Your Staff Are Already Using AI — You Don't Know About It
Shadow AI is not a future risk. It is today's reality in most hotels — and the data being shared is far more sensitive than most leaders realize.
Hotels face significant data exposure risks as staff informally use public AI tools with sensitive guest information, requiring immediate governance policies.
There is a term gaining quiet traction in hotel technology circles: Shadow AI. It describes staff using AI tools — chatbots, writing assistants, summarizers — without approval, without policy, and without the data controls that a responsible organization would require.
It sounds like a future risk. It is not. It is today's reality in most hotels.
What Is Actually Being Shared?
The most commonly cited example — a front desk agent drafting a guest apology email in a public chatbot — understates the problem considerably. In practice, what gets pasted into public AI tools by well-meaning hotel staff includes:
VIP preference profiles containing named medical and dietary requirements
Incident reports detailing complaints, injuries, or security events involving identifiable guests
Ownership correspondence and asset management documents
Confidential personnel records and disciplinary notes
Investigative summaries relating to theft, harassment, or staff misconduct
These are not hypothetical scenarios. They are exactly the categories of information that experienced hotel professionals reach for when they need to draft a sensitive communication or summarize a complex situation — the precise moments when the instinct to open a free AI tool is strongest.
The Governance Gap This Exposes
The governance risk is not that your staff are using AI. The risk is that the most sensitive operational data in your hotel is the most likely to be shared with a tool that has no data residency controls, no enterprise agreement, and no deletion guarantee.
None of this is malicious. Staff are trying to do their jobs better with the tools available to them. The failure is institutional, not individual.
The Operational Story That Illustrates It Best
A guest at an upper-upscale city hotel submitted a formal complaint about noise disturbances and slow housekeeping service. The front office team leader, under pressure during a busy morning at checkout, pasted the guest’s complaint details into a public AI chatbot and asked it to draft a recovery letter.
The tool returned a polished, well-structured apology — including a reference to “a complimentary room credit of £75 applied to your account” that had never been discussed or approved.
The team leader sent the letter without reading it carefully. The guest attempted to redeem the credit at checkout. When it could not be found, the guest escalated to the general manager, citing the hotel’s own letter as evidence of a commitment that had been denied. A recoverable service failure became a reputational and commercial liability.
Two governance failures compounded each other. A public AI tool was used with no data controls. And there was no approval workflow requiring a manager to review AI-drafted guest communications before they were sent. Either control, alone, would have prevented the outcome.
The Response Is Not Punishment — It Is Policy
Hotels that respond to shadow AI with blanket bans typically make the problem worse. Staff continue to use the tools informally; they simply hide them. The response that works is threefold:
Publish an Acceptable Use Policy — a clear, accessible document that defines what AI tools staff may use, what data must never leave the hotel’s system boundary, and what happens when the rules are broken.
Provide approved alternatives — if staff are using a public chatbot to draft communications, give them an enterprise-grade tool that meets the same need without exposing data.
Train, don’t lecture — staff need to understand why certain data cannot be shared with public tools, not just that it cannot.
Shadow AI has a more dangerous cousin: the Shadow Agent. Where shadow AI generates text for a human to review, a shadow agent can take action — sending emails, creating tickets, modifying records — without management visibility. As AI tools become more capable, the risk profile of unofficial adoption rises sharply.
Before your next leadership meeting on AI, ask one question: Do we have an Acceptable Use Policy that staff have read and acknowledged? If the answer is no, that is where the conversation begins.
This article is based on the AI in Hospitality Lexicon (V1.0), published by Pertlink in 2026. Download the full document at www.pertlink.net