Your Best People Are Breaking Your AI Rules | QuantalAI
Home Insights The people bending your AI rules are usually the ones getting the most out of AI, which makes their workarounds worth reading.
AI Governance

The people bending your AI rules are usually the ones getting the most out of AI, which makes their workarounds worth reading.

By QuantalAI Solutions Team · 13/07/2026

The 2026 Work AI Index shows your best staff break AI rules most. Here's why those workarounds are a signal to read, not a problem to shut down.

Somewhere in your business, your most capable person is using an AI tool you never approved, in a way your policy doesn’t allow, and they haven’t told you. When a leader finds this, the instinct is to clamp down. Lock the tool, restate the rules, and remind everyone what they signed. The 2026 Work AI Index suggests that instinct gets it almost exactly backwards, because the people most likely to break your AI rules are the same people getting the most real value out of AI in the first place.

If you run a small or mid-sized business, this is a signal worth reading rather than a problem to stamp out. When a strong performer routes around the tool you gave them, they’re showing you something that tool couldn’t do. The useful response isn’t to catch them. It’s to find out what they found, and build your support around it.

Your best people are the ones breaking the rules

The report draws a clean line between two kinds of AI user. There are people who get faster, and there are people who get faster and better at the same time. That second group, the ones who report gains in both their productivity and the quality of their work, are your high achievers. When you look at how they actually work, almost none of it matches the obedient power user a policy imagines.

They’re more sceptical, not less. In the past month, 79% of high achievers caught and fixed an error the AI made, against 64% of low achievers. They’re also 18% more likely to decide a task is better done without AI at all. They treat the tool as something to supervise, not something to trust.

They’re also the most likely to colour outside the lines. More than half of them, 54%, use tools their employer hasn’t approved or use approved tools in ways the policy forbids, and 36% hide how much AI is really helping them. They aren’t cutting corners. They’re working around an official setup that’s too slow, too narrow, or too far from the actual work to be worth using.

Picture a professional services firm of [14 people]. (The figures in this example are illustrative, not from the report.) Their best consultant has quietly started using an AI tool nobody signed off on to draft the first pass of client reports. She reformats the data by hand each time to feed it in, on her own time, and she doesn’t mention it, because the approved tool sits untouched in a browser tab while hers actually helps.

This is a governance gap, not a discipline problem

If that sounds like something to train out of people, look at who does the most of it. It isn’t the juniors. Executives are more likely to work around their own AI rules than the people below them, 54% against 48%. The people who wrote the policy are the most confident it doesn’t apply to them when a deadline is close. So much for the idea that workarounds are a junior compliance issue.

This is the difference between having an AI policy and having AI governance, and most businesses are stuck in the gap. Half of all workers admit to using unapproved AI tools. Two in five say their company’s policy is never reviewed or updated, and 14% have never read it at all. A policy is a document somebody posted to the intranet. Governance is what actually happens at five o’clock, when the approved tool is clunky and the unapproved one just works. In most companies those two things aren’t the same, and everyone except the leadership team seems to know it.

There’s a real risk in here, and it’s worth naming plainly. When your consultant pastes client details into a tool you haven’t checked, your obligations under the Privacy Act 1988 and the Australian Privacy Principles still apply. That’s the genuine exposure. But the deeper cost is quieter. Your best people are carrying a load of unrecognised, unrewarded work to make AI useful, and slowly deciding the business neither sees it nor values it. People who carry that load without thanks don’t carry it forever. First they get tired, then they get cynical, then they start looking for an employer who has worked this out.

Smaller businesses can build around what works

Smaller businesses have an odd advantage here, because most of them never built the bureaucracy in the first place. There’s no thick AI policy to defend and no committee invested in protecting it. That means a smaller firm can do the sensible thing without dismantling the unsensible one first. It can build its governance around what already works, instead of around what someone imagined would work.

The payoff shows up in the numbers. In organisations where the information people need is actually reachable by their AI, unapproved tool use falls to 21% from 53%, hidden AI use drops to 19% from 43%, and low-quality AI work halves to 26% from 54%. When the sanctioned path genuinely works, people stop leaving it. It’s also worth measuring the right thing. Three in four workers say AI makes them more productive, yet only 13% say their organisation performs meaningfully better, and firms that measure quality alongside speed report higher quality gains, 83% against 68%, than those watching output alone.

So the sensible move is to stop treating each workaround as something to catch and start treating it as something to read. When a strong performer drops the tool you provided for one you didn’t, the interesting question isn’t how to stop them. It’s what yours failed to do. Find out which information the official path couldn’t reach, which step it made slower, and which output it made worse. Back at that advisory firm, the honest answer was that the approved tool couldn’t see the client files at all, which is why their best consultant was copying data across by hand. So they built an agent that could reach those files properly and drafted reports inside the workflow the team already used. The workaround became the supported path. That’s the sort of work AI agents built for professional services are suited to, and it’s worth revisiting often, because the tools and the work both move faster than any document will.

What this means for you

Your shadow AI users have run an experiment for you, at their own risk and on their own time. They’ve tested which tools survive contact with a real deadline and which ones don’t. The waste isn’t that they broke a rule. The waste is having that result sitting in front of you and choosing to write another rule instead.

Read the workarounds, promote the ones that work, and you keep two things at once: the productivity your people have already found, and the people themselves. If you want to see what that looks like built around how your business actually runs, take a look at how we approach AI agents on our website.

Frequently asked questions

What is shadow AI?
Shadow AI is when employees use AI tools their employer hasn't approved, or use approved tools in ways the policy doesn't allow. The 2026 Work AI Index found that half of all workers do it. It usually isn't rule-breaking for its own sake, but people reaching for a tool that helps when the official one doesn't.
Is shadow AI always a security problem?
Not always, though the risk is real. If staff paste client or customer details into a tool you haven't vetted, your obligations under the Privacy Act 1988 and the Australian Privacy Principles still apply. But the report suggests the bigger cost is often losing your best people, who quietly carry the extra work of making AI useful and burn out when it goes unnoticed.
Does having an AI policy count as AI governance?
No. A policy is a document. Governance is what actually happens when the approved tool is slow and an unapproved one works better. The Index found that two in five companies never review their policy and 14% of workers have never read it, which is how a policy and real behaviour drift apart.
How can a small business handle shadow AI well?
Smaller firms have an advantage, because they never built heavy AI bureaucracy to defend. That lets them build governance around what already works. When a strong performer adopts an unapproved tool, treat it as a test result, then find out what your approved tool couldn't do and support the better path.
Where should we start with AI governance?
Start by reading your workarounds instead of banning them. Look at which tools your best people reach for and what the official option failed to do, whether it couldn't reach the right information or made a step slower. Then promote what works into the path you support, and revisit it regularly as the tools change.