The meeting happens every quarter.
Someone from IT or Legal stands at the front of the room and walks through the approved AI tools list. The rules. The risks. The reasons the company cannot have people running sensitive data through unapproved systems.
The executives nod.
They ask a reasonable question or two. They thank the presenter. They file out.
Then they go back to their offices and do exactly what the meeting said not to do.
New research from TrustedTech put a number on it. Sixty-two percent of senior leaders admit to using shadow AI — unapproved tools running outside company governance. Unapproved tools the company has not vetted, has not secured, has not assessed for data handling, retention, or exposure risk.
Sixty-two percent.
That number needs to sit for a moment before we move past it.
Because the other number — the one sitting right next to it in the same report — is thirty-one percent. That’s the rate for non-decision-making employees. Regular workers. The people who were in the same meeting. Who heard the same rules. Who do not have the corner office or the title or the authority to set company policy.
They’re complying at twice the rate of the people telling them to comply.
Double.
The people writing the rules are breaking them at twice the rate of the people the rules were written for.
And here is the part that moves this past irony and into something more serious. They know it. The research didn’t catch executives in a blind spot. More than a quarter of senior decision-makers said they would continue using unapproved AI tools even if their employer banned them outright. Even if disciplinary action followed.
That’s not a misunderstanding of the policy. That’s not confusion about which tools are on the approved list. That is a senior leader looking at a governance control, understanding exactly what it is, and deciding it does not apply to them.
That decision has a name. It’s called a double standard. And double standards don’t stay contained to the person who holds them.
Here is how governance actually works inside an organization.
It doesn’t work through policy documents. It doesn’t work through quarterly compliance meetings or approved tools lists or security training modules that everyone clicks through in eleven minutes to get the completion certificate.
It works through behavior. Specifically, it works through the behavior of the people at the top.
Every person in an organization is watching leadership. Not always consciously. Not always deliberately. But they are watching. They are reading the signals. They are asking the same question people have always asked inside institutions: what are the real rules here, not the written ones?
And leadership answers that question every day through what they do.
When a senior leader bypasses a governance control — even once, even quietly, even with a perfectly reasonable productivity justification — they send a signal. The signal is not subtle. The signal is: this rule is optional for people like me.
That signal travels. It travels faster and further than any policy memo. It reaches every person in the organization who was already looking for a reason to take the shortcut. And it gives them that reason. Not in writing. Not officially. But in the way that actually matters — the unspoken permission structure of watching the boss do the thing the rules say not to do.
Julian Hamood, Chief Visionary Officer at TrustedTech, said it plainly in the report. When that behavior is modeled at the top of an organization, it becomes significantly harder to enforce governance elsewhere in the business.
Significantly harder is an understatement. It becomes nearly impossible. Because you cannot enforce a standard your leadership visibly does not hold itself to. The workers are not confused. They are paying attention.
Half of those same senior leaders said they are concerned about employees using shadow AI.
Concerned. About employees. Doing the thing they are doing.
That finding is worth reading twice. Not because of the hypocrisy — though the hypocrisy is remarkable — but because of what it reveals about how these leaders think about governance.
They understand the risk. They can articulate it. They are genuinely worried about it when they see it in the people below them. They’ve absorbed the briefings. They know what shadow AI exposure looks like. They know what it costs when sensitive data moves through an unvetted system.
They just don’t apply that knowledge to themselves.
This is not ignorance. Ignorance would actually be easier to fix. You can fix ignorance with better training and clearer communication. What the TrustedTech research is describing is something harder. It’s selective governance. Rules that exist for the organization in the abstract but dissolve when personal productivity is on the line.
That’s a character problem dressed up as a compliance problem. And character problems don’t respond to policy updates.
Now let’s talk about what’s actually at stake here. Because the irony of the situation goes beyond the double standard itself.
Senior leaders are not just the most likely to bypass governance controls. They are also the people with the highest risk surface in the entire organization.
Think about what a C-suite executive has access to. Financial systems. Strategic planning documents. HR and payroll data. Customer information. Legal and regulatory material. Merger and acquisition details. Board communications. Compensation structures.
These are the people with keys to every room in the building. And they are the ones most likely to take those keys and walk into an unvetted system because they need to get a presentation done before a board meeting.
The research is explicit about this. Senior leaders have disproportionately high risk surface precisely because of their access. The sensitivity of what they’re handling is not theoretical. It’s the actual material an adversary, a competitor, or a data breach would most want to reach.
And the tool they’re running it through has not been assessed for how it handles that data. Whether it retains it. What it does with it. Who else might have access to it.
That’s not a slide deck problem. That’s a liability sitting in a browser tab, moving sensitive organizational data through a pipeline nobody in the IT department approved or reviewed.
The quarterly compliance meeting did not cover this. Because the quarterly compliance meeting assumed the people running it were not the ones creating the exposure.
The workers themselves are not entirely without reason in their own behavior.
The research shows something important on that side of the equation too. One in four employees says the approved AI tools are too limited. Twenty-one percent say the unapproved tools are simply more efficient. These are not reckless people hunting for ways to break the rules. These are people under productivity pressure trying to do their jobs with the tools available.
The approved list isn’t keeping up. The tools that passed the security review six months ago may not be the tools that are actually useful today. The AI landscape moves faster than procurement cycles. Workers know this. They’re experiencing it every day.
So when the boss — the person who signed off on the approved list, the person who attended the same security briefing — is visibly using something better and faster outside the approved system, the message received is not subtle.
The message is: the approved list is for you, not for people who matter.
That message lands. And it lands in exactly the way governance cannot survive. Not through defiance. Through quiet permission. Through the steady accumulation of people deciding that if the executive two floors up isn’t holding the line, there’s no reason they should either.
Twenty-eight percent of workers overall said they’d continue using unapproved tools even under a ban. That number will not go down while the executives driving the ban are the ones most visibly ignoring it.
The fix that most organizations reach for here is more policy. Stricter enforcement. A more detailed approved tools list. Better monitoring of what systems employees are accessing.
That is the wrong answer. Not because policy doesn’t matter. It does. But because policy without leadership behavior behind it is just paper.
The TrustedTech report points toward something more accurate. Better tools. Clearer policies. And leadership accountability.
That third item is the one that actually does the work.
Leadership accountability means the executive in the corner office operates under the same governance standards they are asking the organization to hold. It means the shadow AI usage stops at the top first. It means the approved tools list is something leadership uses, not just something leadership mandates.
It also means the approved tools list gets better. Faster. More responsive to what people actually need to do their jobs. If the reason executives are bypassing governance is because the approved tools are genuinely insufficient, that’s a procurement and IT failure that needs to be named and addressed. Not excused. Addressed.
Workers are not wrong that some approved tools are limited. They’re not wrong that unapproved tools are sometimes more capable. The answer to that is not to give everyone permission to use whatever they want. The answer is to move faster on vetting and approving better tools so the gap between sanctioned and useful closes.
Governance that forces people to choose between compliance and effectiveness will lose that choice every time. Because effectiveness is what they’re being paid for.
The Faust Baseline was built on a version of this same finding.
Fourteen months of daily operational work inside AI systems produced one consistent observation: a governance framework that isn’t enforced at the moment of behavior is not a governance framework. It’s a document. It may be a very good document. It may be thorough and well-reasoned and built by serious people. But if the behavior doesn’t match the policy at the moment of action, the policy doesn’t exist in any meaningful sense.
The TrustedTech research is showing the same thing at the organizational level.
The executives have the policy. They helped write it. They understand it. And then, at the moment of action — the moment the slide deck needs to be done and the approved tool is clunky and the unapproved one is right there — the policy doesn’t exist.
That gap between policy and behavior is not a training problem. It’s not a communication problem. It’s not a tools problem, though better tools help.
It’s a governance problem. And governance problems don’t get solved by adding more words to the policy document.
They get solved by leadership doing the thing the policy says. Every time. In the room where nobody is watching.
Especially then.
That’s the standard. It’s not complicated. It’s just hard.
And right now, at sixty-two percent, the data says most senior leaders aren’t meeting it.
“The Faust Baseline Codex 3.5”
Author of the category “AI Baseline Governance”
Unauthorized commercial use prohibited. © 2026 The Faust Baseline LLC






