AI Is Entering Organisations from the Bottom Up

For some, artificial intelligence (AI) is the latest technological trend. For others, it is simply another buzzword. But for many employees, AI has already become an integral part of everyday work. People use AI to draft emails, summarise information, translate texts, analyse data, and automate routine tasks. In itself, this is not a problem. What is concerning, however, is how organisations approach security. A recent study by Helmes Latvia found that 43% of employees in Latvia use free AI tools of their own choosing at work, while only 7% use paid AI solutions provided by their employer.

Employees Are Finding Their Own Solutions

A similar pattern can be seen across the Baltic States. In Estonia, 32% of employees use self-selected free AI tools, while only 6% use company-provided paid solutions. In Lithuania, 47% rely on free AI tools they have chosen themselves, whereas just 6% use paid tools supplied by their employer. These figures clearly show that AI is entering organisations from the bottom up. In many cases, companies are not introducing AI through a structured strategy or governance framework. Instead, employees independently discover useful tools and begin incorporating them into their daily work. This demonstrates people's ability to adapt quickly to new technologies and their desire to work more efficiently. At the same time, it creates significant risks related to security, data protection, and governance.

Cutting Costs Today May Cost More Tomorrow

Many organisations are still reluctant to invest in AI training, develop clear guidelines for AI usage, or purchase paid versions of the tools their employees actually need. The old saying, “buy cheap, buy twice”, applies perfectly here. The real cost is not the software licence itself but the potential consequences of uncontrolled AI use. This does not mean organisations should rush to purchase every available AI solution simply because it exists. AI should not be adopted for its own sake. Instead, business leaders should work closely with employees to understand how AI is already being used and where it genuinely adds value. By analysing which tools employees rely on in their daily work, organisations can make informed, evidence-based decisions about where investments will deliver the greatest return.

Using AI Without Considering the Consequences

Free AI tools are often used spontaneously. An employee opens a website, pastes company information into a chatbot, and receives the desired result. But this raises several important questions: Where does that information go? Is it stored? Could it be used to train future AI models? Does the organisation even know what kind of data its employees are entering into external AI platforms?

Many people do not perceive AI tools as a potential cybersecurity risk. They seem no different from search engines or office software. The critical difference, however, is that users often enter information into AI systems that they would never intentionally upload to a public platform, including customer data, contract excerpts, financial information, internal documents, or elements of business strategy. This has created a paradox within many organisations: AI adoption is accelerating rapidly, while security policies and employee awareness are struggling to keep pace. Our research found that only 8% of workplaces in Latvia have clearly defined AI usage policies accompanied by employee training. The figure is 6% in Estonia and just 5% in Lithuania. In other words, AI is being used in the vast majority of organisations without a consistent governance framework or clearly defined boundaries.

People Remain the Greatest Security Risk

Paid AI solutions do not guarantee complete security. However, enterprise-managed platforms typically provide stronger controls, including better data protection, centralised access management, stricter privacy settings, and compliance with higher security standards. Even the most secure technology, however, becomes vulnerable if employees do not know how to use it responsibly. Cybersecurity professionals have long recognised that people represent the greatest security risk, and in the age of AI, this observation is more relevant than ever. This does not mean employees deliberately act irresponsibly. The challenge is that AI technologies are evolving much faster than organisations can establish governance frameworks, develop internal policies, and train their workforce. Over the coming years, the defining question will not simply be whether organisations use AI, but whether they use it safely, responsibly, and strategically.

Organisations need clear AI policies, practical guidelines, regular employee training, and a shared understanding of what information may - and may not - be entered into external AI tools. Without these foundations, businesses risk data breaches, reputational damage, and a workplace where AI adoption develops in a fragmented and uncontrolled manner.