Your employees are already using AI. They are pasting sensitive meeting notes into ChatGPT to get a summary. They are uploading CSVs of customer data to clean it. If you have "banned" these tools without providing an alternative, you have simply pushed this activity into the shadows.
IT security teams often default to blocking domains (e.g., openai.com). This gives a false sense of security. Employees will simply use their personal phones or find unblocked alternatives to get their work done 10x faster. You lose all visibility into where your data is going.
The Safe Harbor Approach
The only effective governance strategy is to provide a Sanctioned, Private Alternative.
You must deploy a secure, internal instance of these models (e.g., Azure OpenAI or a private VPC deployment) that guarantees Zero Data Retention. When you provide a better, safer tool, employees will naturally migrate away from the risky public ones. Security comes from enablement with guardrails, not abstention.