Agency owners, Shadow AI is the silent leak in your operation. Learn how to spot it, stop it, and still let your team use AI safely.

Agency owners, here’s the stat that should stop you mid-scroll: MIT’s Project NANDA found 95% of organizations are getting zero return on GenAI investment (MIT, Project NANDA “State of AI in Business 2025”).
My take: AI isn’t failing, Shadow AI plus weak foundations are.

Even if your agency hasn’t “implemented AI,” your team already has. Microsoft reports 75% of knowledge workers use AI at work, and 78% of AI users bring their own AI tools to work (Microsoft Work Trend Index, 2024). That’s Shadow AI, people using AI outside IT/security visibility.

Insurance agencies are uniquely exposed because our daily workflows touch sensitive data: loss runs, policy docs, claim notes, COIs, driver/VIN info, payroll/class codes, and more.

Now add the visibility problem: corporate data is flowing into AI tools in ways most leaders never see, often through personal logins. Cyberhaven found 73.8% of workplace ChatGPT usage is through non-corporate accounts, and that corporate data sent to AI tools surged dramatically year-over-year (Cyberhaven, Q2 2024 AI Adoption & Risk Report).

And it’s not slowing down. Netskope reports growing genAI data policy violations at scale across organizations (Netskope Cloud & Threat Report, 2026).

Here’s what should worry you: non-corporate AI accounts and personal AI apps typically don’t include enterprise safeguards like enforced SSO, DLP, audit logging, access controls, and contractual privacy terms. And depending on the provider and settings, what people paste into consumer AI tools can be used to improve/train models (OpenAI consumer data-use policy; business offerings differ).

That’s one of the biggest reasons AI ROI stalls. If we can’t trust the foundation, we can’t safely connect AI to real agency workflows, so we get stuck in pilot purgatory.

For agencies, ROI breaks down when:

• Data is scattered (AMS, CRM, carrier portals, email, shared drives)
• Permissions/rights aren’t clean (“who can see what?”)
• Security controls aren’t enforced (identity, DLP, logging)
• AI isn’t embedded into repeatable workflows

A solid data security + permissions + security-controls foundation is fundamental—not just for safe AI, but for an AI implementation that actually delivers on the ROI promise.

So what can an agency do this month to make sure AI is secure and ROI-positive?

1. Run an “AI reality audit” (no blame): tools, use cases, data types
2. Publish a plain-English AI policy: what’s never allowed + what tools are approved
3. Fix the foundation: role-based access, least privilege, logging, DLP
4. Train your team using agency scenarios (renewals, claims, COIs, proposals)

Closing:
Done right, AI absolutely produces real ROI in an insurance agency, starting with simple wins like better emails, faster summaries, cleaner proposals, and quicker renewal prep with large language models your team can prompt confidently. Then it scales into AI agents and automated workflows that reduce touches, speed up service, and improve consistency. But you only get that ROI if the foundation is in place: secure, organized data + clean rights/permissions + strong security controls + a clear AI use policy + oversight + training.

That’s exactly why we built our Agency AI Foundation and AI Agency Roadmap—to take agencies from “everyone’s experimenting in the shadows” to a safe, governed rollout that actually sticks. We help you map the use cases, organize the data structure, lock down security rights and permissions, set the policy and guardrails, train the team, and run the change management so adoption is real and measurable.

If you want to stop guessing and start getting ROI from AI the right way, contact me directly.
Jerry Fetty is the Founder of SMART Services and has spent 35+ years helping independent insurance agencies modernize their technology, strengthen cybersecurity, and operate more efficiently. Today, his focus is helping agencies adopt AI the right way, with a secure foundation, clean data structure, clear policies, and real-world training that produces measurable ROI.

References (with links)

• MIT Project NANDA, State of AI in Business 2025 (GenAI Divide report):
  https://mlq.ai/media/quarterly_decks/v0.1_State_of_AI_in_Business_2025_Report.pdf
• Microsoft, 2024 Work Trend Index (AI at work):
  https://www.microsoft.com/en-us/worklab/work-trend-index/ai-at-work-is-here-now-comes-the-hard-part
• Microsoft blog, 2024 Work Trend Index (75% use AI, 78% BYOAI):
  https://blogs.microsoft.com/blog/2024/05/08/microsoft-and-linkedin-release-the-2024-work-trend-index-on-the-state-of-ai-at-work/
• Cyberhaven, Q2 2024 AI Adoption & Risk Report (non-corporate accounts, sensitive data):
  https://info.cyberhaven.com/hubfs/Content%20PDF/Cyberhaven%20Q2%202024%20AI%20Adoption%20and%20Risk%20Report%20052024.pdf
• Netskope, Cloud & Threat Report 2026 (genAI data incidents):
  https://www.netskope.com/resources/cloud-and-threat-reports/cloud-and-threat-report-2026
• OpenAI, How your data is used… (consumer vs business training posture):
  https://openai.com/policies/how-your-data-is-used-to-improve-model-performance/