The New, Unsanctioned Coworker
Employees across India are discovering that generative AI can dramatically speed up their work. Tools like Google's Gemini are being used to summarise long reports, write code, draft client communications, and brainstorm marketing ideas. This surge in use is often
a grassroots movement, happening without official IT approval or oversight. An employee finds a tool that solves a problem, tells a colleague, and soon an entire team is feeding company data into a platform with opaque data handling policies. This phenomenon, sometimes called 'Shadow AI', creates individual productivity gains but also introduces significant, often invisible, corporate risk.
The Hidden Risks of AI Assistance
The convenience of generative AI masks several profound risks for businesses. The most immediate is data security. When an employee inputs confidential information—such as client data, financial projections, or proprietary code—into a public AI model, that data can be exposed. There is a significant risk of inadvertently leaking trade secrets or breaching client confidentiality agreements. Furthermore, the intellectual property (IP) of AI-generated content exists in a legal grey area. Under India's Copyright Act, 1957, copyright requires human creativity, making it unclear who owns purely AI-generated work, even if produced by an employee. Finally, these models can be confidently incorrect, producing plausible-sounding but factually wrong information, known as 'hallucinations', which can lead to poor business decisions if not carefully verified.
Why an Official Policy is Non-Negotiable
Relying on unwritten rules or assuming common sense is not a viable strategy. Without a formal, documented AI usage policy, organizations expose themselves to legal and regulatory jeopardy. In India, laws like the Digital Personal Data Protection Act, 2023, place the onus on organisations to protect data, regardless of the tools employees use. A formal policy provides clear guardrails, ensuring consistent and safe behaviour across the company. It defines what is acceptable and what is prohibited, creating a defensible position in case of a data breach or compliance issue. This is not about restricting innovation; it is about creating a safe framework for it to flourish.
Building Your Generative AI Guardrails
A robust AI policy should be clear, practical, and enforceable. It needs to start by defining what constitutes AI and listing company-approved tools. This prevents the proliferation of unvetted applications. The core of the policy must be a section on data handling. It should explicitly forbid entering any personally identifiable information (PII), client secrets, or confidential company data into public AI platforms. The policy should also mandate human oversight, making it clear that AI is a tool to assist, not replace, human judgment. All AI-generated work, especially for external or critical use, must be reviewed, fact-checked, and edited by a human. Finally, it should outline consequences for violations and include a plan for regular review, as AI technology and regulations are constantly evolving.
Beyond the Rulebook: Fostering a Culture of Smart AI Use
A policy document alone is not enough. Effective implementation requires ongoing training and open communication. Companies must educate employees not just on the rules, but on the reasoning behind them. This includes training on the risks of data bias, the importance of prompt engineering, and how to critically evaluate AI output. Rather than simply banning tools, leading organisations are providing enterprise-grade, secure AI solutions and teaching their teams how to use them effectively. The goal is to cultivate a culture where employees view AI as a powerful but complex instrument—one that requires skill, responsibility, and critical thinking to use well. This proactive approach ensures that the adoption of tools like Gemini becomes a strategic advantage, not an unmanaged liability.
















