow AI attractive carries forward without the liability.

If you’re working through an AI mandate at an agency, book a conversation to map the shadow AI footprint before it becomes a client issue.

Sources

- McKinsey (2025). The State of AI: Global Survey. 88% of organisations regularly using AI in at least one business function; two-thirds not yet scaling beyond initial pilots. https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai
- British Chambers of Commerce (2026). Half of SMEs Using AI, with Limited Headcount Impact So Far. UK survey showing widespread AI adoption with governance frameworks trailing behind tool use. https://www.britishchambers.org.uk/news/2026/03/half-of-smes-using-ai-with-limited-headcount-impact-so-far/
- Goldman Sachs (2026). Small Businesses Embrace AI but Need Training and Support to Fully Harness It. 76% of US small businesses using AI; uncontrolled informal adoption common without governance infrastructure. https://www.goldmansachs.com/pressroom/press-releases/2026/small-businesses-embrace-ai-but-need-training-and-support-to-fully-harness-it
- OECD (2025). AI Adoption by Small and Medium-Sized Enterprises. Data governance and compliance identified as primary barriers between initial AI deployment and safe, scalable use. https://www.oecd.org/content/dam/oecd/en/publications/reports/2025/12/ai-adoption-by-small-and-medium-sized-enterprises_9c48eae6/426399c1-en.pdf
- ICO (2025). Guide to Controllers and Processors under UK GDPR. Requirement for written Data Processing Agreements when personal data is processed by a third-party service on your behalf. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-processors/
- Law Society of Ireland (2024). Generative AI Guidance. Professional obligation to maintain client confidentiality when using AI tools; consumer AI platforms not suitable for privileged or confidential client material without explicit agreements. https://www.lawsociety.ie/artificial-intelligence-ai/generative-ai-guidance/
- Tess Group (2026). AI Compliance for UK Businesses: 2026 Guide. Consumer versions of ChatGPT and similar tools do not provide DPAs and are not suitable for processing client personal data under UK GDPR. https://tessgroup.co.uk/blog/ai-compliance-uk-businesses-2026-guide.html
- HBR (2025). AI Is Changing the Structure of Consulting Firms. Professional service firms using AI in client-facing work face distinct confidentiality risks when client data enters general-purpose AI systems. https://hbr.org/2025/09/ai-is-changing-the-structure-of-consulting-firms
- LogixGuru (2025). The Board Wants an AI Strategy by Tuesday: A CIO's Survival Guide. Over 90% of employees already use personal AI tools for work, creating a gap between the sanctioned AI footprint and the actual one. https://www.logixguru.com/post/the-board-wants-an-ai-strategy-by-tuesday-a-cios-survival-guide

Frequently asked questions

What is shadow AI and why does it matter specifically for agencies?

Shadow AI is the use of AI tools by employees without IT approval, data agreements, or leadership knowledge. For agencies, it matters more than in many other owner-managed businesses because the material your team pastes into consumer tools often belongs to your clients. When that happens without a Data Processing Agreement between your agency and the tool provider, you may already be in breach of both your client confidentiality agreement and UK GDPR obligations, regardless of whether data is subsequently misused.

Does using free ChatGPT for client work count as a data breach?

If client material that includes personal data is pasted into a consumer AI tool with no Data Processing Agreement, this is likely a breach of UK GDPR even if no data is later misused. Beyond GDPR, your agency's client agreement almost certainly contains a confidentiality clause covering disclosure of client material to third parties. Consumer AI platforms with no DPA in place qualify as third parties in the relevant legal sense. The breach may already have occurred before you have discovered it.

How do I audit shadow AI use in my agency without making it feel like a witch hunt?

Frame the audit as a tool inventory rather than an investigation. You are trying to understand which AI tools touch client data and whether those tools have data agreements, not to identify who is using what. Structured conversations with team leads from creative, account, and strategy functions, or an anonymous survey, typically surface enough of the footprint in a day to act on. The goal is to build a sanctioned list that people will actually use, not to penalise the team members moving fastest.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.

Ready to talk it through?

Book a free 30 minute conversation. No pitch, no pressure, just a useful chat about where AI fits in your business.

Book a conversation
