Your staff are using AI. You're paying twice.

Carl Heaton · AI

Two studies published in the last month bracket what is actually happening with AI inside UK businesses. Glean's Work AI Institute surveyed digital workers in the UK, US, and Australia. Asana surveyed UK IT leaders. The two sit on opposite sides of the same conversation, and put together they sketch a fairly honest picture.

The headlines are familiar. AI is everywhere. Productivity is up. We need more of it.

The numbers underneath are different.

What workers are actually doing

The Glean study found that 90% of UK digital workers use AI daily, and 77% report increased productivity. The same workers spend an average of 6.4 hours per week on what the report calls "botsitting": feeding the model context it lacks, checking what came back, debugging confidently-wrong answers, rerunning prompts, and cleaning up. Nearly a working day per week per person, after the time saved.

The same workers reported saving twelve hours a week from automation. Net of botsitting, that is about five and a half hours of actual gain. The remaining seven hours of the alleged saving are spent on the AI itself.

There is a darker number in the Glean data. 69% of respondents admitted to "botshitting", which Glean defines as "shipping AI-generated work that workers haven't reviewed, don't fully understand, or couldn't defend if asked". The figure is high partly because the survey was anonymous, and partly because every reader of this filing will recognise themselves in it, at least occasionally. The risk is not that some staff are doing this. The risk is that almost all of them are, and that nobody knows which outputs are which.

Only 18% of respondents said AI had "significantly improved" their organisation's overall performance. That is the survey answer to the underlying question: is your firm getting back what it is putting in. For most, the honest answer is "yes but less than you think".

What IT leaders are actually paying

Asana's polling of UK IT leaders, run in the same window, is the spending half of the picture. Over 80% of UK IT leaders said they had encountered unplanned AI cost increases in the past twelve months. The number is high in part because the costs hide in unfamiliar places: per-token API charges, "enterprise" upgrades that get triggered automatically, paid features inside tools the business already buys, and the long tail of individual SaaS seats with AI bolted on.

The example Asana cited was Uber, which exhausted its entire annual AI budget within four months of the year starting. Uber is a useful example because it is large, has IT discipline most SMEs do not, and still got it wrong by a factor of three.

The rest of the numbers fit the same theme:

  • 30% of new AI tools introduced to the business lack formal IT review or approval.
  • 25% of workers frequently use non-approved AI tools.
  • 38% of workers regularly use personal AI accounts for work tasks.
  • 53% of IT leaders reported that AI tools or agents caused financial, legal, reputational, or compliance harm in the past year.
  • 46% of IT leaders said AI initiatives stall because the AI lacks the context of the organisation it is running in.

The personal-account number is the one to dwell on. More than a third of staff are putting work content into ChatGPT, Claude, or Gemini on accounts the business cannot see, cannot audit, and cannot revoke when the person leaves. Most of those accounts have no data-processing agreement, no UK GDPR posture statement, and no record of what was sent. The information is gone from the firm and has left no trace.

Why governance lags

Christina Francis at Asana summarised the gap: "The challenge now is turning that into measurable business value, without losing the governance." The governance is hard for three structural reasons.

AI adoption is not happening through IT. It is happening through finance, marketing, HR, customer support, and operations, in roughly that order. By the time IT hears about a tool, the business is already using it for a real workflow. Saying "no" after the fact is more expensive than saying "yes" was at the start.

The procurement loop is too slow. A senior person needs to draft an email, and the loop from "I want to write better drafts" to "I have a tool" is twenty seconds and a personal credit card. The firm's procurement process takes weeks. The structural answer is to make the firm's process not take weeks. The tactical answer is to make it cheap to opt in to an approved tool.

Cost shows up after use, not before. Token-priced services bill in arrears. The bill arrives three months in. By then the contract is signed, the workflow depends on it, and the price negotiation is a captive one. We covered the broader version of this in "Gov.uk Pay swapped Stripe for Adyen, read the exit clause". The same dynamic applies here, faster and at smaller scale.

What an SME should do this quarter

Nothing in the studies points to "ban AI use". Nothing in them supports "let it run". Three concrete actions split the difference.

Pick a sanctioned tool, pay for it properly, and pre-approve common uses. One paid Copilot, Claude, or ChatGPT Enterprise account, with single sign-on, the data-processing agreement signed, and a one-page list of things staff are allowed to use it for without further sign-off. Drafting external emails, summarising meeting notes, rewriting documents in a different tone. The list does not need to be long. The point is to give staff a clearly-OK option, because the alternative is what is already happening.

Decide what stays out of any AI, full stop. A two-line policy that lists the categories: customer personal data, client confidential material, regulated financial data, anything covered by a non-disclosure agreement, and code that contains secrets. The list should be short enough to remember without re-reading. Our existing filing on what an AI policy should say covers a longer version of this.

Get visibility into what is being spent. Ask the finance team for the last three months of expense claims with "AI", "GPT", "Claude", "Copilot", "Gemini", "Perplexity", or "Anthropic" in the description. The personal-account number from Asana suggests you will find more than you expect. The follow-on action is to swap the personal subscriptions for one or two firm-managed accounts. The saving is sometimes meaningful; the visibility always is.
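The expense search above can be scripted once finance hands over an export. The following is an added example, not part of the original filing: the CSV column names (`date`, `employee`, `description`, `amount`) and the sample rows are constructed assumptions, and the matching rule for "AI" is one design choice that avoids false hits on words such as "repair" or "RETAIL".

```python
import csv
import io
import re
from collections import defaultdict
from decimal import Decimal

# Terms from the article's list. "AI" is matched case-sensitively and never
# inside an all-caps word, so "repair", "PAID" and "RETAIL" are ignored while
# "Otter AI" and "OpenAI" are caught. The other terms match anywhere, in any
# case, so "CHATGPT" is caught by "GPT".
AI_TERMS = re.compile(
    r"(?<![A-Z])AI(?![A-Za-z])"
    r"|(?i:gpt|claude|copilot|gemini|perplexity|anthropic)"
)

# Constructed sample export; a real one would come from the finance system.
SAMPLE = """date,employee,description,amount
2025-01-03,a.khan,OPENAI *CHATGPT SUBSCR,20.00
2025-01-09,a.khan,Train fare London-Leeds,84.50
2025-01-14,b.osei,Claude Pro monthly,18.00
2025-01-20,c.reid,Laptop repair,120.00
2025-02-02,b.osei,Perplexity Pro,16.00
2025-02-11,c.reid,Otter AI notetaker,13.99
2025-02-15,d.lee,PAID parking RETAIL park,6.00
2025-03-01,a.khan,GitHub Copilot,8.00
"""

def find_ai_spend(csv_text):
    """Return (matched_rows, total_per_employee) for an expense export."""
    matched = []
    totals = defaultdict(Decimal)
    for row in csv.DictReader(io.StringIO(csv_text)):
        hit = AI_TERMS.search(row["description"])
        if hit:
            # Keep the matched term so a reviewer can see why the row was flagged.
            matched.append((row["employee"], row["description"], hit.group(0)))
            totals[row["employee"]] += Decimal(row["amount"])
    return matched, dict(totals)

if __name__ == "__main__":
    rows, per_person = find_ai_spend(SAMPLE)
    for employee, description, term in rows:
        print(f"{employee:8} {term:12} {description}")
    for employee, total in sorted(per_person.items()):
        print(f"{employee:8} total {total}")
```

The per-person totals are the starting list for swapping personal subscriptions to firm-managed accounts; flagged rows still need a human look, since a term like "Gemini" or "Claude" can appear in unrelated descriptions.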

A fourth, harder action is worth flagging. Build the workflows around the AI, not the other way around. The 46% number in Asana's poll, the "initiatives stall because the AI lacks organisational context" finding, is mostly a workflow problem. A model trained on the open internet does not know your contracts, your customers, your products, or your style. The firms getting real value from AI are spending most of their effort feeding it that context: connecting it to the document store, the CRM, and the knowledge base, in a way it can actually use. That is months of work, not afternoons. It is also the difference between five hours of gain a week and twelve.

The shipping-without-reading problem

Almost as a footnote, the 69% figure deserves a moment. Shipping AI-generated work that the worker has not reviewed is the operational version of the prompt-injection risk we covered in "Prompt injection is not the new SQL injection". The defect is not in the model. It is in the workflow that puts the model's output in front of a customer or a regulator with no checkpoint in between.

The fix is mostly about where in the process the human review sits. If the human reviews the AI's draft before it is sent, the risk is bounded. If the AI's draft is sent and the human reviews it after a complaint, the risk is unbounded. Most firms have not made that choice consciously, and the default is the second one.

A sensible position for a board: any output that goes outside the business should have a named human who has read it. Internal drafts, brainstorming, code in a sandboxed branch, all fine. Customer email, contract drafts, financial filings, anything that lands in front of a regulator: someone signs it.

How Steelwise can help

Writing the short AI use policy, building the sanctioned-tool list, and finding what your firm is actually spending on shadow AI is the kind of practical work we do with clients. Get in touch.