Only 28% of organizations have a formal AI usage policy. The other 72% are flying blind while their employees paste customer names into ChatGPT, run vendor contracts through DeepL, and summarize inboxes with free Copilot accounts nobody in IT approved.
This is "shadow AI" - the AI equivalent of shadow IT that plagued companies a decade ago. But the stakes are higher now, because the EU's enforcement timeline is not slowing down for anyone.
The August 2026 Deadline
The EU AI Act, passed in 2024, uses a four-tier risk classification system for AI applications. The most consequential tier for everyday business use is "high-risk," which includes any AI system used in HR, recruitment, or workforce management. Full compliance requirements for high-risk systems take effect on August 2, 2026.
That is five months away.
The AI literacy obligation already kicked in back in February 2025, meaning companies are technically required to ensure their staff understands the AI tools they use. Most haven't even started.
Meanwhile, GDPR hasn't gone anywhere. Italy's data protection authority fined OpenAI €15 million in December 2024. The 72-hour breach notification requirement applies to AI-related incidents just like any other data breach.
The Actual Risk in Daily Workflows
Here's what makes shadow AI particularly dangerous from a compliance perspective: most employees don't know the difference between personal data and confidential data, and neither category should be going into unapproved AI tools.
Personal data triggers GDPR obligations. When a sales rep pastes CRM records - names, email addresses, order histories - into a ChatGPT prompt, that's a GDPR event. It doesn't matter that it's B2B data. If a named individual's email address is in the prompt, that's personal data tied to an identifiable person. A generic, role-based mailbox address for a team or department is not, but most employees aren't making that distinction.
Free and consumer-tier AI accounts make this worse. Enterprise AI plans from OpenAI, Microsoft, and others typically include Data Processing Agreements (DPAs) - legal contracts that govern how the provider handles your data. Free ChatGPT does not. Every employee using a personal ChatGPT account for work tasks is creating a compliance gap that no DPA covers.
Article 35 of GDPR also requires Data Protection Impact Assessments (DPIAs) for high-risk processing. Running customer data through AI tools qualifies. Almost nobody is doing these assessments for shadow AI usage.
A Translation Problem, Not a Regulation Problem
The core issue isn't that these regulations are unreasonable. GDPR has been law since 2018. The EU AI Act had a long public consultation. The requirements are documented.
The gap is between legal text and actual employee behavior. Compliance teams write policies. Employees ignore them because the policies don't translate into clear rules like "never paste an email address into a free AI tool" or "only use the company's approved Microsoft Copilot account."
Companies that want to close this gap before August need three things: an approved list of AI tools with enterprise DPAs in place, clear rules written in plain language about what data goes where, and actual training that goes beyond a checkbox webinar.
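The two plain-language rules above (approved tools only, and no individual email addresses into tools without a DPA) can be turned into a pre-submission check that runs before a prompt leaves the company. The following Python is an added example written for this page, not a tool the article mentions or any vendor's code. The tool names in the approved list, the list of role-based mailbox prefixes, and the sample prompt are all constructed assumptions; a real deployment would load the approved list from the compliance team's register and extend the patterns beyond email addresses.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Hypothetical register of AI tools, keyed by internal name, with the value
# recording whether an enterprise Data Processing Agreement (DPA) is in place.
# Tools not listed here are treated as unapproved.
APPROVED_TOOLS: dict[str, bool] = {
    "copilot-enterprise": True,   # assumed: enterprise plan with DPA
    "chatgpt-enterprise": True,   # assumed: enterprise plan with DPA
    "chatgpt-free": False,        # consumer account, no DPA
    "deepl-free": False,          # consumer account, no DPA
}

# Local parts that normally address a function rather than a person.
# Illustrative list (assumption), not a legal definition of "generic".
GENERIC_LOCAL_PARTS = {
    "info", "sales", "support", "hello", "contact", "office", "admin",
    "noreply", "no-reply", "billing", "hr", "jobs", "press", "privacy",
}

# Conservative email matcher; good enough to catch addresses pasted into prose.
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")

REDACTION = "[REDACTED_EMAIL]"


@dataclass
class ScreeningResult:
    allowed: bool
    reasons: list[str] = field(default_factory=list)
    redacted_prompt: str = ""


def tool_has_dpa(tool: str) -> bool:
    """Unknown tools are unapproved by default (deny-list is not enough)."""
    return APPROVED_TOOLS.get(tool, False)


def is_personal_email(addr: str) -> bool:
    """An address is treated as personal data unless its local part is a
    recognised role-based mailbox (info@, sales@, ...)."""
    local = addr.split("@", 1)[0].lower()
    return local not in GENERIC_LOCAL_PARTS


def find_personal_emails(prompt: str) -> list[str]:
    return [m for m in EMAIL_RE.findall(prompt) if is_personal_email(m)]


def redact_personal_emails(prompt: str) -> str:
    """Replace only individual addresses; generic mailboxes are left intact."""
    return EMAIL_RE.sub(
        lambda m: REDACTION if is_personal_email(m.group(0)) else m.group(0),
        prompt,
    )


def screen_prompt(tool: str, prompt: str) -> ScreeningResult:
    """Apply the policy: personal data may only go to a tool covered by a DPA.
    Returns a decision, the reasons, and a redacted copy the user could send
    to an unapproved tool instead."""
    reasons: list[str] = []
    personal = find_personal_emails(prompt)
    dpa = tool_has_dpa(tool)

    if not dpa:
        reasons.append(f"tool '{tool}' is not on the approved list / has no DPA")
    if personal:
        reasons.append(f"prompt contains {len(personal)} individual email address(es)")

    # Block only when personal data would reach a tool without a DPA.
    allowed = dpa or not personal
    return ScreeningResult(
        allowed=allowed,
        reasons=reasons,
        redacted_prompt=redact_personal_emails(prompt),
    )


# Constructed sample prompt: one individual address, one generic mailbox.
SAMPLE_PROMPT = (
    "Summarise this thread between jane.doe@example.com and info@example.com "
    "about the delayed order and draft a reply."
)

if __name__ == "__main__":
    for tool in ("chatgpt-free", "copilot-enterprise"):
        r = screen_prompt(tool, SAMPLE_PROMPT)
        print(tool, "->", "ALLOW" if r.allowed else "BLOCK", r.reasons)
        print("   redacted:", r.redacted_prompt)
```

The check is deliberately asymmetric: an approved tool with a DPA passes the prompt through unchanged, while an unapproved tool is blocked as soon as a single individual address appears, and the redacted copy gives the employee a compliant alternative rather than a dead end. The role-based allowlist is the weak point to review: a mailbox named after a person's initials would slip through, so treat anything not on the list as personal data, as the code does.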
The 72% of companies without any AI policy aren't just behind on paperwork. They're accumulating legal exposure every time someone on their team hits "send" in a chat window.