ChatGPT is now present in 71 percent of IT environments across the UK and US, yet formal governance measures are lagging dangerously behind, according to a new survey from cybersecurity firm Heimdal. The study, conducted in June 2026 among 1,000 IT and security professionals, paints a stark picture of a workplace AI revolution outpacing the controls designed to keep it safe—and Windows shops are on the front lines of this collision.
Microsoft Copilot and ChatGPT have become embedded in daily workflows faster than virtually any technology in recent memory. But the Heimdal data suggests that while employees and IT teams alike rush to embrace generative AI, the security frameworks, policies, and technical guardrails needed to prevent data leaks, compliance violations, and shadow AI usage are often missing. For Windows-focused enterprises, where Copilot is deeply integrated into the operating system and Microsoft 365 suite, the governance gap is especially urgent.
The Gap Between AI Adoption and Security
The Heimdal survey underscores a fundamental mismatch. The 71 percent figure for ChatGPT presence is eye-catching, but it’s what lies beneath that should alarm CIOs and CISOs. The preliminary findings, shared exclusively with windowsnews.ai, indicate that a significant portion of those same organizations have no dedicated AI usage policy, no data loss prevention (DLP) rules tailored to generative AI, and no clear process for vetting—or even detecting—third-party AI tools.
“We’re seeing a classic adoption curve where the productivity benefits of AI are being seized upon immediately, while the security implications are addressed later—if at all,” said a senior threat analyst familiar with the data. “Windows environments, because of how tightly Copilot is woven into the OS, are uniquely vulnerable to this gap.”
For IT teams, the challenge is twofold. First, employees are using ChatGPT and similar tools with corporate data, often against policy or without knowing the risks. Second, even approved AI tools like Copilot for Microsoft 365 need careful configuration to prevent oversharing of sensitive information across the Microsoft Graph—the very engine that makes Copilot so powerful.
Inside the Heimdal Survey
Heimdal’s research targeted 1,000 IT and security professionals evenly split between the United Kingdom and the United States. The sample spanned industries from finance and healthcare to education and government, with a heavy representation of organizations running Windows and Microsoft 365.
The headline number—71 percent of respondents confirming ChatGPT’s presence in their IT estate—likely includes both sanctioned and unsanctioned usage. Notably, the survey also found that only about a third of those organizations had performed a formal AI risk assessment, and fewer than one in five had rolled out any form of AI-specific security training for end users.
While the full report won’t be published until later this summer, early glimpses suggest that Copilot adoption is also surging. Within the Windows ecosystem, Copilot is not just a standalone chatbot; it’s now a system-level feature, accessible from the taskbar, Office apps, Edge, and even the Settings panel. That ubiquity makes it both a productivity boon and a potential governance nightmare.
Why Windows Shops Need AI Governance
The phrase “AI governance” can sound academic, but in a Windows-centric organization, it’s a practical necessity. Without clear rules, businesses risk exposing customer data, intellectual property, and regulated information to public large language models (LLMs) that may retain and train on inputs. With Copilot, the risk moves inside: if a user’s file permissions are broader than they should be, Copilot can surface confidential documents in a chat without any malicious intent on the user’s part.
Consider a real-world scenario: a financial analyst at a Windows 11 desktop uses the built-in Copilot to summarize a client’s portfolio. If that analyst has inadvertently been granted broad SharePoint access, Copilot might pull in salary data, HR records, or past merger details. No breach occurred in the traditional sense—the tool simply answered a question using available data—yet the fallout can be catastrophic.
“Governance in a Windows shop means understanding your data estate first,” said one Microsoft MVP specializing in compliance. “You can’t govern what you can’t see, and Copilot accelerates visibility across Microsoft 365. If your data labeling and DLP aren’t already mature, you’re playing with fire.”
Copilot and the Microsoft Ecosystem
Microsoft has undeniably invested in security features for Copilot. Microsoft Purview provides data classification, sensitive information types, and DLP policies that can extend to Copilot prompts and responses. Role-based access controls (RBAC) and conditional access policies in Azure AD can limit which users can even use Copilot features. And the company’s recent announcement of Copilot for Security offers a dedicated AI assistant for defenders.
Yet the Heimdal survey hints that many organizations aren’t taking full advantage of these controls. The gap between what’s possible and what’s implemented is often wide. Configuring Purview for comprehensive data protection requires deep expertise, and the sheer volume of data in a typical Windows enterprise makes prioritization daunting. For small and midsize businesses, the resources simply aren’t there.
This creates a two-tier risk landscape: large enterprises with dedicated compliance teams can, in theory, lock down Copilot appropriately, but they may still struggle with shadow ChatGPT usage. Smaller firms, meanwhile, may not even realize they need to configure Copilot’s data access, assuming Microsoft’s defaults are safe—which, from a data exposure standpoint, they are not.
Shadow AI and Data Leakage
“Shadow IT” used to mean employees signing up for cloud services without IT’s knowledge. Now, it’s “shadow AI.” The Heimdal research indicates that even in organizations that have officially adopted Copilot, a significant percentage of workers still turn to free or personal ChatGPT accounts for tasks Copilot can’t handle—or simply out of habit. Those external sessions often receive the most sensitive data, because employees aren’t thinking about governance when they’re trying to solve a problem quickly.
From a Windows security perspective, this is a nightmare. Endpoint detection and response (EDR) tools can monitor process execution and network traffic, but they can’t easily parse what an employee pastes into a browser-based chat. Microsoft Defender for Endpoint can detect patterns and lets administrators set up indicators of compromise, but data exfiltration via plaintext pastes is subtle and notoriously hard to catch. The only reliable defense is a combination of policy, training, and—where feasible—blocking access to unsanctioned AI domains at the network layer.
Building a Governance Framework
So what does effective AI governance look like for a Windows shop? Drawing from best practices and the emerging discipline of AI TRiSM (Trust, Risk, and Security Management), the path forward typically involves several layers:
- Discovery and inventory: Use tools like Microsoft Defender for Cloud Apps (formerly MCAS) to discover which AI apps are in use. Log endpoint activity with Defender for Endpoint to spot browser-based AI usage.
- Data classification and labeling: Implement sensitivity labels across SharePoint, OneDrive, and endpoints. Ensure labels propagate to content that Copilot might index.
- DLP policies: Create DLP rules specifically for Copilot interactions, preventing sensitive data types (PCI, PHI, PII) from being surfaced or shared with external LLMs.
- Access controls: Restrict Copilot capabilities via Microsoft 365’s built-in controls (e.g., allow only web-grounded responses, disable plugin access). Use Conditional Access to limit access to managed devices only.
- Training and policy: Establish an acceptable use policy for AI tools, conduct regular training, and enforce through disciplinary measures. Make it clear which data may and may not be fed into public AI models.
- Continuous monitoring: Set up alerts for anomalous Copilot activity, such as a user suddenly querying large numbers of sensitive files. Monitor for data uploads to unauthorized AI sites.
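The "monitor for data uploads to unauthorized AI sites" step can be prototyped against web proxy logs before any product is configured. The following is an added example, not part of the Heimdal survey or any Microsoft tooling; the CSV log layout, the domain lists, and the 2,000-byte paste threshold are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Assumed policy lists for this example; build your own from discovery data.
SANCTIONED_AI = {"copilot.microsoft.com"}
UNSANCTIONED_AI = {"chatgpt.com", "chat.openai.com"}
PASTE_BYTES = 2_000  # assumed threshold: larger request bodies look like pasted documents

# Constructed sample proxy log (timestamp,user,method,host,bytes_sent); not real traffic.
SAMPLE_LOG = """\
2026-06-10T09:01:12Z,alice,GET,chatgpt.com,412
2026-06-10T09:01:40Z,alice,POST,chatgpt.com,18450
2026-06-10T09:02:05Z,bob,POST,copilot.microsoft.com,9120
2026-06-10T09:03:30Z,carol,POST,api.chatgpt.com,640
2026-06-10T09:04:10Z,alice,POST,chat.openai.com,5300
2026-06-10T09:05:00Z,dave,POST,notchatgpt.com,30000
malformed line without enough fields
"""

def classify(host):
    """Return 'sanctioned', 'unsanctioned' or None; matches a domain or any subdomain."""
    host = host.lower().rstrip(".")
    for label, domains in (("sanctioned", SANCTIONED_AI), ("unsanctioned", UNSANCTIONED_AI)):
        # Compare on a label boundary so 'notchatgpt.com' does not match 'chatgpt.com'.
        if any(host == d or host.endswith("." + d) for d in domains):
            return label
    return None

def shadow_ai_findings(log_text, paste_bytes=PASTE_BYTES):
    """Summarise per-user traffic to unsanctioned AI hosts and count large uploads."""
    findings = defaultdict(lambda: {"requests": 0, "bytes_sent": 0, "large_uploads": 0})
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5 or not row[4].isdigit():
            continue  # skip malformed lines instead of aborting the whole run
        _ts, user, method, host, sent = row
        if classify(host) != "unsanctioned":
            continue
        entry = findings[user]
        entry["requests"] += 1
        entry["bytes_sent"] += int(sent)
        if method.upper() in {"POST", "PUT"} and int(sent) >= paste_bytes:
            entry["large_uploads"] += 1
    return dict(findings)

if __name__ == "__main__":
    for user, stats in sorted(shadow_ai_findings(SAMPLE_LOG).items()):
        print(user, stats)
```

Users with a non-zero `large_uploads` count are the ones to follow up with first; small requests to the same hosts indicate usage but not necessarily bulk data leaving the estate.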
Microsoft is also building governance directly into its platform. The upcoming SharePoint Advanced Management and Microsoft 365 Copilot extensibility controls promise finer-grained administration. For now, however, the Heimdal findings suggest that many organizations are still in the earliest stages of this journey.
The Road Ahead
AI governance is not a one-time project. As Copilot and other Windows-integrated assistants evolve, the risk surface will shift. New features, like Copilot’s ability to take actions across apps or soon control system settings via voice, will demand even tighter controls. And with every Windows update—now delivered in a continuous innovation model—IT teams must reassess.
The Heimdal survey, limited though the preview is, serves as a wake-up call. 71 percent of environments already have ChatGPT; that number will only grow. Copilot’s penetration is likely not far behind, especially as Microsoft pushes the assistant into every corner of the Windows experience.
For Windows enthusiasts and IT pros, the message is clear: the productivity gains of AI are real, but they come with a security debt that must be paid. Start with a comprehensive AI governance plan today. The cost of delay could be a data disaster that makes the previous era of cloud shadow IT look trivial.