The Finding That Should Reframe the Conversation

A recent report found that two-thirds of workers are secretly using AI applications their employers have explicitly banned, and a substantial portion of those workers are feeding sensitive organizational data into tools like ChatGPT in the process (Business Insider, 2025). The instinctive corporate response has been to frame this as a governance failure, a matter of policy enforcement and employee training. That framing is wrong, and getting it wrong has real organizational consequences.

What this data actually describes is a coordination failure, specifically the kind that emerges when an organization's formal structure cannot keep pace with the informational environment its workers already inhabit. The workers are not acting against organizational interests. Most of them are attempting to do their jobs more effectively. The gap between what is permitted and what is used reflects a mismatch between where competence now lives and where institutional authority still assumes it resides.

Shadow AI as Endogenous Competence Development

The Algorithmic Literacy Coordination framework I am developing treats platform competence as something that develops endogenously through participation, not something organizations can distribute from the top down through policy documents (Kellogg, Valentine, and Christin, 2020). When two-thirds of your workforce has already built working knowledge of a tool through unsanctioned use, you are looking at a population that has undergone informal schema development. They have constructed mental models of what these systems do, where they are useful, and how to prompt them effectively. That knowledge did not come from a compliance training module. It came from experimentation.

This creates a specific organizational irony. The workers most likely to be using banned AI tools are also, by the logic of endogenous competence development, the workers who have developed the most actionable literacy about those tools. Punishing or restricting that population through enforcement does not reduce AI risk in any meaningful sense. It removes the people best positioned to help the organization understand what it is actually dealing with.

Why "AI Literacy Training" Will Not Fix This

The corporate reflex, once governance failures become visible, is to deploy training. Expect a wave of mandatory AI literacy modules and acceptable use policy refreshers across enterprise organizations in the coming quarters. The research literature gives us strong reasons to be skeptical about whether these interventions will produce behavior change. Algorithmic awareness and operational competence are not the same thing (Gagrain, Naab, and Grub, 2024). Workers can pass a quiz about what AI does and still have no improved capacity to use it appropriately or evaluate its outputs critically.

The distinction that matters here is between routine and adaptive expertise (Hatano and Inagaki, 1986). Procedural training, which is the kind most corporate AI programs deliver, produces workers who can follow a checklist in familiar contexts. It does not produce workers who can make sound judgments when they encounter a novel situation, which is precisely what working with generative AI systems requires on a daily basis. The workers who built competence through unsanctioned use likely have more adaptive expertise than those who completed the official training and then stopped engaging with the tools.

The Structural Schema Organizations Are Missing

Gentner's (1983) structure-mapping theory holds that transfer occurs when learners develop accurate relational schemas rather than surface-level familiarity. Applied to the shadow AI problem, this means organizations are not losing control because workers lack awareness of the rules. They are losing control because neither the workers nor, frankly, most of the compliance teams setting the rules have an accurate structural understanding of how these tools process, retain, and potentially expose data. Folk theories about AI risk, individual impressions formed without systematic investigation, are driving both the overcautious bans and the casual disregard for them (Hancock, Naaman, and Levy, 2020).

The security literature referenced in recent reporting supports this. Bolted-on AI features are generating high-severity vulnerabilities that are being remediated more slowly than other vulnerability classes. That pattern is consistent with an organization that is reacting to AI capability without having developed the structural understanding needed to evaluate risk accurately. The compliance regime and the shadow usage are, in this sense, two symptoms of the same underlying deficit.

What Organizations Should Actually Do

The workers already using these tools are not the problem. They are an organizational asset that is currently being misclassified as a liability. A more theoretically coherent response would involve bringing that informal competence into sanctioned channels, studying what those workers have actually learned, and using that information to build schema-level understanding across the organization rather than procedural policy compliance. Rahman (2021) describes how algorithmic environments create invisible constraints that workers navigate without institutional support. The more productive question is not how to stop that navigation, but how to make it structurally visible so organizations can learn from it.

The two-thirds figure is not a warning about rogue employees. It is a measurement of how far organizational policy has already fallen behind the informational environment. Treating it as a compliance problem delays the more important reckoning about what coordination actually looks like when the tools are smarter than the rules written to govern them.