Nucleo warns Irish firms on public AI governance risks

Nucleo has warned that Irish companies are creating governance risks by allowing staff to use publicly available artificial intelligence tools for work. The consultancy linked the problem to a gap between corporate AI policies and the systems employees actually use.

The Dublin-based data and AI consultancy said many businesses encourage the use of generative AI without providing approved internal tools. As a result, staff are left to choose consumer services themselves, including free public models and individually purchased large-language-model subscriptions.

The warning draws on recent Deloitte research cited by Nucleo, which found that 46 per cent of Irish companies now actively encourage the use of generative AI. At the same time, 65 per cent of workers still rely on free external tools or pay for the language model of their choice.

This pattern suggests that some employers are effectively leaving technology decisions to individual preferences rather than to centralised controls. That approach could expose businesses to risks related to data handling, accountability, and the basis for decision-making.

Irish companies have moved quickly to put formal rules in place. The same survey found that 81% of respondents now have workplace guidance on AI use.

But written policies do not remove the risks associated with unapproved software. Nucleo pointed in particular to tools that fall outside company oversight and can process business information without audit trails for employers to inspect.

"Encouraging AI use without providing governed, paid-for systems is a governance disaster waiting to happen. When 65 per cent of the workforce relies on free, public models to do their jobs, proprietary corporate data is leaving the building every single day. You cannot write a compliance policy and then leave the use of AI unsecured," said Bobby Brown, founder and CEO of Nucleo.

Policy Gap

The issue is not only where data goes, but also how much confidence workers place in machine-generated responses. Nucleo highlighted survey findings showing that more than a third of users consistently believe AI always produces factually accurate responses.

That matters particularly in regulated sectors, where management decisions may need to be explained to auditors, customers or regulators. If staff rely on external tools that cannot be monitored internally, businesses may struggle to show what information was used and whether it was reliable.

"Because so many users trust AI outputs without question, businesses face a liability challenge. We are seeing critical business decisions being made based on un-auditable, potentially hallucinated data from consumer-grade tools that the IT department cannot see or control. Under the EU AI Act regulations and strict GDPR rules, you cannot defend a business decision if you don't know what data informed it. It creates untraceable data silos across the business," Brown said.

The consultancy works with regulated and asset-heavy organisations in sectors including financial services, utilities, homecare and the public sector. These industries tend to face stricter requirements around record-keeping, traceability, and the protection of sensitive information, making oversight of AI systems a more immediate management issue.

Nucleo said companies should respond by replacing ad hoc use of public chatbots with approved internal tools and clearer operational controls. In its view, staff turn to public AI products because they are easy to access and can improve day-to-day productivity when internal alternatives are absent.

Workplace Practise

Nucleo framed the trend as a management problem rather than a purely technical one. Businesses need to align AI use with how staff actually work, rather than relying on rules that aren't supported by practical systems.

That reflects a wider tension in corporate AI adoption. Many employers want staff to experiment with generative AI to improve efficiency, but the market has moved faster than internal procurement, governance and risk controls. As a result, a company may endorse the use of AI in principle while lacking tools that meet its own standards for data protection and accountability.

For Irish businesses, the debate also comes as the EU AI Act begins to shape boardroom discussions about risk, oversight and documentation. Alongside GDPR, the regulation increases pressure on employers to understand where data is processed, who has access to it and how outputs influence decisions.

Nucleo said the answer is not to block AI use outright, but to bring it within formal company systems. "Irish firms must overcome 'Bring Your Own AI' workarounds. Staff are bypassing IT because they want to be productive, but you cannot run a secure business on consumer-grade chat bots. To protect data and ensure accurate decision-making, businesses must stop relying on external tools and deploy secure, enterprise-approved systems that actually reflect how their staff work," Brown said.