AI Governance in Companies: Legal Certainty and Value Creation

By Luciana Betiol, PhD; and Ana Biderman Furriela, MCL

The use of a range of digital technologies, including artificial intelligence, often adopted without any defined criteria, is a constant reality in Brazil's business environment.

Data from the TIC Empresas 2025 survey [1] shows that 17% of Brazilian companies with 10 or more employees used AI technologies, up from 13% in 2024, with a higher incidence among medium and large enterprises. When generative AI tools and broader day-to-day business uses are considered, adoption appears higher: 63% of medium and large enterprises, 46% of micro and small enterprises, and 42% of individual micro-entrepreneurs (MEIs) declared using AI in their businesses [2].

Moreover, a survey led by Abiacom found that 47.4% of professionals report using AI tools without official approval from their companies, a practice known as Shadow AI, and that 59.1% of Brazilian companies have yet to establish formal guidelines for AI use, a clear warning sign of governance and information security failures [3].

These figures allow the conclusion that AI is already used by a significant proportion of Brazilian companies across different sizes and regions, although not uniformly. In small businesses, operational support uses predominate, such as marketing, communications, idea generation, and time savings; in medium and large enterprises, more strategic uses appear, linked to data analysis, workflow automation, process management, and redesign. Even so, the integration of AI into critical core business processes remains more concentrated in larger companies or those with greater digital maturity and cannot be treated as a widespread reality across the country.

This scenario, however, reinforces the need for organizations to prepare for the impacts associated with the use of AI, particularly given the absence, inadequacy, or low maturity of internal standards, policies, and procedures for its responsible and ethical operationalization — what is known as AI governance.

This opinion article aims to alert business owners, directors, board members, and managers, among other decision-makers, about the risks associated with the absence of institutional rules for the use of AI tools and about the importance of establishing an internal AI governance structure, regardless of the size and/or the level of integration of this technology in the context of each company. Organizations that prepare themselves will be better placed to capture value from these technologies, safely and sustainably. 

Among the most sensitive points to address is the use of personal generative AI accounts (ChatGPT, Claude, Gemini, Copilot and the like) by employees in their professional activities. The practice is more common than one might expect and places the company's confidential data on platforms over which the company has no contractual or technical control: no data processing agreement, no negotiated retention limits, no audit rights, and no visibility into what was submitted. An apparently innocent query can expose the company because, under the terms of many personal accounts, even paid ones, the content entered may be retained by the provider and, unless the user has opted out, used to train its models; whether and how this happens depends on each provider's terms, which the company has neither negotiated nor can enforce. The provider's records also link each query to the user and, by extension, to the employer, so a single prompt containing a client name or a commercial strategy can identify both the company and the matter it concerns.

Therefore, the use of AI without an adequate governance structure, one that goes beyond stating generic principles, exposes organizations to significant risks. These risks are not limited to technological vulnerabilities such as data leaks or information security failures; they also include the organization's inability to develop policies, procedures, and control mechanisms that keep pace with a rapidly evolving technology.

In this context, the implementation of AI governance must enable the organization to identify where and how AI is used, which decisions or processes are affected by it, which risks are created or amplified, and which internal mechanisms will be adopted for supervision, accountability, review, and the correction of any failures. Organizations that succeed in structuring internal policies, classifying risks, conducting due diligence on suppliers (and on the entire supply chain), monitoring impacts, and documenting decisions will be better prepared to respond both to future national and international regulatory requirements and to market pressures, investors, consumers, commercial partners, and other interested parties.

In the Brazilian context, therefore, AI governance must be understood not merely as a risk-control mechanism but also as an element of trust, competitiveness, and institutional maturity.

Against this backdrop, the organization should begin its AI governance with a self-assessment to identify where the technology is used, which areas and processes are affected, and which risks are most relevant in its specific context. To guide this mapping, we set out below a non-exhaustive list of situations that may generate financially onerous consequences and adverse reputational impacts for organizations:

• leakage of confidential data and sensitive information, with potential violation of the General Personal Data Protection Law (Lei Geral de Proteção de Dados Pessoais — LGPD);

• unintentional disclosure of commercial strategies or trade secrets, with potential competitive harm;

• infringement of copyright and other intellectual property rights;

• use of inaccurate, distorted, false or non-existent information, leading to erroneous decisions, serious failures in the production chain or service delivery problems, as applicable;

• adoption of discriminatory practices or practices that violate the fundamental rights of employees, partners, consumers or other affected parties;

• absence of adequate human supervision in automated or semi-automated decisions that may produce significant legal, economic or social impacts;

• engagement of AI suppliers without prior assessment of risks, liabilities, information security, data protection, intellectual property and audit criteria;

• difficulty in tracking, explaining or documenting decisions taken with the support of AI systems, which may compromise the organization’s defense in any internal, judicial, regulatory or reputational challenge; and

• emergence of employment, regulatory, contractual or consumer liabilities arising from the inadequate, unsupervised or undocumented use of AI systems.

The risks associated with the use of AI must be taken seriously, as they may result in fines, claims for damages, and, in more serious situations, administrative and even criminal sanctions. These consequences do not necessarily stem from the use of AI itself, but from the outcome of its inadequate use, without defined criteria, controls, and responsibilities. For this reason, governance is essential.

Based on the self-assessment, a customized risk matrix should be developed that considers the company’s specific vulnerabilities. There is no single recipe: risks vary by sector, company size, data used, degree of automation, suppliers engaged, and potential impacts on employees, consumers, partners, and other interested parties.

Thereafter, an internal AI use policy should be created, with clear rules on permitted uses, prohibited uses, and uses subject to prior approval; employee responsibilities and the consequences of rule violations; and specific provisions on data protection, confidentiality, intellectual property, human supervision, and supplier engagement.

This policy should be reviewed periodically, as AI is a rapidly evolving technology. Review allows guidelines to be updated, failures to be corrected, and new regulatory requirements and market practices to be monitored.

It is also essential to promote digital literacy and provide continuous training to employees and leadership, with a view to avoiding the individual, informal, and non-institutionalized use of AI tools. Governance will only be effective if people understand the applicable risks, limits, and internal procedures.

Finally, the organization should implement internal controls and protocols, such as approval workflows for sensitive uses, decision registers, guidance channels, supervision mechanisms, and incident reporting procedures.

Thus, formally established policies and guidelines can transform AI into a value-generating tool. Mere prohibition tends to be unrealistic, whilst indiscriminate use amplifies legal, operational, and reputational risks. The most appropriate path is the responsible, ethical, supervised and documented adoption of AI.

***

This material is for informational purposes only and does not substitute for the analysis of a specific case. The assessment and implementation of these practices in the workplace require specialized legal advice.

References:

  1. TIC Empresas 2025. Available at https://cetic.br/pt/tics/pesquisa/2025/empresas/H9/
  2. "Uso de IA nos negócios" (Sebrae/FGV IBRE survey, with the collaboration of Google, Dec. 2025). Available at https://blogdoibre.fgv.br/posts/uso-de-ia-nos-negocios-no-brasil-0
  3. Abiacom survey, in partnership with Brazil Panels and Lideres.ai, reported by André Lopes in an article published in Revista Exame on 19 Jan. 2026. Available at https://exame.com/inteligencia-artificial/72-das-empresas-brasileiras-estao-no-inicio-da-adocao-de-ia-aponta-pesquisa/
  4. DELOITTE. State of AI in the Enterprise 2026. Deloitte Brasil, 2026. Available at https://www.deloitte.com/br/pt/about/press-room/state-of-ai-2026.html