
Bring Your Own LLM (BYOLLM) Is Here: How Employee AI Use is Reshaping Data Security Risk

Apr 21, 2026

Bring Your Own LLM (BYOLLM) Is Here

Employees are no longer just bringing their own devices to work; they are bringing their own AI. Unlike a personal device, a generative AI tool is more than a productivity aid: it can transmit sensitive company data, instantly and irreversibly, far beyond organizational control.

Traditional Bring Your Own Device (BYOD) policies were designed to manage business data living on employees’ personal devices. By contrast, BYOLLM (Bring Your Own Large Language Model), also called “shadow AI”, raises more complicated questions: where business data is transmitted, where it resides after transmission, and who can access and reuse it. Each question requires organizations to take an active role in establishing governance frameworks that define how confidential company data is protected and secured.

BYOD: Controlling Devices and Protecting Data 

BYOD policies are designed to control how personal devices are used for business, and how sensitive data is protected, stored, and preserved. At a minimum, a BYOD policy should address:

  • Acceptable use of a BYOD device for business 
  • Approved devices, apps, and access controls 
  • Data storage, retention, and preservation requirements 
  • Monitoring and management protocols  
  • Separation of personal and business data  
  • Legal and regulatory obligations 

Compared to BYOLLM risks, traditional BYOD controls are relatively straightforward because business data remains discoverable and under organizational control. Bottom line: If employees use personal devices to conduct business, the data generated is subject to legal hold and discovery obligations. 

BYOLLM: A New Category of Data Risk  

In recent years, however, a trend has emerged alongside BYOD: the use of personal or employee-owned generative AI tools. A growing percentage of employees now bring and use their own AI tools outside approved channels, often without IT or legal oversight.

A 2024 study by CybSafe and the National Cybersecurity Alliance (NCA) found that approximately 38% of employees engage in shadow AI, sharing confidential data with AI platforms without employer knowledge or consent. 

The risk is increasingly documented and not hypothetical. A recent Axiom Law survey concluded that corporate legal teams are routinely inputting highly sensitive data (M&A strategy, litigation tactics, trade secrets, and more) into consumer AI tools with little or no control over how that data is being used or stored.  

And the gap between AI adoption and governance is widening rapidly:  

  • 83% of those surveyed by Axiom are using AI tools not provided by their company. 
  • 47% said their company has no formal policy in place to guide AI use. 
  • 46% use AI tools to draft complex legal contracts without training. 
  • Only 40% said their companies have basic safeguards in place. 

In other words, usage is accelerating faster than oversight. 

The emergence of generative AI adds another layer of risk to an already slippery data protection slope. When employees input data into public, unvetted AI tools, they risk inadvertently exposing their organization’s confidential or proprietary information to third parties, leading to serious legal ramifications.  

What an Effective BYOLLM Governance Framework Looks Like 

While BYOLLM offers real advantages and productivity enhancements, it fundamentally changes the data risk environment. Without strong governance, employees can unknowingly expose sensitive information in ways that are challenging or even impossible to reverse. To address BYOLLM risk, organizations need AI governance frameworks that extend beyond traditional BYOD controls and explicitly address how AI systems process, retain, and potentially re-use data. Key components include: 

  • Data Classification and Handling Rules: Define what data can be sent to external AI models and what must stay in-house, with emphasis on the clear definition of permitted and non-permitted data categories. 
  • Zero Data Retention (ZDR): Require provider terms under which company data is not retained and is not used to train LLMs.
  • Allowed LLM Providers: Maintain a vetted list of approved LLM models and outline a process for approving new models. 
  • Monitoring and Auditing: Log and monitor all AI interactions. Consider deploying browser-level monitoring and controls, since AI activity is primarily transmitted via browser-based apps, which may be outside of standard endpoint monitoring.
  • Human-In-The-Loop (HITL): Require human validation for high-risk outputs such as legal analysis, contracts, and regulatory content. 
  • Accuracy Testing: Apply safeguards to validate outputs. 
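To make three of these components concrete (an allowed-provider list, data classification rules, and monitoring of AI traffic), here is an added example that is not code from this post or from CDS. It evaluates constructed browser-proxy log lines against a vetted-provider list and a few classification patterns and returns findings a security team could route to review. The log format, the `.example` hostnames, the `MATTER-` identifier format and the marker patterns are all assumptions made for the illustration.

```python
"""Added example (not the post's or CDS's code): a policy check that applies an
approved-LLM-provider list, data classification rules and AI-traffic monitoring
to constructed proxy log lines. Hostnames, log format and patterns are assumed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Allowed LLM Providers: the vetted list (assumed placeholder hostnames).
APPROVED_LLM_HOSTS = {"llm.approved-vendor.example"}
# Hosts the proxy recognises as LLM services, approved or not (assumed).
KNOWN_LLM_HOSTS = APPROVED_LLM_HOSTS | {"chat.unvetted-ai.example", "assist.free-llm.example"}

# Data Classification and Handling Rules: content that must stay in-house.
# Illustrative patterns only; a real deployment would use its own classifier.
RESTRICTED_PATTERNS = {
    "classification-marker": re.compile(r"\b(CONFIDENTIAL|PRIVILEGED|ATTORNEY[- ]CLIENT)\b", re.IGNORECASE),
    "matter-number": re.compile(r"\bMATTER-\d{4,}\b"),   # constructed internal id format
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Constructed browser-proxy log format (assumed): one request per line.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) '
    r'host=(?P<host>\S+) bytes=(?P<bytes>\d+) body="(?P<body>.*)"$'
)


@dataclass
class Finding:
    ts: str
    user: str
    host: str
    rule: str
    severity: str
    details: list[str] = field(default_factory=list)


def parse_line(line: str) -> dict | None:
    """Return the log fields as a dict, or None for a line that does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(entry: dict) -> list[Finding]:
    """Apply the provider allow-list and classification rules to one request."""
    host = entry["host"]
    if host not in KNOWN_LLM_HOSTS:
        return []  # not AI traffic; out of scope for this check
    findings: list[Finding] = []
    approved = host in APPROVED_LLM_HOSTS
    if not approved:
        findings.append(Finding(entry["ts"], entry["user"], host,
                                "unapproved-llm-provider", "medium", ["host not on vetted list"]))
    hits = [name for name, rx in RESTRICTED_PATTERNS.items() if rx.search(entry["body"])]
    if hits:
        # Restricted data sent to an unvetted provider is the worst case; even an
        # approved provider under ZDR terms still violates the handling rules.
        findings.append(Finding(entry["ts"], entry["user"], host,
                                "restricted-data-to-llm", "high" if not approved else "medium", hits))
    return findings


def scan(log_text: str) -> list[Finding]:
    """Monitoring and Auditing: run every parseable line through evaluate()."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            findings.extend(evaluate(entry))
    return findings


# Constructed sample log: four requests, two of which should raise findings.
SAMPLE_LOG = """\
2026-04-21T09:02:11Z user=jdoe method=POST host=llm.approved-vendor.example bytes=812 body="Summarize this public press release about our new office"
2026-04-21T09:05:43Z user=jdoe method=POST host=chat.unvetted-ai.example bytes=2210 body="Draft a response in MATTER-20451, CONFIDENTIAL settlement strategy"
2026-04-21T09:07:02Z user=asmith method=POST host=llm.approved-vendor.example bytes=540 body="Employee SSN 123-45-6789 needs a benefits letter"
2026-04-21T09:09:30Z user=asmith method=GET host=intranet.corp.example bytes=120 body=""
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.user} {f.host} {f.rule} severity={f.severity} {f.details}")
```

Run as a script, the check reports nothing for the first request (approved provider, public content), two findings for the second (unvetted provider, plus a classification marker and a matter number in the prompt), one medium finding for the third (approved provider, but a personal identifier left the organization), and nothing for the intranet request. The same structure extends to browser-extension or CASB telemetry; what matters is that the provider list and the classification rules are written down once and applied to every AI interaction.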

Organizations that treat AI use simply as an extension of existing BYOD policies may overlook the unique challenges introduced by AI-driven data propagation. But those that proactively define how AI models can be used, what data may be shared, and how outputs are validated will be better positioned to leverage generative AI while managing its associated risks. 

CDS provides a full range of Advisory Services, including assistance with mobile device/data collections, forensic analysis, and short message data collection, conversion, and review. For more information, contact us.

About the Author

Brad Berkshire

Brad Berkshire is an eDiscovery, information governance, and digital forensics expert whose role at Complete Discovery Source includes leading complex projects and consulting, training, and educating internal teams as well as external clients on information governance, digital forensics, and data acquisition best practices. He also provides consulting and advisory services to the CDS forensic services team and direct support to clients with project scoping on information governance and forensics-related projects. In his 25-plus years of experience working in information systems, digital forensics, and eDiscovery services, Brad has performed over 2,800 targeted data collections and forensic imaging acquisitions for cyber investigation, discovery response, and regulatory response engagements. These engagements include forensic data acquisition and data analysis for all types of digital storage, including PC and Mac laptops and desktops, servers and enterprise application sources, structured databases, cloud data sources, social media sources, and mobile devices and mobile device application sources.