AI Tools and Shadow IT: What Architectural Firms Need to Know Before a Designer Uploads the Wrong File

May 2026 | Qual IT Managed IT | Architectural Firms | AI Security & Shadow IT

AI tools have found their way into architectural workflows faster than most firms had time to develop policies for them. Designers are using ChatGPT to draft project narratives, Midjourney to generate concept imagery, and AI-assisted plugins inside Revit and SketchUp to accelerate modeling tasks. Some of these tools are officially approved. Many are not. And in the gap between what your firm has sanctioned and what your team is actually using, there is a growing category of risk that most architectural principals have not yet had to deal with directly: AI-driven shadow IT and the data that goes along with it.

The AI Hallucination Problem in Design Proposals

One risk that gets less attention than data leakage is AI hallucination — when an AI tool confidently generates information that is simply wrong. In an architectural context, this might look like a project narrative that cites a building code provision that does not exist, or a specification section that references a material standard that has been superseded. If that content goes from an AI tool into a proposal or deliverable without a human review step, it can create real problems: contractor confusion, compliance questions, or client disputes.

The fix is not to ban AI — it is to establish a clear workflow: AI drafts, humans approve. Any AI-generated content that leaves your firm as part of a deliverable should pass through a review step by someone who knows the subject matter well enough to catch an invented statistic or a fabricated code reference.

The Data Sharing Problem Is Larger Than Most Firms Realize

A 2024 CybSafe and NCSA study found that 38% of employees share confidential data with AI tools without employer approval. A separate BlackFog analysis found that 49% of employees use unapproved AI tools at work. In an architectural firm, 'confidential data' can include client project briefs, site plans, proprietary design concepts, construction budgets, and detailed drawings. When a designer pastes a project narrative or uploads a site plan to get AI feedback, that data may be used to train the AI model or retained on external servers — outside your firm's control and, depending on client agreements, potentially in violation of your NDA obligations.

The challenge is that these risks are largely invisible. There is no alarm that goes off when someone uploads a design file to an unapproved AI tool. The data leaves quietly, and the firm has no record that it happened.

Shadow IT: The Unapproved App Problem

Shadow IT refers to software, services, and tools that employees use without IT approval or oversight. AI tools are the fastest-growing category of shadow IT right now. In an architectural firm, shadow IT often starts with good intentions: a designer finds a tool that helps them work faster, tries it out, finds it useful, and starts integrating it into their workflow without formally requesting approval. By the time the principal is aware of it, the tool has become part of the team's daily process.

The problem is not the tool itself — it is the absence of vetting. Unapproved tools have not been reviewed for data handling practices, security controls, or compliance with your client agreements. They may store data in jurisdictions with different privacy laws, retain inputs for model training, or have security vulnerabilities that put your firm's environment at risk.

Three Policies That Reduce AI-Related Risk Without Killing Productivity

1. Define What Should Never Be Fed Into an AI Tool

The most practical starting point is a short, clear list of data types that should never be entered into any external AI tool without explicit approval. For an architectural firm, that list typically includes: client names and project identifiers, site addresses and location data, proprietary design details or unpublished schematics, construction cost data, and any content covered by NDA. Post this list where your team can see it. Make it short enough to actually be read.

2. Establish Approved AI Tools and a Request Process for New Ones

Create a short approved tools list — the AI tools your firm has vetted and sanctioned for use. For tools not on the list, establish a lightweight approval process: a designer who wants to use a new AI tool submits a brief request, someone reviews the tool's data handling policy, and a decision is made within a reasonable timeframe. This does not need to be bureaucratic — the goal is visibility and a record of what tools are in use, not a barrier to productivity.

Many architectural firms find it helpful to specifically address Autodesk's AI features (which are built into sanctioned tools) versus third-party AI plugins that may have different data handling terms.

3. Implement the AI Drafts, Humans Approve Workflow

For any AI-generated content that will be used in a deliverable — project narratives, specifications, client communications, proposal language — require a human review step before it goes out the door. This catches hallucinations, ensures the firm's voice and professional judgment are reflected, and creates accountability. Document this as a standard workflow so it applies consistently across the team, not just when someone remembers.

The Right Balance: Enabling AI While Managing the Risk

The architectural firms that handle this well are not the ones that ban AI tools — they are the ones that channel AI adoption through a clear, lightweight framework. Most of your designers are using AI because it genuinely helps them work better. The goal is to make sure that productivity gain does not come with hidden data exposure, contract risk, or the kind of AI-generated error that ends up in a client deliverable.

We work with Salt Lake City architectural firms to protect design files and keep project workflows running. That includes helping firms develop practical AI and shadow IT policies that match how their teams actually work.


Frequently Asked Questions

Q: Autodesk has AI features built into Revit and BIM 360. Are those safe to use?

Built-in Autodesk AI features operate under Autodesk's data handling terms, which you have already agreed to as part of your subscription. That is meaningfully different from a third-party AI tool with its own data retention policies. Review Autodesk's current AI data terms — they have evolved — and make sure you understand what inputs are retained. But generally, AI features inside your contracted Autodesk platforms carry far less shadow IT risk than standalone external tools.

Q: One of our designers used ChatGPT to write a project narrative and included client details. What do we do?

First, assess what was shared: client name, project specifics, proprietary design details. Check whether your client NDA has provisions about third-party data sharing. Depending on the sensitivity, you may need to disclose this to the client. Going forward, this is exactly the kind of incident that makes the case for a clear policy — a defined list of what should not go into external AI tools, communicated before the next proposal season.

Q: How do we find out what AI tools our team is currently using?

A network traffic audit by your IT partner can reveal what external services are being accessed from firm devices and the firm network. A direct team survey is also useful and often more revealing than technical audits — most employees will disclose what they are using if asked directly and non-judgmentally. The goal of the initial discovery is not to punish anyone; it is to build an accurate picture of the current tool landscape so you can make informed decisions about what to approve, what to replace with a vetted alternative, and what to discontinue.
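As an added illustration of the network traffic audit described above (example code written for this page, not a Qual IT tool), the sketch below summarises AI-service traffic per device from a DNS or proxy log export and marks which tools fall outside an approved list. The log layout, device names, domain mapping and approved list are all assumptions. Logs like this show which services were contacted and roughly how much was sent, not the content of what was uploaded.

```python
import csv
import io
from collections import defaultdict

# Assumed mapping of AI-service domains to tool names; extend it for your firm.
AI_DOMAINS = {
    "chatgpt.com": "ChatGPT",
    "openai.com": "ChatGPT",
    "midjourney.com": "Midjourney",
}
# Hypothetical approved-tools list (policy 2 above).
APPROVED_TOOLS = {"ChatGPT"}

# Constructed sample export: timestamp, device, requested host, bytes sent.
SAMPLE_LOG = """\
2026-05-04T09:12:01,ws-design-03,chatgpt.com,18234
2026-05-04T09:12:40,ws-design-03,www.midjourney.com,5120
2026-05-04T09:15:02,ws-design-07,www.midjourney.com,2400000
2026-05-04T09:15:30,ws-design-07,www.midjourney.com,600000
2026-05-04T09:20:11,ws-admin-01,chatgpt.com.example.net,900
2026-05-04T09:21:00,ws-admin-01,api.openai.com,4096
truncated line
"""

def match_tool(host):
    """Return the tool whose domain equals host or is a parent domain of it."""
    host = host.strip().lower().rstrip(".")
    labels = host.split(".")
    for i in range(len(labels) - 1):
        # Compare whole-label suffixes so look-alike hosts do not match.
        tool = AI_DOMAINS.get(".".join(labels[i:]))
        if tool:
            return tool
    return None

def audit(log_text, approved=APPROVED_TOOLS):
    """Summarise AI-tool traffic per (device, tool) with an approval flag."""
    usage = defaultdict(lambda: {"requests": 0, "bytes_out": 0})
    for row in csv.reader(io.StringIO(log_text)):
        tool = match_tool(row[2]) if len(row) == 4 else None
        if tool is None:
            continue  # malformed line, or not a known AI service
        entry = usage[(row[1], tool)]
        entry["requests"] += 1
        entry["bytes_out"] += int(row[3]) if row[3].isdigit() else 0
    return [{"device": d, "tool": t, "approved": t in approved, **v}
            for (d, t), v in sorted(usage.items())]

if __name__ == "__main__":
    print(*audit(SAMPLE_LOG), sep="\n")
```

Devices that work off the firm network or use encrypted DNS will not appear in such an export, which is one reason the team survey remains a useful complement.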