For many leadership teams, AI governance has been treated as a medium-term operating model issue: important, but separate from immediate geopolitical and economic disruption. That separation no longer holds. The current Middle East conflict is materially affecting global energy markets. The International Energy Agency said in March 2026 that the war had created a major energy crisis and the largest oil supply disruption in the history of the global oil market. Its March Oil Market Report projected a sharp drop in supply, while Reuters has since reported Brent moving above $110 per barrel amid continued disruption around the Strait of Hormuz.
That matters for enterprise AI for a simple reason. When fuel becomes scarcer and more expensive, pressure rises to reduce commuting, cut travel and lean harder on distributed work. The IEA explicitly recommended work from home as a demand-side response to higher energy prices, and Reuters has reported governments in multiple markets using remote work or virtual meetings to curb fuel use and manage economic pressure.
At first glance, that looks like a productivity story. In practice, it is also a governance story.
The more suddenly organisations expand remote and hybrid work under economic pressure, the more likely employees are to reach for whatever tools help them move faster. That is the operating environment in which shadow AI proliferates. Employees paste client material into public models. They connect unsanctioned agents to inboxes and files. They build lightweight automations outside approved architecture. They generate business content, analysis, code or decisions with no logging, no retention policy, no access control and no assurance over where data has gone.
Microsoft’s 2026 Cyber Pulse AI Security Report states that 29% of employees use unsanctioned AI agents for work tasks, while only 47% of organisations have AI usage policies. IBM has separately warned that shadow AI creates risks including data leakage, compliance failures and loss of control over sensitive business information, and its 2025 Cost of a Data Breach research argues that ungoverned AI systems are more likely to be breached and more costly when they are.
This is the strategic point many boards are still missing: the energy shock does not just change where work happens. It changes how quickly unmanaged AI adoption can spread.
Why fuel disruption makes shadow AI more likely
When commuting becomes more expensive, remote work becomes more economically attractive to both employers and employees. That is not speculative. The IEA has recommended work from home to reduce oil demand, Reuters reported Malaysia shifting government workers to home working to save energy costs, and UK reporting shows pressure building around office attendance as fuel costs rise. Older UK ONS evidence already showed that home working reduced fuel and parking spend for many workers.
Inside the enterprise, this has a predictable second-order effect. The more dispersed the workforce, the more work gets done through chat, cloud documents, ad hoc collaboration and individually assembled digital workflows. That does not automatically create poor governance. But it does reduce the natural friction that once came from office-bound process, supervised environments and more visible technology choices.
In a tight operating environment, the employee logic becomes brutally rational:
- approved enterprise AI is slow or access-controlled
- security review takes too long
- business pressure is immediate
- commuting is expensive
- remote workers need throughput
- consumer AI tools are one browser tab away
That is how shadow AI becomes normalised. Not as rebellion, but as convenience under pressure.
Why this is now a GRC issue, not just an IT policy issue
Too many firms still treat shadow AI as a tooling problem. It is a governance, risk and compliance problem because it cuts across decision rights, regulatory exposure, data protection, cyber assurance, records management, model risk and operational resilience.
From a governance perspective, the central failure is unclear accountability. Who approves AI use cases? Who classifies risk? Who decides what data may be entered into which model? Who owns monitoring? Who signs off third-party terms? Who determines whether outputs can influence a customer, employee, or regulated decision? If those answers are vague, shadow AI is already a control failure.
From a risk perspective, the problem is compounded by the fact that unsanctioned AI use often bypasses the control points organisations rely on elsewhere. Security teams cannot monitor what they do not know exists. Privacy teams cannot assess processing they have not been told about. Legal teams cannot review supplier obligations that no one disclosed. Internal audit cannot test a control environment that was never formally designed.
From a compliance perspective, the timing is increasingly uncomfortable. The EU AI Act entered into force on 1 August 2024 and becomes fully applicable on 2 August 2026, with some obligations already in application, including prohibited AI practices and AI literacy duties from 2 February 2025 and GPAI-related obligations from 2 August 2025. The European Commission continues to publish implementation guidance as 2026 approaches.
That means the window for informal AI adoption is closing. Organisations do not need perfect bureaucracy. They do need evidence that AI deployment is subject to clear policy, proportionate oversight and traceable accountability.
The hidden risk in the “WFH benefit” narrative
There is a real short-term gain from reduced commuting. Lower travel time, lower employee cost pressure, lower fuel consumption and more operational flexibility all matter. In an energy-disrupted market, leadership should absolutely be prepared to use remote work pragmatically.
But the mistake is to stop the analysis there.
If remote work expands quickly without equally mature digital controls, the enterprise may simply swap one cost problem for a larger risk problem. Savings on fuel can be erased very quickly by:
- data leakage through public models
- confidential material entering unapproved AI systems
- uncontrolled AI-generated content in customer or regulatory contexts
- untested autonomous agents acting on corporate systems
- fragmented vendor exposure and unknown subprocessors
- inconsistent retention, auditability and evidential trails
- security vulnerabilities in rapidly deployed AI applications
The NCSC has repeatedly emphasised that leaders need to understand AI risk well enough to discuss it meaningfully, and its secure AI development guidance stresses threat modelling, awareness of threats and designing systems for security as well as functionality. ISO/IEC 42001 provides the management system structure for establishing and continually improving governance around AI use.
In other words, the answer is not to resist remote work. The answer is to make AI GRC part of remote-work resilience.
What robust AI GRC looks like in this environment
For CIOs, CISOs and CTOs, the operating principle should be straightforward: when external disruption increases digital improvisation, governance has to move closer to the point of use.
That requires six practical shifts.
1. Move from generic AI policy to role-based control.
A broad “use AI responsibly” policy is inadequate. Sales, legal, engineering, HR, procurement, customer operations and finance need different rules, examples and prohibited actions. Staff should know exactly which tools are approved, which data classes are allowed, and which use cases need escalation.
2. Treat shadow AI as a discovery problem first.
Most firms underestimate the scale of unsanctioned use. Start with detection: network visibility, SaaS discovery, endpoint telemetry, browser controls, procurement review and targeted workforce surveys. You cannot govern what you have not surfaced.
3. Classify AI use by risk, not by hype.
Not every use case needs the same level of review. Drafting internal summaries is not the same as customer-facing advice, automated decision support, code generation in production environments, or HR screening. Build a tiered review model with fast paths for low-risk use and stronger gates for higher-risk deployment.
4. Put data boundaries at the centre.
The most common shadow AI failure is not model choice. It is data handling. Establish clear rules for confidential, client, employee, regulated and strategic data. Enforce them technically where possible, not just through training.
5. Create an approved productivity path.
Shadow AI thrives where sanctioned AI is missing, weak or frustrating. Provide enterprise-grade alternatives that are easy to access, integrated with identity and logging, and aligned to common workflows. Governance works better when the compliant path is the easiest path.
6. Link AI GRC to business continuity and resilience planning.
Energy disruption, geopolitical instability and workforce flexibility should now sit alongside cyber, supplier and operational resilience discussions. AI usage controls should be part of continuity planning, not an isolated innovation workstream.
The board-level reframing
Boards should stop asking only, “How are we using AI?” and start asking, “What happens to AI usage when external shocks change workforce behaviour faster than our control environment changes with it?”
That is the sharper question for 2026.
The Middle East conflict and resulting energy pressure are not merely macroeconomic background noise. They are changing enterprise operating conditions in ways that make unmanaged AI adoption more likely. The combination of cost pressure, distributed work, faster decision cycles and readily available consumer AI tools is exactly the combination in which shadow AI expands.
Robust AI GRC is therefore no longer just about ethics, model inventory or future-proofing against regulation. It is an immediate resilience capability. It protects confidentiality, reduces control drift, supports regulatory defensibility and lets the organisation keep moving under stress without losing command of its own technology estate.
The firms that respond best will not be those that ban AI or force a false choice between productivity and control. They will be the ones that recognise a basic operational truth: in a volatile environment, governance must accelerate at least as fast as adoption.
That is now the real advantage.