Your AI policy might be the electric fence in Jurassic Park.

by Black Hat Middle East and Africa


This week we’re focused on…

The dinosaurs. And why they were never the real problem. 

What dinosaurs? 

The ones in Jurassic Park. 

Because in Jurassic Park, the real problem was the belief that a complex system can be perfectly controlled because somebody wrote enough rules and installed enough fences. Fictional chaos theorist Ian Malcolm spends most of the film warning that life does not stay neatly inside the boundaries designed for it.

Three decades later, cybersecurity teams are having their own Jurassic Park moment with AI.

Organisations approach workplace AI with the same instinct: lock it down, narrow the approved pathways, and hope employees stay inside the fence. But employees are already showing us that when governance feels too restrictive or too disconnected from how work actually happens, people route around it.

Shadow AI is what happens when policy ignores reality

According to Harmonic Security’s 2026 AI usage index (which we wrote about in more detail on the blog this week, by the way), 64.5% of activity on personal and free-tier AI accounts is business use. Employees are using personal ChatGPT, Claude and Copilot accounts to write emails, summarise meetings, review contracts, and debug code.

They’re not being reckless – they’re just trying to get their work done. 

Companies used to worry about employees using corporate systems for personal activity, but now they have to worry about personal tools being used for work. 

And there’s irony here: policies designed to reduce AI risk may be increasing visibility gaps instead.

The Harmonic report found that 74.6% of all classified AI usage was business-related, while only 13.3% was personal use. This isn’t fringe behaviour – AI has become infrastructure for everyday work. The issue is whether organisations acknowledge that reality openly or force it underground.

The work happening in AI tools is often sensitive

Legal teams were the single largest AI users in Harmonic’s dataset, accounting for 19.5% of AI hours. Go-to-market teams dominated free-account activity. These are functions handling contracts, customer data, pricing strategies, proposals and intellectual property.

And while that’s happening, security teams are still debating whether employees should use AI at all.

So let’s return to the Jurassic Park analogy here. The park failed because the designers assumed control was static. But complex systems evolve. Human behaviour adapts – and friction changes incentives.

The same thing happens inside enterprises.

  • If the approved enterprise AI tool is clunky while the personal version is already logged in and remembers previous conversations, employees will choose convenience.
  • If policy language feels punitive or unclear, people stop asking questions.
  • If governance is framed entirely around restriction, employees associate transparency with risk.

The result is shadow AI. Employees don’t want to hide, but the workflow itself pushes them there. 

Let’s have a music lesson…

The music industry is another recent, real-life example of this. Piracy declined when streaming platforms like Spotify became easier than downloading audio files from questionable forums. The convenience changed user behaviour more effectively than punishment ever did. 

Security teams should take that music lesson seriously. The safest AI environment is the one where employees feel comfortable using approved tools openly. 

Control is not the same thing as trust

Most importantly, organisations need to stop treating AI usage as evidence of misconduct.

Because if employees believe admitting AI use creates risk for them personally, they’ll stop admitting it.

And unlike in Jurassic Park, there is no dramatic T-Rex breakout scene to announce the failure. Just a slow drift of contracts, code snippets, customer data and strategic discussions into unmanaged personal accounts.

By the time organisations notice, the electric fence has already failed.

Or, to borrow the film’s broader point: control is an illusion. So the organisations that succeed with AI will not be the ones building the tallest fences – but the ones creating environments where employees do not feel the need to climb over them.
