Every department has a ChatGPT project now. Where does that leave IT?
Ten months ago, generative AI arrived on every desk in Europe at once, without a procurement process, a security review, or so much as an announcement from IT. Since then, the pattern in most enterprises has been the same: marketing is drafting with it, legal is summarizing with it, developers are coding with it, and somewhere a working group is still deciding what the policy should be.
The question has quietly changed underneath that working group. It is no longer whether these tools are useful; the usage statistics have answered that. It is who is accountable for how they are used, and right now, in most organizations, the honest answer is nobody in particular.
Prohibition has already failed
Several large companies made headlines this year by banning the tools outright, and their experience is instructive: usage moved to personal phones and personal accounts, which is to say, to exactly the places where no control, no logging, and no contract applies. A ban does not stop the behavior. It only stops the visibility.
The choice is not between governed AI and no AI. It is between governed AI and invisible AI.
Why this feels familiar
IT leaders who lived through the consumer cloud era will recognize the shape of this exactly. A decade ago it was file-sharing and SaaS tools that arrived on employees' own initiative, useful enough that people adopted them faster than IT could evaluate them, and dangerous only because they were invisible. The organizations that thrived did not win by banning Dropbox; they won by offering a sanctioned alternative good enough that the workaround lost its appeal, and by getting visibility over what was already happening.
Generative AI is that story again, at higher stakes, because the data leaving the building is no longer just files but the reasoning, context, and customer information people paste into a prompt. The playbook, though, is the same one the enterprise already learned once: make the governed path the easy path, and measure what is really going on before deciding what to restrict.
What accountability would look like
- A sanctioned path: access to capable models through enterprise agreements, easy enough that the workaround loses its appeal.
- A data rule that executes: not a memo asking people to be careful with customer data, but screening on the path itself.
- A record: which teams use what, for what, at what cost, because every question about AI you will be asked in 2024 starts from that inventory.
Enterprises spent the last decade learning to govern API consumption without strangling it; the same architecture, a governed point of access between consumers and providers, applies almost unchanged. The tools will keep improving whether or not you are ready. Accountability is the part that does not arrive on its own.