Banning AI doesn't remove the risk.
Ethan Mollick recently used a brilliantly sharp phrase in The Economist: "The IT department: where AI goes to die."
It works because there's a grain of truth in it. Not because IT departments are the enemy — that's too easy, and too unfair. It works because AI is often sent to IT when leadership doesn't know what else to do with it.
And once it arrives in IT, it gets handled the way IT has always been asked to handle new things: reduce risk, protect data, standardise systems, control access, stop users doing dangerous things. That's not a failing. That's the brief IT has been given for the last twenty years. It's the brief that's kept the lights on.
The trouble is, that brief produces a very specific output when it's pointed at AI. The output is "ban it."
A small example, close to home
My partner works in education. Her school's IT department has, for all practical purposes, banned AI.
I'm not going to name the school, and I'm not going to make the IT team look stupid — they aren't. They're doing what they've always been asked to do. Schools handle some of the most sensitive data anywhere: pupil records, parent data, staff data, medical information, behavioural notes, safeguarding logs. They have plagiarism to worry about. Misinformation. Bias. Copyright. Children encountering things they shouldn't. Adults using tools they don't understand on data they shouldn't.
Faced with that list, "block it" is an entirely understandable answer.
But understandable is not the same as strategic.
The risk hasn't gone away. The visibility has.
Here's the thing the ban doesn't fix: pupils are already using AI. Staff are curious, and some will experiment whether you've sanctioned it or not. Parents are using it. The exam boards are talking about it. Vendors are quietly embedding it into the platforms the school already pays for — the MIS, the timetabler, the safeguarding tool, the email client, the Office suite.
So the choice isn't AI or no AI. That choice was made by everyone else, eighteen months ago, without asking permission.
The choice is visible, governed, educated AI use — versus invisible, unmanaged, personal-account AI use.
A blanket ban produces the second. Staff use ChatGPT on their phones over 4G to do the job they've been told they can't use it for. Pupils paste an essay prompt into whatever chatbot is one Google search away. Parents send the SENCo a letter that's clearly been written by Claude. None of it is logged, audited, scoped or labelled. None of it is paid for by the school, governed by the school, or visible to the school.
That's not safer. It's just less measurable. It's also exactly the shape of risk most organisations underestimate — because the thing they think they've stopped is the thing they've actually pushed off-tenant.
Control is not the same as strategy
Blocking access is a control. It's a perfectly reasonable one in some contexts, and it might be one control among many. But it isn't an AI strategy.
A strategy answers different questions:
- What are we trying to improve?
- What tools are approved, and why those?
- What data is off limits, and how do we make that easy to follow?
- What training do people need before they can use what's approved?
- What use cases are safe? Which ones aren't, and how do staff tell the difference?
- Where do humans stay firmly in the loop?
- How do we review what's working and change it?
That list isn't a security register. It's a leadership document. And it's nobody's job inside an IT department to write it.
Where IT comes in — and where it doesn't
To be completely fair to IT teams: they are essential here, and the strategy cannot land without them.
IT owns the rails. Identity. Conditional access. Data loss prevention. Audit logs. Tenant configuration. Approved-tools management. Sensitivity labels. The plumbing that makes "approved" mean something more than a sentence in a policy document. None of the strategy questions above can be answered if those rails aren't sound.
What IT can't own — and shouldn't be made to own — is the direction. Where AI should be used. What work should change. What teaching should look like next September. Which jobs need re-shaping. Which workflows should be redesigned around AI capability instead of bolted on top of the old ones. What new things staff should be expected to learn.
Those are leadership decisions. Quietly handing them to IT under the label "sort the AI thing out, would you?" is what produces the ban. The ban isn't IT's failure. It's leadership's quietest possible answer to a question they didn't want to take a position on.
A particular shape, in SMBs
In SMBs, the IT department often isn't a department at all — it's an MSP. The MSP is the IT department, on retainer, by ticket, on Tuesday afternoons. And MSPs are paid, structurally, to keep things stable and uneventful. That instinct — don't change what isn't broken, lock down what could break — is exactly right for a backup schedule. It's exactly wrong for an organisation working out where AI fits.
We say that from inside the lane. M-Tech Labs is the AI specialism of M-Tech Systems, which has been an MSP since 2003. We know the MSP instinct because we live with it. The reason Labs has its own front door is that AI adoption needs the opposite instinct sitting next to it: experiment, prove, ship, measure, redesign the work. The MSP keeps the rails. Labs lays new track. They're complementary; they aren't the same job.
What good actually looks like
In a school, governed adoption looks something like this:
- A short list of approved AI tools, paid for by the school, accessed under the school's identity, with the data boundaries set in writing.
- Staff guidance — a page or two, not forty — on what's permitted, what isn't, and what to do if you're not sure.
- Real examples. "You can use it to draft this. You can't use it for that. Here's what an acceptable prompt looks like. Here's one that isn't."
- Training that reflects the way people actually work, not a generic "intro to AI" video.
- Pupil AI literacy on the curriculum side, because the world they're going into runs on this stuff and pretending otherwise is malpractice.
- A governance position that's reviewed termly, not written once and shelved.
In a business, the shape is the same with different vocabulary: a readiness assessment, data governance that catches up with the actual tools in use, a small set of approved platforms, training that's grounded in real workflows, pilots that produce evidence, and a review cadence that actually happens.
None of that is a free-for-all. All of it is governed. The point is that governance isn't a synonym for banned; it's what you put in place so the answer to "can I use this for X?" is something more useful than "no."
Close
AI without governance is risky. Governance without adoption is paralysis.
AI doesn't die in IT because IT is bad. It dies there when leadership mistakes control for strategy.
Block what needs blocking. Approve what's safe. Train people properly. Redesign the work.
But don't pretend a ban is a strategy.
It's just a locked door, with everyone else finding windows.
