Why Your IT Department Is Your Biggest AI Adoption Bottleneck

Ethan Mollick, a professor I follow closely, recently noted that an astonishing number of companies he talks to "STILL have AI effectively blocked by IT and legal departments for out-of-date reasons." He's right. And I see it from the other side -- as the person who walks into these companies to train their teams.

Here's the pattern. A company hires me for corporate AI training. I show up. Half the tools I need are blocked on the corporate network. Employees can't access ChatGPT, Gemini, or Perplexity from their work machines. Meanwhile, every single one of them is using these exact tools on their personal phones during lunch. The "security" that IT implemented didn't prevent AI usage. It just moved it to unmonitored, unsecured personal devices.

The Shadow IT Problem Is Already Here

At one manufacturing client, the IT director admitted something revealing during our pre-workshop meeting: "I don't know what to block." His team had no AI governance framework. No tiered data policy. No approved tool list. So their default was to block everything and hope for the best.

The result? Staff were uploading internal documents to free AI tools on their phones. The security risk IT was trying to prevent was being actively created by the blocking policy itself.

The Fix: A 3-Tier Security Framework

Every successful AI training engagement I've run has started with the same conversation -- not with HR, but with IT. Here's the framework that works:

Tier 1 -- Public information. Market research, industry trends, competitor analysis using publicly available data. Any AI tool is safe for this. No restrictions needed.

Tier 2 -- Internal non-sensitive. Email drafting, meeting summaries, formatting, code syntax. Data that wouldn't cause harm if leaked. Enterprise AI tools (Microsoft Copilot within the tenant, etc.) are appropriate here.

Tier 3 -- Confidential. Customer data, financial records, strategic plans, HR records. Off-limits to any AI tool unless using a private, enterprise-grade deployment with data residency guarantees.

When I establish this framework before training begins, two things happen. First, the IT director relaxes because there's a clear boundary. Second, employees stop using their phones because they now have sanctioned tools and clear guidelines.

Win Over IT, Win the Organization

The mistake most companies make is treating AI training as an HR initiative and keeping IT out of the conversation. Flip that. Make IT your first ally.

At BOCHK, where I trained 1,500 bankers, the security framework was established before a single employee opened an AI tool. At Chow Tai Fook, VPN issues nearly derailed the first session -- a problem that would have been avoided if IT had been involved from day one.

The IT department isn't the enemy of AI adoption. They're the unaddressed dependency. Solve the security conversation first, and the training conversation becomes dramatically easier.

Your IT department doesn't want to block AI forever. They just need someone to tell them what "safe" looks like. That's not a technology problem. It's a communication problem.