No one knows what to put in their AI policy
Whether it’s shadow AI chaos or AI policy confusion, no one knows how to do AI safely – but the pressure to do something grows by the day. But help's on the way.
Hi there,
Welcome to FILED Newsletter, your round-up of the latest news and views at the intersection of data privacy, data security, and governance.
This month:
- 80% of Australians want the govt to regulate AI
- Hackers target millions of Balenciaga, Gucci and Alexander McQueen customers in an attack
- 23andMe seeks a new settlement over its 2023 data breach
But first,
If you only read one thing:
Waiting for AI governance
It’s rough out there in the AI governance world. While AI adoption is growing in leaps and bounds, governance lags behind. Companies don’t know where to start with governing AI, and as we’ve talked about before in this newsletter, shadow AI is a growing concern for organizations seeking to limit their risk. We hear this when we’re out at events or talking to potential customers, and the data backs it up.
According to a recent Anagram survey, 78% of respondents said they’re already using AI tools on the job, sometimes in the absence of clear company policies, and 45% confessed to using banned AI tools at work. Shadow AI exposes businesses to data risks, compliance breaches, and reputational damage. It’s very easy for an employee to copy and paste customer PII into a free version of an AI tool, as we saw in Australia last year when an employee of Victoria’s child protection agency was found to have entered significant amounts of personal information, including the name of an at-risk child, into ChatGPT.
But having a policy is just one hurdle for organizations seeking to use AI responsibly. While 44% of organizations have AI governance policies according to a report from labor law firm Littler, most lack the infrastructure to enforce them effectively.
In a recent EY survey, just a third of companies said they had responsible controls for current AI models, despite nearly three-quarters having AI integrated into initiatives across the organization.
That’s the current tech, but things don’t look better when it comes to agentic AI. Per that EY study, 76% of surveyed companies are currently using or planning to use agentic AI in the next year, but only 56% are familiar with the associated risks.
Help is coming
The numbers here are illustrative of a broader trend that’s obvious when you talk to any business leader in charge of compliance or governance: AI feels inevitable but impossible to control. We’ve seen this issue and we’ve been working on a solution to help companies of all sizes to not only develop their AI policy but actually enforce it too. It drops next week, and we’re really excited to show you all. We want to help organizations of all sizes to safely get started with AI governance without costly delays or false starts, and we’ve built a tool that’ll help. Watch this space!
🕵️ Privacy & governance
A data broker owned by several major United States airlines, including American Airlines, United, and Delta, is selling access to five billion plane ticketing records to the US government, for use in warrantless searching and monitoring of people’s movements, including by the FBI, Secret Service, ICE, and many other agencies, according to a new report by 404 Media.
The US Homebuyers Privacy Protection Act, signed into law early this month, amends the Fair Credit Reporting Act to restrict the sale of consumer information generated when borrowers apply for residential mortgage loans.
🔐 Security
🔓 Breaches
1.1 million Farmers Insurance customers were impacted by a data breach linked to a Salesforce hack.
Skincare giant Clarins was allegedly hit in a data breach with 600,000 customers exposed.
Hackers have started leaking New Orleans sheriff ransomware data.
🧑‍⚖️ Legal cases & breach fallout
Genetic testing company 23andMe is seeking a $50 million settlement to resolve claims from its 2023 data breach that exposed genetic and other personal information of about 6.4 million U.S. customers. A $30 million settlement had been reached last September, before the company’s bankruptcy, and won conditional approval from a San Francisco federal judge in December.
Executives of organizations that suffered high-profile, high-impact hacks recount how the experience impacted them (TLDR: badly!).
Happy birthday, Zero Trust, the cybersecurity concept that turned 15 years old on September 14.
🤖 AI governance
OpenAI reveals the top use-cases for ChatGPT – writing and editing copy is very popular, as is using the tool as a search engine, but a lot of people are using it for help making decisions.
The latest from RecordPoint
🎧 Listen
Are the robots coming to replace records managers? Or are these humans perfectly equipped to help their organizations safely harness AI?
Anthony and Kris delve into the question with Kaan Volkan, a solutions consultant at ZL Tech and regular ARMA and RIMPA speaker.