It usually starts with a specific moment rather than a general concern.
Someone on the leadership team notices that three different departments are using three different AI tools. Or a manager realizes a vendor agreement was drafted with AI assistance and nobody reviewed it properly before it went out. Or an employee mentions, offhandedly, that they have been pasting client data into a chatbot for months because it saves time.
None of these moments feel alarming on their own. But they tend to land the same way: a quiet recognition that something has been moving faster than the organization has been paying attention to it.
Those are the moments that tend to start a conversation with us. And across the nonprofits, construction firms, and manufacturers we support here in Maryland and throughout the Mid-Atlantic, we are hearing versions of the same questions more and more often. We are sharing them here because if you are asking them too, it helps to know you are not alone, and it helps to know what working through it actually looks like.
The Questions We Hear Most
“We don’t actually know what AI tools our team is using. Should we be worried?”
This is the most common starting point, and the honest answer is that it is less alarming than it feels. AI adoption in most organizations does not begin with a decision. It begins with individuals finding tools that make their day easier and using them without much fanfare. By the time leadership becomes aware, the tools are already embedded in daily workflows. That is a very human way for things to develop.
The reason it is worth understanding is not that people are using AI. It is that without visibility, there is no way to know what data is being shared with which platforms, whether those platforms meet your security or compliance standards, or whether two teams are duplicating effort without knowing it. Getting that picture clear tends to feel like a relief rather than a reckoning. That is something we can work through together.
“An employee has been putting client information into an AI tool. How do we handle that?”
It depends on the tool, how it handles data, and what kind of information was shared. In some cases it is a straightforward situation with no further action needed. In others, depending on your contractual obligations or the nature of the data involved, there may be steps worth taking.
What matters most at this point is understanding exactly what happened, which tools were involved, and whether those tools retain or train on user inputs. We work through that assessment alongside the teams we support and help determine whether any remediation is needed. It is also a useful moment to put some clearer guidance in place so the next person who finds a helpful AI tool has a framework for using it well.
“We have AI built into tools we already use, and we’re not sure how it’s configured. What should we know about our AI policy?”
These two concerns often sit together, so it makes sense to address them that way.
On the tools side: platforms like Microsoft 365 and various project management tools have been rolling out AI features that are on by default. Most are designed with reasonable security standards, but default settings are not always the right settings for every organization. Some features involve data handling that warrants a closer look before they are left running across your environment. We review these as part of how we look after the platforms your team runs on and flag anything that needs adjusting.
On the policy side: most of the organizations we work with did not have a formal AI policy until recently, and a number still do not. What matters more in the short term is a shared understanding. Who uses what tools, what data should never go into an AI platform, and what the process is if something unexpected comes up. We help teams build that understanding in a way that fits where they actually are. For a thirty-person nonprofit in Annapolis, that looks different than for a mid-size manufacturer in Frederick. The principles are the same. The shape of it reflects the organization.
“How do we know if AI is actually helping or just creating more work?”
This is a question worth sitting with. AI adoption that happens without structure tends to produce uneven results. Some people find genuine efficiency. Others spend more time reviewing and correcting AI output than they would have spent doing the work directly, without always realizing that is what is happening.
When AI is embedded in workflows we manage, we pay attention to whether it is producing reliable output or quietly generating rework. That kind of ongoing attention is part of making sure the tools are genuinely serving the organization rather than just running in the background unchecked.
What Working Through This Looks Like
When AI starts showing up in ways that feel harder to track, there are four things we focus on together with the organizations we work with.
We work to build visibility into what AI tools are being used and how they interact with your environment, because that picture changes frequently and most teams do not have a natural way to track it. We review the AI features built into the platforms we manage to make sure they are configured in a way that fits your organization rather than running on defaults. We help develop clear, workable guidance around data handling so that when someone on your team discovers a useful AI tool, they have a clear basis for using it safely. And we pay attention to the downstream effects, whether AI-generated output is being reviewed appropriately, whether it is creating any compliance exposure, and whether it is actually reducing workload or simply moving it somewhere less visible.
None of this requires a formal project or a significant disruption to how you work. It is the kind of thing that happens gradually and collaboratively, which in our experience is what tends to stick.
A Familiar Pattern
One organization we support, a construction firm in the Mid-Atlantic, had several project managers using AI tools to draft subcontractor communications. The tools were saving real time and the outputs were generally solid.
What nobody had mapped out yet was that project details, site specifics, and in some cases pricing information were being included in those prompts. The tools being used did not retain data in a way that created immediate risk, but the habit had formed around a tool that easily could have.
We worked with the leadership team to review what was being used, develop some simple guidance around what should and should not go into an AI prompt, and identify a preferred tool that met a clearer security standard. The project managers kept using AI. The process just had a little more thought behind it, and the team felt more settled for it.
That is usually how it goes. The goal is not to slow things down or create uncertainty around tools that are genuinely useful. It is to make sure what is already moving has enough structure around it that it keeps working in your favor.
Why We’re Sharing This
AI is not slowing down, and neither is the pace at which it is showing up inside the organizations we support. The questions above are not signs that something has gone wrong. They are signs that an organization is paying attention, which already puts you in a better position than most.
If any of them are questions you have been sitting with, it is worth a conversation. More often than not, the situation is more manageable than it feels from the inside, and having someone walk through it with you tends to make the path forward a lot clearer.
FAQ
Is it too late to get a clearer picture of AI usage if it has already spread across our team?
It is rarely as developed as it feels. Most situations we step into are manageable once there is a clear picture of what is actually being used. Getting to that picture is usually the work of days rather than weeks, and it tends to feel much less daunting once it is laid out in front of you.
Do we need to tell clients if their data was put into an AI tool?
It depends on the nature of the data, your contracts, and which tool was involved. We work through that assessment with you carefully. In some cases there is no obligation. In others there may be steps worth taking. The right answer always starts with understanding exactly what happened, and that is something we can help you work out.
What is the biggest area of focus with unmanaged AI in our type of organization?
For our clients in nonprofits, construction, and manufacturing, the most consistent area to pay attention to is how sensitive information is being shared. Client information, project details, donor data, or proprietary processes finding their way into platforms that were not evaluated for security or compliance is where things most often need attention. It is also one of the more straightforward things to address once it is visible.
What does getting a handle on this actually feel like in practice?
Generally it feels like a conversation first, then a clearer picture, then some practical steps that fit how your organization actually works. We are not coming in to overhaul anything. We are here to help you understand what is happening and make sure it is working in your favor. Most people find that things are rarely as complicated as they appear once someone is looking at them alongside you.