That AI Productivity Chart Everyone's Sharing? I Need You To Look At It Again.

You've seen it. The colourful grid of AI tools doing the rounds on LinkedIn right now. Dozens of logos. Tidy categories. Thousands of likes.

People are tagging colleagues. Saving it. Sharing it with the caption "we need this."

And I get it. It looks like someone's done the hard work for you. A ready-made map to a more productive business.

But when I looked at that chart, I didn’t see a productivity toolkit. I saw it through the lens of AI governance, operational risk, and data responsibility.

I saw something else entirely.

I saw third-party processors nobody has agreements with. Data flowing to servers in the United States and in some cases China, without anyone in the business knowing. Client information passing through AI systems that were never mentioned in a privacy notice. Employees quietly signing up to tools that their employers have never reviewed, never approved, and couldn't account for if someone asked.

I saw the inside of a data compliance problem that most SMEs don't know they have yet.

And I think it's time somebody said that out loud.

Most businesses aren't using AI tools. They're building invisible AI infrastructure.

That's the thing nobody is talking about.

It's not one tool. It's never just one tool. It's the scheduling platform that connects to the calendar system, that syncs with the CRM, that feeds into the email marketing tool, that links to the AI writing assistant, that exports to the project management platform. Each one processing data. Each one sending information somewhere. None of it mapped. None of it documented. Most of it adopted by someone in the team on a free account one Tuesday afternoon because it looked useful.

That is an AI supply chain. And most of the businesses building one don't realise that's what they're doing.

The risk isn't the individual tool. It's the undocumented ecosystem around it.

Let me make this concrete

Take the meeting notes section of that chart. Fireflies. Otter. Fathom. Genuinely useful. They record your calls, transcribe conversations, pull out the action points. Brilliant, in theory.

Except those recordings contain real conversations. Client discussions. Employee exchanges. Commercially sensitive information. Possibly details about people who were never told their words were being captured by a platform based in another country.

Where is that data stored? Who can access it? Is it being used to train the platform's AI models? Does your privacy notice say anything about it? Have your clients ever been told?

If you're sitting there thinking you're not sure, that's not a small gap. Under UK GDPR, you are the data controller. You are the accountable party. Not the platform. You. Which means those questions aren't optional. They sit within your governance and accountability obligations under UK GDPR.

Here's how this actually happens inside most businesses

It doesn't start with a decision. That's the thing.

Nobody sits down and says "let's build an undocumented AI infrastructure today." It happens one download at a time. One free trial. One recommendation in a Facebook group. One team member who found something that saves them an hour a week and just... started using it.

Most AI adoption inside SMEs isn't going through procurement. It isn't being reviewed by anyone with data protection knowledge. It's happening quietly, individually, invisibly, and by the time anyone thinks to ask what tools the team is actually using, the answer is usually a lot more complicated than expected.

This has a name. It's called shadow IT. And that chart being shared enthusiastically across LinkedIn right now is essentially a shadow IT menu being handed directly to the people most likely to adopt without asking permission.

The international piece that almost nobody checks

Most of those tools are American companies. Some are not. DeepSeek, listed on that chart under AI Chatbots, is Chinese-owned.

Under UK data law, when personal data leaves the UK, you need adequate protections in place. That means proper transfer mechanisms. It means understanding what the UK-US data bridge actually covers. It means not assuming that because a platform has a privacy policy, someone has sorted the legal framework on your behalf.

In many cases, businesses assume the provider has already handled these safeguards, when additional internal review may still be required. Most businesses aren't doing that review, not because they don't care, but because nobody told them it was theirs to do.

I'm not here to tell you to stop using AI tools

I use them. AI Policies UK uses them. Most of my clients use them, and they should.

AI adoption is not the problem. Unstructured AI adoption is.

The businesses that navigate this well won't be the ones that avoided the technology. They'll be the ones that understood what they were building and took the time to build it properly. The ones who can answer a client's due diligence questionnaire without panic. The ones who know what's in their systems, where their data is going, and what agreements are in place.

That's not a huge ask. It just requires someone to actually look.

Most SMEs now have AI operational infrastructure whether they intended to build it or not.

Where to start, right now, today

Make a list of every AI tool your team is currently using. Not what you've officially approved. What they are actually using.

Then for each one, ask four questions: Does it process personal data? Where is that data stored and under which jurisdiction? Do we have a Data Processing Agreement in place? And does our privacy notice actually reflect that we're using it?

That's your baseline. That's where the audit starts. And if working through that list reveals more gaps than you expected, that's not a failure. That's exactly the kind of visibility that protects your business.

A final thought

The tools on that chart were designed to be easy. Fast to find, simple to sign up for, seamless to use. The obligations they generate are none of those things.

The gap between how quickly AI can be adopted and how slowly governance catches up is where most operational exposure now sits. Quietly. Invisibly. Until it isn't.

The businesses that will lead in this next period won't necessarily be the ones with the longest list of AI tools. They'll be the ones that understood the infrastructure they built around them.

That understanding is available to every business. It just has to be chosen.

AI Policies UK exists to make AI governance make sense for the businesses that don't have a legal team or a compliance department — just a real business, real clients, and real data they're responsible for. If you'd like to understand where you actually stand, start at https://www.aipolicies.uk

Nothing in this piece constitutes legal advice. If you need to review your data protection position or compliance obligations, please speak with a qualified data protection specialist.
