Artificial intelligence guardrails in the workplace

Is the use of artificial intelligence (AI) on the rise among employees? It depends on the workplace. According to Gallup, the technology, chiefly generative AI, is more prevalent in “knowledge-based industries,” such as education and finance.

Yet across all sectors, Gallup found a gradual increase in adoption among all users — a trend “on par with the expansion of frequent workplace AI use reported throughout 2025.”

Will the momentum hold this year? The signs currently point to yes. That’s why workplaces must set clear guardrails for AI integration. These processes should “work in alignment with organizational standards, policies and values,” according to McKinsey & Company, and reflect businesses’ desire to use — or even prohibit — the technology in their workplaces. 

If AI is allowed, companies must determine for whom, when and where. Implementation often operates like a ripple effect. The more businesses use AI, the more it needs to be governed and the more complex the policies will be. So how can companies get started?

Establish a clear purpose. Leadership should first ask how using AI could benefit employees and operations. Clarity on application will help businesses pinpoint the right tools to implement while preventing the all-too-common mistake of “using AI just to use AI.” If businesses determine that AI is not useful and thus not permitted, corporate policies should explicitly state this and spell out the consequences of unauthorized use.

Vet and select platforms. As we often say in the cybersecurity field, if you are not paying for the product, you are the product. With free personal accounts, user data is often the cost of using the platform. Business accounts offer greater transparency and security, enabling companies to restrict data access and monitor usage. Providing regular, relevant employee safety training can further reduce risk.

Set clear restrictions on data submission. Policies should specify what types of input employees can include in GenAI prompts. Do employees have to use generic information, or can they use redacted files? If redacted, what do users need to hide, and how? If employees must work with sensitive data, an experienced cybersecurity professional can help determine how to prevent sensitive details from entering large language models (LLMs) while still reaping the benefits of AI tools, such as leveraging the LLM to generate code for processing.

Review and regularly update security controls. With any technology, a “set it and forget it” mentality is risky. The security landscape is ever-evolving, and cybercriminals are continually adapting their tactics to catch users off guard. Just as companies should regularly update and patch their software, they should also evaluate the security settings of their AI platforms to address potential vulnerabilities and protect users and data.

Start small to measure progress and make improvements. Companies shouldn’t feel pressured into blanket adoption of AI. Rather, businesses should pick a pilot and document small processes and expectations to measure impact. Leadership may find that the promised outcomes were another case of AI hype. However, if implemented strategically, companies will likely see at least some gains from AI-based platforms, indicating the use case is worth pursuing.

The bottom line? AI is not a silver bullet that can — or should — handle any workplace task or fix any problem. Sometimes, simple automation may work just as well — or better — without the potential risk. If companies decide to implement AI, it’s crucial to remember that guardrails aren’t failsafe. Safeguarding user and company data while using AI is simply one piece of a comprehensive cyber resilience puzzle.

Editor’s note: Chris Wright is co-founder and partner at Sullivan Wright Technologies, an Arkansas-based firm that provides cybersecurity, information technology, and security compliance services. The opinions expressed are those of the author.