AI Governance: Controlling Employee AI Usage at Work

Your employees are already using AI. Whether you authorized it or not, they're pasting emails into ChatGPT, summarizing documents with Claude, analyzing spreadsheets with Gemini. According to a 2025 Salesforce study, 52% of employees use generative AI tools at work, and more than half do so without explicit company approval.

The problem isn't that people use AI. The productivity value is real. The problem is that this usage happens outside any governance framework, exposing your company to data leakage, regulatory non-compliance, and unmanaged technology dependencies.

This article explains how to regain control over AI usage in your organization using three layers of protection: browser controls, cloud AI gateways like Cloudflare AI Gateway, and enterprise solutions like AWS Bedrock.

Why uncontrolled AI usage is a major risk

Sensitive data leakage

Every prompt sent to ChatGPT, Claude, or Gemini travels through external servers. When an employee pastes a client contract, financial report, or proprietary code into these tools, that data leaves your security perimeter.

OpenAI states clearly in their terms of service that conversations may be used to train their models unless you explicitly opt out or use their Enterprise API. Result: your trade secrets could end up in the training data of a public model.

In 2024, Samsung banned ChatGPT after engineers leaked confidential source code by asking the chatbot to optimize it. Three separate incidents were identified within a single month. The engineers did not intend to leak data; they simply wanted to improve their code. But the consequences were severe: Samsung had to investigate the extent of the exposure, notify affected parties, and implement emergency policies.

This pattern repeats across industries. A 2025 Cyberhaven study found that 11% of data pasted into ChatGPT is confidential. For companies in regulated industries like finance, healthcare, or legal services, this creates significant liability exposure.

Regulatory non-compliance

For Moroccan companies working with European clients, GDPR imposes strict obligations on transferring personal data to third countries. Using ChatGPT to process client data without proper contractual frameworks constitutes a potential violation.

Morocco's CNDP (National Commission for Personal Data Protection) has also strengthened its data protection requirements since 2024. Under Law 09-08, organizations must implement appropriate technical and organizational measures to protect personal data. Uncontrolled AI usage directly contradicts this requirement.

The penalties are not theoretical. In 2025, Italian authorities fined a company 15 million euros for GDPR violations related to AI data processing. The company had allowed employees to use ChatGPT for customer service without implementing adequate safeguards.

Shadow IT and technical debt

When every employee uses a different tool, you create invisible technical debt. Workflows become dependent on unvalidated tools. Institutional knowledge fragments. And when one of these tools changes its terms or pricing, you have zero visibility on the impact.

Shadow AI creates additional risks beyond data leakage. Employees may rely on AI outputs without proper verification, leading to errors in customer communications, financial calculations, or legal documents. When something goes wrong, there's no audit trail to understand what happened.

Level 1: Browser-level controls

The first line of defense involves controlling access to generative AI sites directly at the browser and network level.

DNS and proxy blocking

For company-managed devices, you can configure DNS filtering rules to block access to:

• chat.openai.com
• claude.ai
• gemini.google.com
• poe.com
• perplexity.ai

Solutions like Cloudflare Gateway, Cisco Umbrella, or Zscaler let you create centralized blocklists and generate usage reports. These tools integrate with your existing identity management systems, enabling policies like "allow AI access for engineering team, block for finance team."

Implementation typically takes 2 to 4 hours for a small organization. You configure the DNS filtering at your network edge or through endpoint agents, then create category-based policies for AI sites.

Windows/macOS group policies

On devices managed via Microsoft Intune, Jamf, or classic GPOs, you can deploy policies that:

• Disable AI-related browser extensions
• Block installation of desktop apps like ChatGPT or Claude
• Restrict site access via whitelists

For Microsoft 365 environments, you can also use Conditional Access policies to require specific conditions before accessing AI services, such as device compliance, location, or multi-factor authentication.

Limitations of this approach

Pure blocking has several drawbacks:

• Employees work around it with personal phones
• You lose the productivity value of these tools
• It creates a culture of distrust rather than accountability

Studies show that overly restrictive IT policies increase shadow IT usage by 40%. Employees who feel blocked will find workarounds, often using less secure methods than the tools you originally tried to block.

This is why blocking alone is usually not the right answer. It must be accompanied by validated alternatives.

Level 2: Cloudflare AI Gateway as an intelligent proxy

Cloudflare AI Gateway represents a more sophisticated approach. Rather than blocking AI, you channel it through a central control point.

How it works

AI Gateway acts as a proxy between your applications and AI providers (OpenAI, Anthropic, Google, etc.). All requests pass through Cloudflare, giving you:

• Complete visibility: logs of all requests, tokens consumed, models used
• Cost control: spending limits per user, team, or application
• Smart caching: responses cached to reduce costs and latency
• Content filtering: rules to block certain types of requests

The architecture is straightforward. Your applications call the Cloudflare endpoint instead of the AI provider directly. Cloudflare handles authentication, logging, caching, and rate limiting before forwarding requests to the actual AI service.

Deployment for an SME

To deploy AI Gateway, you need to:

1. Create a Cloudflare account (free plan available)
2. Enable AI Gateway in the dashboard
3. Configure your applications to route API calls through the Cloudflare endpoint
4. Define filtering rules and budgets

Cost starts at $0 for 100,000 requests per month, which easily covers an SME's testing needs. The Pro plan at $20 per month adds advanced analytics and higher limits.

For organizations building internal AI tools, this means you can create a centralized API that all employees use. The API handles authentication, tracks usage, and enforces policies. Employees get the productivity benefits of AI while you maintain control.

Concrete use case

A 25-person Moroccan communications agency deployed AI Gateway in January 2026. Results after three months:

• Visibility on 47,000 AI requests per month
• Identified 3 employees generating 60% of costs
• Caching reduced costs by 23%
• Zero data leakage incidents detected

The agency now has clear policies about what data can be submitted to AI tools. Employees have access to approved AI capabilities through internal tools, reducing the temptation to use unauthorized services.

Level 3: AWS Bedrock for total control

For companies with high security requirements or significant volumes, AWS Bedrock offers maximum control.

Bedrock advantages

Bedrock is a fully managed generative AI platform from AWS that lets you access models from Claude (Anthropic), Llama (Meta), Mistral, and others while keeping your data in your AWS account.

• Data isolation: your prompts never leave your VPC
• No training on your data: AWS and model providers commit contractually
• IAM integration: granular access control by user and role
• Compliance: SOC 2, ISO 27001, HIPAA certifications available
• Guardrails: configurable filters to block sensitive content

Bedrock Guardrails deserve special mention. You can configure filters that automatically block prompts containing personally identifiable information, financial data, or other sensitive content. If an employee accidentally pastes a customer's social security number, the system blocks the request before it reaches the model.

Recommended architecture

For a robust implementation:

1. Private VPC: deploy Bedrock in a VPC without direct internet access
2. Internal API Gateway: create a custom API that wraps Bedrock calls
3. CloudWatch logging: trace all requests with detailed metrics
4. Secrets Manager: manage API keys centrally

This architecture ensures that all AI interactions are logged, auditable, and compliant with your data governance policies. Integration with AWS CloudTrail provides a complete audit trail for compliance reporting.

Costs for a Moroccan SME

AWS Bedrock charges by usage. For Claude 3.5 Sonnet (the most popular model):

• Input: $3 per million tokens
• Output: $15 per million tokens

An SME with 50 employees using AI moderately can expect a monthly bill of $200 to $500. That's a reasonable investment compared to the risks of uncontrolled usage. The predictability of usage-based pricing also helps with budget planning.

4-step deployment strategy

Step 1: Audit existing usage (week 1-2)

Before deploying anything, understand current usage:

• Analyze DNS/proxy logs to identify AI site access
• Survey teams about their usage and needs
• Identify high-value use cases vs frivolous usage
• Map potentially exposed sensitive data

This audit often reveals surprises. Many organizations discover that AI usage is 2 to 3 times higher than expected, concentrated in specific departments, and already integrated into critical workflows.

Step 2: Define the policy (week 3)

Write an AI usage policy that defines:

• Authorized and prohibited tools
• Data types that can or cannot be submitted
• Validation processes for new use cases
• Consequences for non-compliance

The policy should be practical, not just prohibitive. Include examples of approved use cases and clear guidance on how to request exceptions. Involve department heads in the drafting process to ensure the policy reflects real business needs.

Step 3: Technical deployment (week 4-6)

Depending on your maturity level and requirements:

• Basic level: DNS blocking + written policy
• Intermediate level: Cloudflare AI Gateway + training
• Advanced level: AWS Bedrock + internal API + monitoring

Start with the level that matches your current capabilities. You can always upgrade later as your needs evolve.

Step 4: Training and support (ongoing)

Technology alone isn't enough. Train your teams to:

• Recognize sensitive data that shouldn't be shared
• Use validated tools effectively
• Report needs not covered by current policy

Regular refresher training and clear communication channels ensure that employees understand and follow the policy. Consider appointing AI champions in each department who can answer questions and escalate issues.

What this means for your business

AI governance is no longer optional. Companies that ignore this issue face growing risks: data leaks, regulatory non-compliance, uncontrolled costs.

But the answer isn't to block AI. It's to channel it. The three levels presented in this article (browser controls, AI Gateway, AWS Bedrock) let you choose the control level suited to your context.

For Moroccan SMEs, we recommend starting with Cloudflare AI Gateway: it's free to start, simple to deploy, and provides immediate visibility into usage. You can then evolve to Bedrock if your security or volume needs justify it.

At ClaroDigi, we help Moroccan businesses implement their AI governance. Our digital strategy consulting service includes a complete audit of your AI usage and a tailored roadmap.

For companies looking to industrialize their AI usage, our AI automation solution natively integrates the security best practices presented in this article.

FAQ

Can I use ChatGPT Plus or Claude Pro securely for business?

Individual subscriptions (ChatGPT Plus, Claude Pro) don't offer sufficient contractual guarantees for professional use. Your data may be used for training. For secure usage, prefer ChatGPT Enterprise, Claude for Business, or a solution like AWS Bedrock that provides clear contractual commitments.

Does Cloudflare AI Gateway work with all AI providers?

AI Gateway supports major providers: OpenAI, Anthropic (Claude), Google (Gemini), Azure OpenAI, Hugging Face, and others. The list expands regularly. For unsupported providers, you can use "universal" mode which routes any endpoint.

What's the total cost for a 30-person SME?

For an intermediate approach with Cloudflare AI Gateway: $0 to $50 per month for the gateway, plus underlying AI API costs ($200 to $500 per month depending on usage). Total budget of $300 to $600 per month. For AWS Bedrock, expect $300 to $800 per month all-in, but with a higher security level.

How do I manage employees using AI on personal devices?

You can't technically control personal devices. The solution comes through policy and training: explain the risks, provide attractive validated tools, and hold teams accountable. If an employee prefers using their personal phone for work tasks despite secure alternatives, that's a management problem, not a technology one.

Has Morocco's CNDP issued guidelines on AI usage?

CNDP hasn't yet published specific guidelines for generative AI, but existing principles from Law 09-08 apply: consent, purpose limitation, proportionality, security. Any transfer of personal data to US AI providers must be governed by standard contractual clauses or equivalent guarantees.