Artificial intelligence is no longer a specialist tool. It has slipped into office suites, customer platforms, HR software, and productivity apps, often invisibly. Staff may work with AI without ever realizing it. This creates a new governance challenge: the difference between known and unknowing AI use, and the distinct risks each brings.
What counts as “known” and “unknowing” use?
Known AI use happens when employees are fully aware that they are using an AI tool. They might open ChatGPT to draft a report, run an AI-powered transcription tool, or use a customer service chatbot built into their workflows. In these cases, the presence of AI is clear, and ideally supported by policy, training, and oversight.
Unknowing AI use, by contrast, occurs when employees interact with AI without being aware of it. Sometimes this happens because vendors quietly add AI features into everyday software. Other times, staff misremember whether something was generated by themselves or by AI, a phenomenon researchers call the “AI memory gap.” In both cases, people act as though they are using a standard tool, not an AI system with different implications for accuracy, privacy, and compliance.
The risks of unknowing AI use
The greatest danger of unknowing AI use is that people do not adjust their behaviour to manage the risks. They may paste sensitive information into a system that quietly routes through an external AI provider. They may assume an answer is human-curated when in fact it comes from a model prone to hallucinations. And they may rely on outputs without question, unaware of the biases or data practices underpinning the tool.
Unknowing use also undermines accountability. If a flawed decision traces back to AI involvement that nobody realized or remembered, who is responsible? Regulators, particularly under the EU AI Act, expect organizations to disclose and document AI use. Hidden or forgotten AI undermines this transparency and exposes organizations to compliance failures.
Why awareness matters
The distinction between known and unknowing use boils down to awareness. Risks escalate when staff do not know they are using AI, because they are less likely to apply caution, follow policy, or ask questions. Conversely, when AI use is recognized and declared, risks can be managed, but the responsibility to prove governance increases.
How organizations can respond
The first step is visibility. Organizations should map where AI appears in their environment, including embedded features in vendor software, and unofficial “shadow AI” tools used by staff. Policies should then require disclosure of AI use, so unknowing use becomes known.
Education is equally important. Staff need simple, role-specific training that explains not just how to use AI effectively, but how to recognize when they are using it at all. Vendors should be pressed to disclose where AI is embedded, so buyers are not left in the dark.
Finally, governance needs to be operational. Approved tool lists, usage monitoring, and learning are lightweight measures that help organizations meet regulatory expectations.