The policy everyone signed, and the workaround everyone found
Walk into almost any UK SMB with more than twenty staff and you will find the same artefact on the intranet: a one-page AI policy that says public large language models are not approved for client work. Sometimes it names ChatGPT by name. Sometimes it threatens disciplinary action. And in the same building, within a week of the policy going live, someone on the finance team is pasting a board pack into a browser tab on their phone because the sanctioned tools do not do what they need fast enough.
This is not a morality tale about reckless employees. It is a predictable systems failure. When you block a capability that makes people measurably better at their jobs — drafting, summarising, restructuring, explaining — you do not remove demand. You relocate it to channels IT cannot see, cannot log, and cannot remediate. The organisation trades a visible risk for an invisible one, then congratulates itself on being “AI safe.”
If you are the IT buyer or MSP lead being asked to “just block ChatGPT,” this article is for you. Not to argue that AI is harmless — it is not — but to explain why prohibition fails, what actually changes behaviour, and what a defensible middle path looks like for a UK firm that still needs to use the same models everyone else uses.
Why blocks fail in practice
Shadow use moves off the corporate network
URL filtering and DNS blocks work until they do not. Personal phones, home broadband, coffee-shop Wi‑Fi, and browser profiles that are not signed into corporate identity all bypass the control stack in an afternoon. Staff are not trying to exfiltrate data for sport; they are trying to finish a tender response before 5pm. Once the sanctioned path is slower or absent, the unsanctioned path wins on convenience every time.
From a security standpoint, the worst outcome is not “someone used ChatGPT.” It is “someone used ChatGPT and we have no idea.” Blocks that push usage off managed devices remove the only signals you might have had — proxy logs, CASB alerts, DLP hits on outbound paste buffers. You inherit the liability without the telemetry.
Blocks punish the careful and reward the hurried
Policy documents assume rational actors with unlimited time. Real teams under deadline paste first and ask forgiveness later. The partner who would have redacted a client name manually if given a safe tool will not do that work twice on a blocked path. Meanwhile the intern who never read the policy was never going to comply anyway. Uniform blocking selects for the people least likely to self-police.
“Approved vendor only” often means “approved American vendor only”
Many firms respond to AI anxiety by buying a SaaS wrapper that inspects prompts in a US region before forwarding them to OpenAI. That can be the right architecture for a global enterprise with a mature privacy programme. For a forty-person Manchester accountancy or a Bristol law firm, it introduces a new processor, new sub-processors, and a new set of transfer questions — while staff still route around it if the UX is worse than the public chat UI they already know.
Blocking ChatGPT without offering an equally capable alternative is not governance. It is postponement.
What actually changes behaviour
Teams that reduce real incidents — not just policy violations on paper — tend to converge on the same four moves. None of them require pretending AI will go away.
Make the safe path the fast path
If the approved route takes six clicks and the shadow route takes one, you have already lost. That means an interface people want: a browser extension or chat UI that feels like the public product, streaming responses, sensible defaults. Security controls that add friction without adding visible value get disabled or ignored.
Inspect before egress, not after the fact
Training alone does not scale. Annual e-learning does not help at 11pm when a solicitor is fixing a clause. What scales is automated detection of the data classes you care about — UK postcodes, company numbers, account numbers, client names from your own directory — shown to the user before the prompt leaves your environment. The user remains in the loop; the organisation gets a chance to stop the leak at the only point that matters.
Give IT and compliance an audit trail they own
When the board asks “who sent what to which model, and was it redacted,” you need an answer that does not depend on a vendor’s US dashboard retention policy. Append-only logs on infrastructure you control — with export for regulators or insurers — turn AI from an anecdote into an auditable process.
Align with how UK firms think about data location
UK SMBs often process data that must not leave the UK — client lists, matter details, patient admin, FCA-regulated advice notes. Controls should respect that reality: minimise what crosses the border, document what still must (model inference with a US provider), and keep the original prompt and response pairing where your DPA says it should live. “We blocked the website” does not satisfy a data protection impact assessment. “We redact before egress and log every session” might.
What does work: enable with an inspection layer
The pattern we see work in production is not “ChatGPT, but scarier.” It is ChatGPT (or Claude, or Gemini) with a domestic inspection layer — sometimes called an AI gateway or AI firewall — sitting on your LAN. Staff keep the models they already use. Confidential fragments are replaced with placeholders before the prompt leaves the building; responses are restored on the way back so the answer still reads naturally. Local models can run on the same box for work that must never leave the site.
That is materially different from:
- Block only — shadow use, no logs.
- SaaS DLP in another country — new processor, same public models, prompts still leave your trust boundary in cleartext to a third party before redaction.
- Local-only models without a path to frontier capability — safer, but staff still open the public tab for hard tasks unless you give them a governed route to the same quality.
None of these are moral winners; they are trade-offs. The honest job of IT is to pick the trade-off the board can defend.
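The redact-before-egress and restore-on-return pattern described above, together with the detection classes named under "Inspect before egress" (UK postcodes, company numbers, names from your own client directory) and the append-only audit trail, as an added Python example; this is not code from the original article or from any gateway product, and it assumes a constructed client directory and simplified postcode and Companies House number patterns.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed client directory, standing in for the firm's own directory.
CLIENT_NAMES = ["Harrow & Finch LLP", "Bexley Dental Ltd"]

# Simplified detection rules for the data classes named in the text.
# Postcodes run first so the company-number rule never half-consumes one.
PATTERNS = {
    "POSTCODE": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}\b"),
    "COMPANY_NO": re.compile(r"\b(?:[A-Z]{2}\d{6}|\d{8})\b"),
    "CLIENT": re.compile("|".join(re.escape(n) for n in CLIENT_NAMES)),
}

def redact(prompt):
    """Swap each sensitive fragment for a placeholder before egress; the
    token->original map never leaves the LAN."""
    mapping, reverse = {}, {}
    def replacer(label):
        def _sub(m):
            value = m.group(0)
            if value not in reverse:            # one token per distinct value
                token = f"[{label}_{len(mapping) + 1}]"
                mapping[token] = value
                reverse[value] = token
            return reverse[value]
        return _sub
    for label, rx in PATTERNS.items():
        prompt = rx.sub(replacer(label), prompt)
    return prompt, mapping

def restore(response, mapping):
    """Put the originals back into the model's reply so it reads naturally."""
    for token, original in mapping.items():
        response = response.replace(token, original)
    return response

def log_entry(user, redacted_prompt, mapping, prev_hash):
    """Hash-chained record for an append-only log the firm controls; stores
    only the redacted prompt's digest and per-class redaction counts."""
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "prompt_sha256": hashlib.sha256(redacted_prompt.encode()).hexdigest(),
        "redactions": {lab: sum(t.startswith(f"[{lab}_") for t in mapping)
                       for lab in PATTERNS},
        "prev": prev_hash,                      # links to the previous record
    }
    record["hash"] = hashlib.sha256(
        (prev_hash + json.dumps(record, sort_keys=True)).encode()).hexdigest()
    return record
```

Chaining each record's hash to the previous one means a deleted or edited line is detectable on export, which is the property an insurer or regulator will ask about.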
A practical rollout IT can live with
If you are planning the next quarter, a sequence that actually sticks looks like this:
- Assume usage is already happening. Run a frank conversation with team leads — not a survey with leading questions — about where AI saved them time last month.
- Classify what must not leave the UK (names, matters, patient IDs, deal terms) versus what can (generic marketing drafts with no client markers).
- Deploy inspection on the egress path your staff will actually use — extension plus optional local chat — rather than a separate “compliance portal” nobody opens.
- Start with UK pattern packs and your client list as custom rules; refine from the first week’s false negatives.
- Report to the board in incidents prevented and sessions logged, not in “number of blocks on chat.openai.com.”
Blocking ChatGPT is a thirty-minute firewall rule. Building a defensible AI posture is a small appliance, a rule pack, and a culture shift — but it is the only one that survives contact with a real deadline.
What MSPs should tell clients who ask for a hard block
If you support ten SMBs, you will be asked to “switch off ChatGPT” after every news cycle. The defensible answer is not refusal — it is a managed package: extension rollout, UK pattern pack, monthly log export, and a 30-minute rules workshop when someone joins from a merger. You bill for governance the same way you bill for backup — because the risk is real and the block is theatre. Clients who understand that stop treating AI as a forbidden fruit problem and start treating it as email-grade infrastructure with inspection.
Bottom line for IT buyers
If your goal is to stop AI use, block and accept shadow risk. If your goal is to stop uncontrolled AI use while keeping productivity, you need visibility and redaction at the boundary — on your network, under your logs, with UK support when something goes wrong. The firms that get this right stop fighting their own staff and start giving them a better tool than the one on their phone.
That is not permissiveness. It is control that matches how work actually happens.