AI assistant — not human

55-75% of knowledge workers use unauthorized AI tools. 5-step remediation methodology. Purview DLP + endpoint controls + Copilot as sanctioned alternative.
Last updated July 7, 2026 by Errin O'Connor, Founder & Chief AI Architect, EPC Group
Shadow AI (BYOAI) — employees using ChatGPT / Claude / Gemini / Perplexity for work — affects 55-75% of enterprise knowledge workers without governance. Six compliance risks: HIPAA violations, MNPI leakage, IP loss, GDPR non-compliance, contract violations, audit trail loss. 5-step remediation: Discover + Policy + Sanction + Block + Educate. Purview enforces via sensitivity labels + DLP + endpoint controls + cloud app governance. EPC Group BYOAI Discovery: $20K/3wk. Full remediation: $60K/8wk. Ongoing governance retainer: $8K-$15K/month.
Shadow AI (Bring Your Own AI) is employees using unauthorized AI tools alongside or instead of enterprise-sanctioned Microsoft Copilot. Common shadow AI: ChatGPT ($20-$30/user/month), Claude Pro, Google Gemini Advanced, Perplexity Pro, Grammarly Pro, Jasper, Copy.ai. Employees pay personally or expense as productivity tools; corporate data flows into these external systems without governance. Industry surveys (Salesforce, Gartner) put shadow AI usage at 55-75% of knowledge workers in enterprises without formal AI governance.
Six specific risks: (1) HIPAA violations — PHI pasted into ChatGPT is a reportable breach. (2) MNPI leakage — non-public financial data in AI tools triggers SEC enforcement. (3) IP loss — proprietary code, contracts, product designs uploaded to external systems. (4) GDPR non-compliance — customer PII processed by AI services outside data residency + retention controls. (5) Contract violations — many enterprise customer + supplier contracts prohibit sharing data with third-party AI. (6) Audit trail loss — regulatory frameworks require audit logs of data processing; consumer AI tools do not provide enterprise-grade audit trails.
Five discovery methods: (1) Microsoft Purview DLP + Cloud App Discovery — scans network traffic + endpoint activity to identify AI service traffic (openai.com, anthropic.com, gemini.google.com, etc.). (2) Corporate credit card + expense report review — search for AI tool subscriptions. (3) User survey — anonymous pulse survey asking employees which AI tools they use for work. (4) Endpoint monitoring (Defender for Endpoint) — flags installations of AI browser extensions + desktop apps. (5) Web filtering logs (Zscaler, Netskope, Defender for Cloud Apps) — categorizes AI tool traffic by user + volume.
EPC Group methodology: (1) Discover — run all 5 discovery methods; quantify usage by tool + user population + data types. (2) Policy — draft BYOAI policy with approved-tool list, prohibited-tool list, escalation contact, disciplinary consequences. (3) Sanction — deploy Microsoft Copilot as the primary approved tool; add specific narrowly-scoped approved third-party tools if needed. (4) Block — deploy DLP + network filters to block unauthorized AI tools from processing regulated data classifications. (5) Educate — mandatory training on approved tools + why alternatives are prohibited + how to request tool additions. Timeline: 6-12 weeks depending on organizational size.
Common approved-list additions to Microsoft Copilot: (1) GitHub Copilot for developers (Microsoft-owned + enterprise-grade). (2) Azure OpenAI Service for custom apps (data stays in Azure). (3) ChatGPT Enterprise for specific power-user cohorts (contract enforced data protection). (4) Anthropic Claude Enterprise via Amazon Bedrock for specific use cases (contract-enforced). (5) Grammarly Business (with DLP restrictions). Prohibited (usually): (1) Personal ChatGPT / Claude / Gemini subscriptions. (2) Consumer AI browser extensions. (3) Unvetted AI writing tools (Jasper, Copy.ai, Writesonic). (4) AI voice/video generation tools without contract review.
Purview's BYOAI enforcement layers: (1) Sensitivity labels — labeled Confidential+ content cannot be copied to unauthorized destinations. (2) DLP policies — block sensitive data patterns (SSN, credit card, PHI, MNPI markers) from being sent to unapproved AI services. (3) Endpoint DLP — prevent copy/paste of labeled content to browser tabs on unauthorized domains. (4) Cloud App Discovery + Governance — monitor + block unsanctioned AI SaaS. (5) Insider Risk Management — flag suspicious patterns (large-volume paste to AI URLs, systematic data exfiltration). Combined: Purview blocks the data flow even if the AI service is technically accessible.
EPC Group BYOAI fixed-fee accelerators: (1) BYOAI Discovery Assessment ($20K, 3 weeks) — runs all 5 discovery methods + quantified risk report + approved-tool list draft. (2) BYOAI Remediation ($60K, 8 weeks) — Purview DLP + policy deployment + endpoint controls + Copilot rollout coordination. (3) BYOAI Ongoing Governance ($8K-$15K/month retainer) — quarterly discovery scans + policy updates + new tool evaluation + user education. Combined with Copilot Readiness Assessment for organizations planning Copilot alongside BYOAI remediation.
$20K/3wk discovery + risk report + approved-tool list. Call (888) 381-9725.
Monday-Friday, 8 AM - 7 PM CT
We respond to all inquiries within one business day