You wrote an AI policy at some point in the last year. It covers which tools are approved, what staff can and cannot share, and who to contact if something goes wrong. You sent it round, people acknowledged it, and many of them went back to using ChatGPT for anything that saves them time.
The question founders tend to arrive at eventually is a quiet one. How would you even know if someone had pasted a client’s confidential documents into a consumer AI tool? And what would you do about it?
That gap between having a policy and knowing whether anyone follows it is what AI use monitoring is built to close.
What does “watching AI use” actually mean?
Watching AI use means tracking how your staff interact with AI tools, which ones they’re using, what data they’re putting into them, and whether that matches what your policy says. In practice, this ranges from reviewing your admin logs for unapproved tools to checking whether confidential files are being uploaded to consumer AI accounts. It is governance work, not a surveillance operation.
The term “AI surveillance dashboard” turns up in vendor pitches and implies you need a dedicated monitoring system. For a small team, that framing sets the bar in the wrong place. The threshold for proportionate monitoring is lower than it suggests. You need visibility at the right level: whether your approved tools are in use as intended, and whether sensitive data is flowing to places it shouldn’t.
The distinction matters because over-monitoring can create its own problems. The ICO’s employment practices guidance applies to any technology used to watch what workers do, which includes AI-powered activity tracking. Installing a monitoring system that goes further than your business can justify creates a different compliance risk, not a solution to the one you started with.
Why does AI monitoring matter for your business?
The gap between policy and practice in UK workplaces is wider than many leaders expect. A 2024 Microsoft study found 71% of UK employees had used unapproved consumer AI tools at work, with 51% doing so every week. A separate 2024 survey of UK firms reported that 67% of C-suite leaders believe their organisation has already experienced a data leak caused by an employee using an unapproved AI tool.
The more counterintuitive finding is that the highest-risk users are often the people at the top. Research reported by Workplace Insight in 2024, drawing on a La Fosse survey, found that nearly three-quarters of UK C-suite executives had uploaded confidential company data to AI tools, compared with 42% of entry-level employees. Senior leaders are also more likely to use AI for tasks they haven’t been trained on, and to act on AI output that later turns out to be inaccurate.
The other pressure point is reporting culture. A survey of UK firms found that 30% of employees who had seen an AI tool produce dangerously wrong or unethical results didn’t feel safe raising the issue, citing fear of retaliation. A policy that staff won’t challenge has limited value. It records what you intended, not what’s actually happening.
Where will you actually see AI policy problems appearing?
AI policy breaches in small teams tend to cluster around a few predictable patterns: staff pasting client names and correspondence into a public chatbot to draft a reply, someone uploading a file containing personal data to a consumer AI account that processes it on external servers, or a meeting bot joining a call and sending a transcript to a third-party service the business hasn’t vetted.
The University of Oxford’s information security team has published specific guidance on the last scenario. Their advice flags that unapproved AI meeting bots can join online meetings, record content, and transmit it to external providers, creating both confidentiality and UK GDPR risks. Oxford now bans unapproved bots from its meetings entirely. The same logic applies to any AI note-taking or transcription tool your team uses without a data processing agreement in place.
Finance is a higher-risk area than many founders expect. In the Microsoft research, 22% of employees reported using AI tools for finance-related tasks. If someone on your team is pasting salary data, client billing information, or cash-flow projections into a consumer AI tool, the UK GDPR exposure is real. When that data is compromised or shared with a third party, the ICO’s personal data breach reporting obligations apply in exactly the same way they would for any other kind of data incident.
When does active AI monitoring make sense?
The question of whether to monitor is partly a legal one. The ICO’s guidance on monitoring workers makes clear that any technology used to monitor staff activity must be justified, proportionate, and clearly communicated. If you’re considering logging every AI prompt your team submits, you’d need to demonstrate that level of surveillance is necessary for a specific, identified purpose, and that you’ve weighed the impact on workers’ rights.
A proportionate approach for a small business looks quite different from what vendors suggest. Many of the controls you need are already available in your existing tools. Enterprise versions of Microsoft 365 and Google Workspace both include admin settings that restrict data from leaving your tenancy, log access to third-party apps, and flag when sensitive files are uploaded externally. Configuring these correctly, and then reviewing the exceptions that surface in your admin logs, gives a small team much of the visibility it needs without a dedicated monitoring system.
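As an added example (not from the article, nor any vendor's tooling), here is a small Python review pass over a constructed admin-audit export that applies the three exception patterns this article describes: unapproved third-party app grants, restricted files shared outside the tenancy, and unvetted meeting bots. The log schema, domain names, classification labels and approved-tool list are all assumptions made for the example, not a real Microsoft 365 or Google Workspace format.

```python
"""Review a constructed admin-audit export (newline-delimited JSON) for the
AI policy exceptions the article describes. Log schema and domains are
constructed for this example, not a real Microsoft 365 or Workspace format."""
import json

APPROVED_AI_DOMAINS = {"approved-assistant.example"}   # tools the policy allows
RESTRICTED_LABELS = {"confidential", "personal-data"}  # must stay in the tenancy


def check_event(event):
    """Return (rule, actor, detail) if the record breaches policy, else None."""
    kind, actor = event["event"], event["actor"]
    if kind == "oauth_grant" and event["app_domain"] not in APPROVED_AI_DOMAINS:
        # Staff authorised an unapproved third-party AI app against their account.
        return ("unapproved_ai_tool", actor, event["app_domain"])
    if kind == "external_share" and event.get("label") in RESTRICTED_LABELS:
        # A labelled file left the tenancy, whatever the destination is.
        return ("restricted_data_shared", actor, event["target_domain"])
    if kind == "meeting_bot_joined" and event["bot_domain"] not in APPROVED_AI_DOMAINS:
        # An unvetted transcription bot joined a call (the Oxford scenario).
        return ("unvetted_meeting_bot", actor, event["bot_domain"])
    return None


def review_log(lines):
    """Parse each non-empty line as JSON and collect policy findings in order."""
    findings = []
    for line in lines:
        if line.strip():
            finding = check_event(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample export: two compliant records and three breaches.
SAMPLE_LOG = """
{"event": "oauth_grant", "actor": "ceo@firm.example", "app_domain": "consumer-chatbot.example"}
{"event": "oauth_grant", "actor": "dev@firm.example", "app_domain": "approved-assistant.example"}
{"event": "external_share", "actor": "finance@firm.example", "label": "confidential", "target_domain": "consumer-chatbot.example"}
{"event": "external_share", "actor": "sales@firm.example", "label": "public", "target_domain": "partner.example"}
{"event": "meeting_bot_joined", "actor": "pm@firm.example", "bot_domain": "notetaker.example"}
""".splitlines()

if __name__ == "__main__":
    for rule, actor, detail in review_log(SAMPLE_LOG):
        print(f"[{rule}] {actor} -> {detail}")
```

Run against a real export, the same three rules become a weekly exception list to review, which is the proportionate level of visibility the paragraph above describes.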
Active monitoring makes clearer sense in specific situations: when your team works with regulated data such as personal data under UK GDPR, client financial information, or legally privileged material; when the FCA’s Consumer Duty or operational resilience rules require you to evidence oversight of AI-assisted processes; or when you’ve had an incident and need to understand what happened. The UK government’s Hidden AI Risks Toolkit recommends testing AI tools against human baselines and tracking the impact of AI on work quality and accuracy, a form of oversight any team can apply without heavy investment.
What else should you look at alongside this?
AI use monitoring connects directly to several areas you’re probably building at the same time: your AI policy and whether it covers the tools staff are actually using, your UK GDPR baseline and breach-reporting obligations, and your incident response plan. The Cabinet Office’s Hidden AI Risks Toolkit is a useful practical reference across all three, and it’s free.
If you’re building out your incident response plan, a few additions are worth making. Include a step to identify whether AI tools were involved in an incident. Add a process for preserving the relevant admin logs. Clarify who decides whether a breach is notifiable to the ICO. The 72-hour reporting window in UK GDPR doesn’t stop while you work out whether a consumer AI tool was the cause.
The La Fosse research on leadership risk is worth keeping in mind as you design any monitoring or training programme. If your training is aimed primarily at the team and not at the people running it, you may be looking in the wrong direction. The data suggests executives need the same structure and the same policy expectations as everyone else, and possibly more scrutiny than they typically receive.
One area where the evidence points toward culture rather than controls: 30% of UK staff don’t feel safe reporting dangerous AI outputs. Admin logs and data loss prevention alerts catch some things, but they can’t replace a team confident enough to raise a concern when something looks wrong.
The practical starting point is less complicated than the phrase “AI monitoring” tends to suggest. Audit which tools your staff are currently using, including the ones you haven’t approved. Check the admin controls available in your existing Microsoft 365 or Google Workspace account. Add a section to your incident response plan that covers AI-related data exposure. And check that your senior leaders, in particular, have actually read it.