By Jimi Clarke — Founder, DDC Solutions
Your team is already using AI — just not to the same standard. Here is how that quietly becomes a trust problem, and the question every director should be asking before a client answers it for them. Think about almost any piece of work that leaves your business under its own name — a proposal, a report, a set of advice to a client. More often than not it is not the work of one person. Different people write different parts, and somewhere near the end those parts are stitched together into a single document. The client, who has never met any of the authors, reads it as one voice — and decides, partly on the strength of it, whether your business can be trusted. Now add the detail that makes this the most quietly dangerous moment in a modern business. Some of those people used AI to help produce their part — but not the same AI, used in the same way, to the same standard. One may have spent real time setting theirs up: thinking about what is safe to put into it, how it handles confidential data, the tone and language it writes in. Another may have opened a free chatbot on a personal login, pasted in sensitive client information without a second thought, and accepted whatever came back because it sounded confident. Different standards of accuracy, data protection, tone and judgement — arriving in one document, under one brand. That gap is not a technology problem. It is a trust problem. And it is forming, right now, in the background of almost every business — because AI is still new enough that most people have no shared idea of what “using it properly” even means.
Trust is built — and broken — inside the business first
We tend to think of brand and trust as outward-facing things: the website, the logo, the way we talk to clients. But trust is manufactured internally, long electrostatic before a client ever sees it. It is the accumulated consistency of a hundred small things done to the same standard by different people. A client does not experience your “AI strategy.” They experience a proposal where one section is sharp and careful and the next is subtly wrong, oddly worded, or weirdly generic — and they draw a conclusion about the whole organisation from the seam between them.
Here is the part people miss: AI only ever does what we ask of it. It has no standards of its own. So when two people get two different results, the inconsistency is not really coming from the machine. It is a mirror held up to the difference in how two humans understand the tool, the risk, and the job. Which means an organisation with no shared standard for AI does not have a neutral position. It has an invisible, fluctuating one — a different level of risk and quality every time a different person opens a different tool.
I have watched this film before. It was called BIM.
If this pattern feels familiar to me, it is because I have lived it once already, with a different technology.
“I have watched this film before. It was called BIM. The industry was told it needed a new technology, the label was everywhere, everyone was assured they would be left behind without it, and so they bought it — the tools, the training, the consultants — and put the three letters on their website. And then, overwhelmingly, nothing changed, because the label had been adopted without the substance. I am now watching the identical pattern play out with artificial intelligence, faster and louder, and almost nobody seems to notice it is the same film.”
The reflex is the same. An enthusiastic team member builds something impressive over a weekend, or finds a tool that makes them dramatically faster, and the business quietly starts to depend on it — with no one having asked whether it is safe, consistent, or fit to carry the company’s name. Same blind spot, same outcome waiting to happen. Only this time it is faster, louder, and the tool is far better at looking authoritative while being wrong.
The risks you cannot see (and probably are not being told about)
Most of the danger here is invisible to the person creating it, which is exactly why it spreads. You do not need to become technical to manage it, but you do need to understand the shape of it. There are four edges to watch.
1. Review
Professional work is checked by another competent person before anyone relies on it. Code or content that an AI generated and that simply “ran” or “read fine” has not been reviewed, tested against awkward cases, or checked for the ways it fails quietly later. “It worked when I tried it” is not the same statement as “it is safe to rely on” — and in professional work, the distance between those two sentences is the entire job. Code review and proper checking are not common knowledge outside technical teams, so most people genuinely do not know this step is missing.
2. Stability
A tool — or a piece of writing — that looks right once, on a good day, with tidy inputs, can fail silently when conditions change. Properly made things fail safely and visibly, so you know. A quick AI build often fails invisibly, producing a confident, wrong answer that looks exactly like a right one. In a business decision, a confidently wrong number is far more dangerous than no number at all.
3. The account you are using
There is a real and under-appreciated difference between a free, personal AI account and a properly configured business one. Free and consumer accounts may use what you type to train future models, offer little control over where data goes, and come with none of the contractual data-protection terms a business needs. The same prompt that is harmless on a paid, business-grade setup can be a confidentiality breach on a free one. Most people have been told this, so they assume one chatbot is much like another. It is not.
4. Security and data protection
The moment someone feeds business or client information into an AI tool, they have created a data-protection and confidentiality question — the same discipline that runs through the golden thread and through how we handle people’s information everywhere else.
“An impressive tool that quietly leaks or mishandles sensitive information is not an asset. It is a liability with a nice interface.”
People are the control
In my book I argue that people are not a soft topic sitting off to the side of the real work. In ISO 19650, people are a control measure — their competence and judgement are tied directly to whether the business can deliver reliable information at all. AI does not change that. It raises the stakes on it.
“A standard is only as good as the person applying it… The most carefully specified information requirement in the world arrives, in the end, on the desk of someone who either gets it or does not.”
An AI tool arrives on the desk of someone who either understands its risks or does not. If they do not — and most people, through no fault of their own, currently do not — then the control has failed before a single word reaches the client. This is why the real problem is not the technology at all. It is a knowledge gap, spread unevenly across the business, that nobody has yet been given the chance to close.
What good AI use actually looks like
None of this is an argument against using AI. I use it every day — to write, to build, to sharpen how we work. It is an argument for using it the way you would use anything powerful: deliberately, and with the risks managed. And the picture of what that looks like is not complicated:
- A human stays in the loop — nothing goes out into the world, or to a client, without a competent person reviewing and approving it.
- Anything the business genuinely depends on is tested before it is trusted, not after.
- There is a named person accountable for each consequential output.
- There is a shared standard — a simple, real AI policy people actually know about — covering what may and may not be put into which tools, and a clear way to flag a risk when someone is unsure.
That last point is the one businesses skip. A policy that exists in a drawer protects no one; the safeguard only works if it has actually been implemented and made available to the people doing the work, https://ddcsolutions.co.uk/bim-information-management/ with a route to raise a concern. AI does only what we ask of it — so the protection has to live in how we ask, and in who is allowed to rely on the answer.
And this is already happening at scale
If this sounds like a hypothetical, it is not. Survey after survey now puts AI use at work somewhere between two-thirds and four-fifths of professionals — while only around a third of organisations have a formal AI policy to govern it. IBM’s 2025 Cost of a Data Breach report found that 63% of breached organisations had no AI governance in place at all. And people use it whether or not it is sanctioned: in one 2026 workplace survey, two-thirds admitted using AI at work even where they believed it was not permitted, while other studies find roughly half of employees have pasted confidential company or client information into public AI tools. The same IBM report put a price on the consequence — one in five breaches now involve “shadow AI”, adding around $670,000 to the average breach. The behaviour is running well ahead of the governance, across every sector — and professional services and construction are no exception.
So what do we actually do about it?
Which brings me back to that single document leaving your business under one name, written by people using AI to different standards. The risk in it is not that AI was used. It is that nobody agreed, beforehand, what “used well” had to mean — and so the company’s trustworthiness is being quietly set, paragraph by paragraph, by whoever happened to open whichever tool.
I do not think the answer is to ban it, and I do not think the answer is to pretend a policy nobody has read will save you. Somewhere between “use whatever you like” and “lock it all down” is a standard a real business can actually live by — one that closes the knowledge gap, keeps a human accountable, and lets people move fast without betting the brand on a confident-sounding paragraph nobody checked.
So here is the question I think every director and business owner should be sitting with right now, before a client answers it for them: how do you build one shared, trustworthy standard for AI across a business full of people who are all, quietly and at different speeds, already using it?
I have a view on where that starts. But I would rather leave you with the question first — because the businesses that get this right will be the ones that took it seriously before anything went wrong, not after.