A CTO at a Dubai private equity told me their AI usage went from 160 thousand requests a month to 1.8 million in under a year. None of it was sanctioned by IT. Employees were pasting client data into Claude, ChatGPT, Gemini, anything they could access from a browser. The bank had a policy. The policy was being ignored at scale because the productivity gains were too obvious to walk away from. They managed to track the requests based on active browser sessions. The actual reality is shadow AI use exploding inside every regulated institution while compliance teams pretend it is not happening. The banks figuring this out first are not banning AI. They are giving employees a governed alternative such as NodeShift that is faster and easier than the shadow tools, with full audit trails and UAE PDPL-compliant redaction underneath. That is what NodeShift was built for.
This is also just the beginning. The more people that trust AI (I still think many are early on this journey), the greater the usage and dependence is going to become. Productivity levels should increase fairly drastically. The big question many orgs will fail to answer is accountability: does this fall on AI or the employee if the employee is using AI to make the core recommendations and even decisions in some cases? Mega exciting times ahead, but also a load of org mindset resets required to maximise the resources they will have within AI. Great post and example though, very interesting indeed!
This same thing was happening in my company also. My company works in ESG reporting and we collect emission and other important data of clients, and consultants were using ChatGPT or Anthropic. So I created a resource in Azure Foundry, deployed GPT-4.1, set up an Azure Entra ID application for my organization only, and then created a fork of LibreChat (https://github.com/danny-avila/LibreChat). Over a weekend, I worked on it, deployed it on a VM in Azure and showed it to my product manager. He loved it, my manager loved it, and I gave a KT to the team. That wasn't easy, some tried to make it their own project, but in the end, my company was using it. After a year of working on it, adding TTS and STT models, and adding Mistral OCR to it, the project inspired an agentic AI application in my company, which I was able to work on.
One of the biggest challenges emerging across regulated sectors is that AI adoption is happening much faster than governance frameworks can evolve. In healthcare especially, the future will likely depend on creating systems where productivity, compliance, privacy, interoperability, and structured clinical workflows can coexist rather than compete with each other.
I’d challenge the narrative that these 'productivity gains' are a net positive. When employees are pasting sensitive client data into any browser tool they can access, they aren't just 'working faster'; they are accumulating massive, hidden liabilities that far outweigh any temporary speed boost.
Putting client data into Claude, GPT or any LLMs which are on public cloud is a big mistake. I understand they need a quick task done, but it is a huge risk. I use LMStudio these days for anything like this; it at least runs locally on your computer, completely safe for any sensitive information related work.
Don't all LLM providers, or at least the big ones, have business and corporate accounts that don't leak/save the data you give them?
That’s why we are working on Nexusdesk.io, helping regulated institutions track their AI data.
Yes, many organizations still underestimate how much sensitive enterprise data employees are sharing with AI tools during everyday work. The challenge is no longer just malware or phishing. It’s understanding how enterprise data moves through browsers and AI applications in real time.
160K to 1.8M requests in a year tells you everything, doesn't it? People paste client data into a browser tool because the productivity gain is real and immediate, and nothing sanctioned comes close. A policy ignored at that scale was never a control. It was a hope. And it isn't only banks. The same thing is happening inside ministries and public sector entities too, possibly with citizen data instead of client data. The stakes are higher and the visibility is lower.