Your reps are using AI. Just not yours.
They’re copying territory lists into ChatGPT on their phones. Pasting customer segments into free AI tools. Asking bots to help interpret sales figures. Not because they’re careless - because they’re trying to do good work faster. The challenge for commercial leaders isn’t stopping that behaviour. It’s channelling it into systems where you can see what’s happening and stand behind the outputs.
What the Research Shows
Surveys from 2024 consistently found that a large majority of employees - in some studies more than four in five - use AI tools that haven’t been formally approved by their organisations. Many don’t mention it to their managers. The driver is simple: the approved tools often don’t meet daily work requirements, so people find workarounds.
This isn’t a discipline problem. It’s a supply problem. And in pharmaceutical commercial operations, where customer data, prescriber segments, and territory plans are involved, unmanaged AI usage creates real compliance exposure.
Eighteen Months Preparing - Not Experimenting
We spent 18 months preparing for AI. Not experimenting. Preparing.
When we started evaluating platforms for processing client commercial data, the questions that kept us up at night were straightforward:
- Where does the data sit?
- Who can access it?
- What happens to it after processing?
- Can we prove what happened if something goes wrong?
I suspect many of you are asking the same questions.
We selected a platform with isolated environments, audit-grade change logs, and a contractual guarantee that client data never trains AI models. Not because we’re risk-averse. Because we wanted to be confident. That confidence is what allows us to move quickly where hesitation would otherwise slow things down.
The Samsung Lesson
Samsung faced this directly. Within weeks of the company allowing ChatGPT access, multiple separate data incidents occurred. Their response was instructive: rather than tightening restrictions, they built a governed in-house alternative that met the same needs safely.
Restrictions without alternatives push usage underground. Governed enablement brings it into the light.
The pharmaceutical companies that are getting this right are proving the same point - governance frameworks don’t slow things down. They remove the friction of uncertainty. When teams know the boundaries, they move confidently within them.
Four Principles We Settled On
Our practice runs on four:
Humans lead, data informs. AI generates options and surfaces patterns. Humans make decisions. Every insight we deliver comes with clear reasoning a Commercial Director can interrogate and own.
Transparency over opacity. If we can’t explain how we reached a conclusion, we don’t present it.
Client data stays client data. No commingling. No training. No enrichment.
Governance enables speed. The controls remove the friction of uncertainty - they don’t add to it.
These aren’t aspirational. They’re operational. Every platform decision, every workflow design, every client deliverable runs through them.
Five Questions to Frame the Conversation
If your organisation is working through this, these five tend to surface the gaps quickly:
- Who owns accountability when an AI-assisted decision needs to be explained - to a manager, a regulator, or a client?
- What customer and patient data is being processed by AI systems, and can you demonstrate where it sits and who has accessed it?
- Which tools are your teams already using, and how might you bring those into a governed framework rather than drive them further underground?
- Do you have an incident response approach for AI-specific scenarios, or are you still mapping your commercial AI onto a generic data breach protocol?
- Are your approved tools actually meeting the work requirements your people face every day - or are you governing the wrong layer?
The Window Is Now
Governance infrastructure built under the pressure of an incident costs more - in time, in money, and in credibility - than governance built as a precondition for deployment. The organisations framing AI governance as an enabler now, rather than a constraint imposed after something goes wrong, will be better positioned to move with speed and confidence as the tools keep improving.
It’s not about moving first. It’s about moving with intent.
What’s been most useful in your organisation’s approach to AI governance? I’m genuinely curious what’s working for others.