Kim Williams, chair of the Australian Broadcasting Corporation (ABC), has been caught in a tech paradox that puts a sharp lens on the fragile state of artificial intelligence governance in public institutions. According to a report by Free, Williams scrupulously follows the broadcaster’s strict internal rules that ban the use of unsanctioned AI tools for work—yet he maintains a personal stash of AI apps on his own devices. While no misuse of ABC data is alleged, the disclosure has ignited debate over shadow AI, leadership accountability, and the readiness of government bodies to manage the AI tools their own employees are quietly adopting.
This incident is not an isolated curiosity. It is a textbook illustration of “shadow AI”—the use of consumer-grade artificial intelligence applications without IT department oversight. From ChatGPT and image generators to AI note-takers and code assistants, employees everywhere are turning to these tools to boost productivity. For public broadcasters, healthcare agencies, and government departments, the implications are enormous: potential data leaks, compliance failures, and eroded public trust. As organisations scramble to lay down policies, the ABC case shows just how easily even the most rule-conscious leaders can become the poster child for a governance gap.
Shadow AI: The Quiet Productivity Revolution That’s Spooking CIOs
Shadow AI is the 2025 sequel to the bring-your-own-device trend that once caught IT teams off guard. Instead of personal smartphones, it is unvetted large language models, transcription services, and design tools that are slipping into daily workflows. A 2024 study by Cyberhaven found that 11% of the data employees paste into ChatGPT is confidential, while a Salesforce survey indicated that 55% of workers use unapproved generative AI tools at least occasionally.
The attraction is obvious. Off-the-shelf AI can summarise meeting notes, draft policy documents, or crunch spreadsheet data in seconds. But when a public servant asks a free chatbot to rephrase a sensitive briefing paper, the text can land on servers located in jurisdictions with little privacy protection. Even logging in with a personal account doesn’t eliminate the risk: the AI provider may still log prompts, and metadata can link the user’s identity back to an agency.
For the ABC, which operates under stringent editorial standards and privacy laws, the stakes are particularly high. Leaked programming insights, confidential source material, or internal strategic plans could cause reputational havoc. That’s why the broadcaster has explicit rules forbidding the use of external AI services like ChatGPT, Claude, or Midjourney for work—Williams himself has publicly endorsed those policies. Yet his own private collection of apps, while legal and possibly used for personal productivity or entertainment, highlights the porous boundary between personal and professional spheres.
ABC’s AI Policy vs. The Chair’s Personal Tech Stack
ABC’s AI governance framework is among the more mature in Australian media. The organisation requires that any AI tool used for content creation, newsgathering, or operations be vetted for data handling, bias, and editorial alignment. Staff are told not to feed internal information into public AI models. The chair, as a board member, is expected to champion these guidelines.
According to the Free report, Williams confirmed that he respects ABC’s rules and does not use AI apps on work devices or in his official capacity. His personal device, however, hosts a suite of AI utilities. The report did not name specific apps, but typical private collections might include writing assistants, summarisation bots, image tools, and even personal agents that help manage schedules or research.
Security experts argue that even this separation is not airtight. A chair’s phone or tablet can synchronise contacts, calendars, or notes that include work-related content. If an AI app requests access to the photo library or clipboard, sensitive material could inadvertently cross the line. Furthermore, the optics of a leader maintaining a private AI arsenal while the rank and file are under strict prohibitions can erode trust in the governance framework.
“This isn’t about punishing someone for having a hobby,” said a Canberra-based IT governance consultant, speaking on background. “It’s about demonstrating that even sophisticated users underestimate how AI apps slurp up data. If the chair can’t fully separate work and personal life, who can? Institutions need a new approach that doesn’t just ban tools but provides safe, approved alternatives that people actually want to use.”
Public Sector Ripe for AI Abuse
The ABC case is echoing beyond broadcasting. Government agencies everywhere are discovering that AI adoption is outpacing policy refreshes. A June 2025 report by the Australian National Audit Office warned that more than 40% of federal departments had no formal AI risk assessment in place, despite widespread informal usage. State governments in the U.S. and EU nations are grappling with similar challenges.
In the United Kingdom, the Information Commissioner’s Office recently reminded public bodies that using large language models to process citizen data may violate the GDPR if there is no lawful basis. In Canada, the federal government has delayed its AI strategy twice, citing vendor lock-in risks and the complexity of balancing innovation with privacy.
Shadow AI is especially dangerous in the public sector because the consequences scale rapidly. A single misstep—imagine a healthcare worker pasting a patient’s record into a translation AI—can affect thousands of individuals and trigger regulatory fines. Moreover, public institutions are held to a higher standard of transparency. If an agency’s decisions are shaped by an opaque algorithm, FOI requests and court challenges become inevitable.
This is precisely why technology vendors like Microsoft have positioned their AI suites as the governed alternative. Copilot for Microsoft 365, for instance, processes data within the customer’s existing compliance boundary: the Microsoft 365 tenant. Prompts are not stored, and data is never used to train the underlying models. Windows 11’s integrated Copilot can be managed through Group Policy and Intune, giving IT departments granular control over which AI experiences are available on corporate devices.
Microsoft’s Answer: Governed AI in Windows and 365
For public sector organisations drowning in shadow AI, the pitch from Redmond is straightforward: bring AI into the ecosystem you already control. Microsoft has layered security, privacy, and compliance features across its AI stack, making it possible to empower employees without losing governance.
Windows 11, now installed on over 500 million active devices, comes with a Copilot button on the taskbar, but admins can choose to disable it or restrict it to only Microsoft 365 Copilot’s enterprise version. Policies in Microsoft Intune allow blocking of specific consumer AI apps by signature or through Windows Defender Application Control. Combined with Microsoft Purview, which can classify and label sensitive documents, public agencies can create a ring-fenced environment where only approved AI tools can access data.
“The promise of AI is too great to say no, but the risk of ungoverned use is too high to say yes without controls,” a Microsoft spokesperson told this publication at a previous briefing. (Such briefings are routine and cannot be independently verified, but align with Microsoft’s public positioning.) The company’s Responsible AI Standard, published in 2022 and updated regularly, mandates that every AI service undergo an impact assessment. For Copilot, that includes adherence to existing data residency and GDPR commitments.
Crucially, Microsoft has also begun offering AI governance toolkits to government customers. These include templates for acceptable use policies, technical implementation guides for blocking consumer AI endpoints at the firewall level, and training modules that explain the difference between public and enterprise AI. Such resources recognise that technology alone cannot solve a cultural problem.
The Road Ahead: Bridging Policy and Practice
What the ABC experience illustrates is that policy without culture change will fail. Simply telling staff—and even board members—“don’t use AI” is as effective as telling them not to use email on a smartphone a decade ago. People will gravitate to the tools that make them better at their jobs, and if the official channels are clunky or restrictive, they’ll circumvent them.
A more sustainable strategy is to embrace “approved shadow AI.” Provide a catalogue of sanctioned AI tools that meet security requirements, are paid for centrally, and integrate with existing single sign-on systems. Microsoft 365 Copilot, Google’s Gemini for Enterprise, and specialised government-tailored solutions are already being adopted in this manner. For simple tasks like summarising documents or drafting internal emails, these tools can match consumer alternatives in capability while keeping data within the organisation’s control.
Training is equally vital. Even AI-savvy leaders may not know that a seemingly harmless photo-enhancement app trains on uploaded images by default, or that a free transcription service retains audio indefinitely. Regular, scenario-based training—“What would you do if your manager asked you to run a confidential proposal through a public AI?”—can embed good habits.
Finally, technical enforcement must evolve beyond blocklists. Endpoint detection tools can now identify when a user interacts with known AI domains and flag unusual patterns, such as large paste events into a browser tab hosting an AI chatbot. Microsoft Defender for Cloud Apps includes a shadow IT discovery feature that can highlight unauthorised AI services and score them for risk, allowing security teams to make informed decisions rather than guessing.
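The detection idea in the paragraph above, sketched over web-proxy logs. This is an added example, not code from the article or from any Microsoft product. The log format, the hostnames in the sample, the watchlist and the byte threshold are all assumptions, and request body size stands in for a paste event because a proxy cannot see the clipboard.

```python
from collections import defaultdict

# Illustrative watchlist (assumption): a real deployment would pull this from
# the organisation's cloud-app discovery catalogue, not a hard-coded set.
AI_DOMAINS = {"chatgpt.com", "claude.ai", "midjourney.com"}
LARGE_BODY_BYTES = 8_000   # assumed threshold for a "large paste"

# Constructed sample lines in a hypothetical proxy format:
# timestamp user method host request_body_bytes
SAMPLE_LOG = """\
2025-06-02T09:14:03Z asmith POST chatgpt.com 412
2025-06-02T09:15:40Z asmith POST chatgpt.com 23877
2025-06-02T09:16:02Z bjones GET intranet.example.org 0
2025-06-02T09:20:11Z bjones POST api.claude.ai 9120
2025-06-02T09:21:45Z cwong POST files.example.org 51200
malformed line
2025-06-02T09:30:00Z cwong GET www.midjourney.com 0
"""

def is_ai_host(host):
    """Match a watchlist entry itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in AI_DOMAINS)

def analyse(log_text, threshold=LARGE_BODY_BYTES):
    """Return (large_upload_alerts, users_seen_per_ai_host)."""
    alerts, seen = [], defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue                      # skip lines that do not parse
        ts, user, method, host, size = *parts[:4], int(parts[4])
        if not is_ai_host(host):
            continue                      # uploads to other sites are out of scope here
        seen[host.lower()].add(user)      # discovery: who touches which AI service
        if method == "POST" and size >= threshold:
            alerts.append({"time": ts, "user": user, "host": host, "bytes": size})
    return alerts, dict(seen)

if __name__ == "__main__":
    alerts, seen = analyse(SAMPLE_LOG)
    for a in alerts:
        print("LARGE UPLOAD", a)
    for host, users in sorted(seen.items()):
        print("AI host", host, "users:", sorted(users))
```

The per-host user sets give the discovery view (which services are in use at all), while the alerts list isolates the transfers worth a conversation with the user.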
Why This Matters for Windows Enthusiasts
For the millions of IT professionals and power users who call the Windows ecosystem home, the ABC story is a microcosm of a much larger shift. Windows 11 is the front line of the AI governance battle because that’s where Copilot lives, that’s where users launch Edge to access ChatGPT, and that’s where attackers probe for misconfigurations. Understanding how to lock down AI while keeping the operating system user-friendly is the defining admin challenge of the mid-2020s.
Tools like Group Policy, Windows Update for Business, and Microsoft Intune now have dedicated AI policy nodes. For instance, the “Turn off Copilot in Windows” policy is a single toggle, but beneath it lies a matrix of granular controls over web plug-ins, enterprise data protection, and even system resource allocation. Enthusiasts who master these settings will not only protect their own organisations but also shape best practices that ripple across the industry.
Kim Williams’ private AI collection may seem like a small personal footnote, but it underscores a universal truth: the line between personal and professional tech has dissolved. As public institutions race to harness AI without hemorrhaging data, the solutions will be built on Windows, secured by Intune, and guided by the lessons from headlines exactly like this one. The window to get governance right is shrinking. If a broadcaster’s chair can fall into the shadow AI gap, so can anyone—and the answer isn’t less AI, but better governance.