
May 2026 | Qualit Managed IT | Engineering Firms | AI Security & Shadow IT
AI tools are moving into engineering workflows at a pace that most firm principals did not anticipate. Engineers are using AI assistants to draft technical specifications, summarize project documentation, generate code for data analysis, and accelerate literature reviews for design decisions. Some of these tools are officially sanctioned. Many are not. And in the gap between what your firm has approved and what your project staff is actually using, there is a growing category of risk — AI-driven shadow IT and the sensitive project data that goes with it. For engineering firms, where project files may include proprietary calculations, government project data, and infrastructure specifications, the stakes of an undiscovered data exposure are higher than most principals have fully considered.
The AI Hallucination Problem in Engineering Deliverables
One risk that gets less attention than data leakage is AI hallucination — AI tools generating technically plausible but factually incorrect content. In an engineering context, this is particularly dangerous. An AI tool asked to summarize a structural design standard might reference provisions that do not exist or have been superseded. An AI-assisted specification draft might cite load tables or material standards incorrectly. If that content is incorporated into a deliverable — a structural calculation, a project specification, a report for a DOT submission — without a thorough human review, the consequences range from embarrassing to legally significant.
The fix is a documented workflow: AI drafts, engineers review and verify. Any AI-generated content used in a technical deliverable must be reviewed by a qualified engineer who can catch an invented standard or a fabricated reference before it leaves the firm.
The Data Sharing Problem Is Larger Than Most Firms Realize
A 2024 CybSafe and NCSA study found that 38% of employees share confidential data with AI tools without employer approval. A separate BlackFog analysis found that 49% of employees use unapproved AI tools at work. For engineering firms, confidential data includes project calculations, infrastructure designs, client specifications, simulation outputs, and — for government or DOT clients — data that may be subject to specific handling requirements under contract terms.
When an engineer pastes a project specification or uploads a drawing to get AI feedback, that data may be retained by the AI provider on external servers, used to train future model versions, or accessible to third parties under the provider's terms of service. None of that is visible to the firm — and none of it triggers any internal alert. The data leaves quietly, and there is no record.
Shadow IT in Engineering: The Unapproved Tool Problem
Shadow IT refers to software and services used without IT approval or oversight. In engineering firms, shadow IT often starts organically: an engineer discovers a tool that accelerates a tedious process — summarizing technical documents, checking calculations, drafting specification language — tries it, finds it useful, and begins integrating it into their regular workflow. By the time the project principal is aware of it, it has become part of how the team operates.
The risk is not the tool itself — it is the absence of vetting. Unapproved AI tools have not been reviewed against your firm's data handling obligations, client NDA terms, or government contract security requirements. They may store data in jurisdictions with different privacy laws, have terms that allow them to use inputs for model training, or have security vulnerabilities that create risk in your firm's environment.
Three Policies That Reduce AI-Related Risk Without Killing Productivity
1. Define What Should Never Be Fed Into an External AI Tool
Start with a short, clear list of data categories that should not be entered into any external AI tool without explicit approval. For an engineering firm, that typically includes: client names and project identifiers, proprietary calculation methodologies, design specifications that are covered by NDA, government or DOT project data with security requirements, and anything that could identify infrastructure vulnerabilities. A concise, readable policy is far more effective than a lengthy security document that no one reads.
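As an added illustration (not code from the original post or from Qualit), the list above can be turned into a pre-check that runs on a prompt before it is sent to an external AI tool. The client names, project-ID format, infrastructure keywords and sample prompts below are constructed for the example; a firm would substitute the entries from its own policy.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed policy data for this example. A firm would maintain its real
# client list, project-ID format and marking terms in its own policy file.
CLIENT_NAMES = ["Northbend Water District", "Acme Bridgeworks"]   # constructed
PROJECT_ID_RE = re.compile(r"\bPRJ-\d{4}-\d{3}\b")                # constructed ID format
# Word boundaries matter: "NDA" appears inside "STANDARD", "CUI" inside "CIRCUIT".
MARKING_RE = re.compile(
    r"\b(CUI|FOUO|CONTROLLED UNCLASSIFIED|CONFIDENTIAL|PROPRIETARY|NDA)\b", re.I
)
# Constructed heuristic for "anything that could identify infrastructure vulnerabilities".
INFRA_RE = re.compile(r"\b(SCADA|control system|pump station|valve schedule)\b", re.I)


@dataclass(frozen=True)
class Finding:
    category: str     # policy category from the "never feed to external AI" list
    evidence: str     # matched text, shown to the engineer so the block is explainable
    redactable: bool  # True when a placeholder can stand in and the prompt may proceed


def scan_prompt(text: str) -> list[Finding]:
    """Match a prompt against the firm's prohibited-data categories."""
    findings: list[Finding] = []
    for name in CLIENT_NAMES:
        if re.search(re.escape(name), text, re.I):
            findings.append(Finding("client_name", name, True))
    for pid in PROJECT_ID_RE.findall(text):
        findings.append(Finding("project_identifier", pid, True))
    for m in MARKING_RE.finditer(text):
        findings.append(Finding("sensitivity_marking", m.group(0), False))
    for m in INFRA_RE.finditer(text):
        findings.append(Finding("infrastructure_detail", m.group(0), False))
    return findings


def redact(text: str) -> str:
    """Replace redactable identifiers with neutral placeholders."""
    out = PROJECT_ID_RE.sub("[PROJECT-ID]", text)
    for name in CLIENT_NAMES:
        out = re.sub(re.escape(name), "[CLIENT]", out, flags=re.I)
    return out


def decide(text: str) -> tuple[str, str]:
    """Return (verdict, text_to_send); verdicts are allow, allow_redacted, block.

    Identifiers can be masked and the prompt sent on. A sensitivity marking or
    infrastructure detail cannot be made safe by masking a word, so it blocks.
    """
    findings = scan_prompt(text)
    if not findings:
        return "allow", text
    if all(f.redactable for f in findings):
        return "allow_redacted", redact(text)
    return "block", ""


if __name__ == "__main__":
    # Constructed prompts covering the three outcomes.
    for prompt in [
        "Summarize the load combinations in this section of the standard.",
        "Rewrite this paragraph for PRJ-2025-014 for Acme Bridgeworks.",
        "Attached is the CONFIDENTIAL SCADA layout for the pump station.",
    ]:
        verdict, sent = decide(prompt)
        print(f"{verdict:15} {sent!r}")
        for f in scan_prompt(prompt):
            print(f"    {f.category}: {f.evidence}")
```

The verdict and the findings are what make the control usable: an engineer who sees "block: sensitivity_marking CONFIDENTIAL" knows exactly which line of the policy applied, which is the short, readable enforcement the paragraph argues for.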
2. Establish Approved Tools and a Request Process
Create an approved AI tools list — the tools your firm has reviewed and authorized for specific use cases. Establish a lightweight process for requesting approval of new tools: a brief request form, a data handling review, and a decision within a defined timeframe. The goal is not to create barriers but to create visibility — a documented record of what tools are in use and what data they are authorized to handle.
For engineering firms, it is worth addressing the AI features built into contracted platforms separately. AutoCAD and Civil 3D have AI-assisted features that operate under Autodesk's data terms. Simulation platforms like ANSYS increasingly incorporate AI features under their own licensing terms. These are distinct from third-party standalone AI tools and should be assessed accordingly.
3. Implement the "AI Drafts, Engineers Verify" Workflow
For any AI-generated content that will appear in a technical deliverable — specifications, calculation summaries, project reports, DOT submission documents — require documented review by a qualified engineer before the content is finalized. This is both a data integrity control and a professional liability protection. Engineers signing and sealing work product are responsible for its accuracy, regardless of what tool produced the first draft.
The Right Balance: Enabling AI While Managing Technical and Legal Risk
Engineering firms that manage this well are not the ones that prohibit AI tools — they are the ones that channel AI adoption through a practical framework. Your project staff is using AI because it genuinely helps them work more efficiently. The goal is to ensure that efficiency gain does not come with undisclosed data exposure, contract violations, or the kind of AI-generated technical error that creates liability for a sealed deliverable.
We work with Salt Lake City engineering firms to protect project data and support technical workflows. That includes helping firms develop AI and shadow IT policies that are technically sound and matched to how engineering teams actually work.
Schedule a free discovery call with Qualit to review your firm's AI tool policies.
Frequently Asked Questions
Q: Our engineers use AI to help draft specification sections. Is that acceptable?
AI-assisted specification drafting is acceptable with appropriate controls. The key requirements are: no confidential project data in the prompt, human review and verification of all AI-generated content before it is incorporated into a deliverable, and use of an approved tool with known data handling terms. The engineer responsible for the specification is still professionally accountable for its accuracy — the AI is a drafting assistant, not a substitute for engineering judgment.
Q: We work on DOT and government projects. Do those projects restrict AI tool use?
Many government and DOT contracts include data handling and security provisions that may affect AI tool use, particularly if project data includes infrastructure specifications, sensitive site information, or data categorized as controlled unclassified information (CUI). Review the security provisions in your active government contracts and assess whether your current AI tool usage is consistent with those terms. When in doubt, limit AI tool use on government projects to approved internal tools until you have a clear answer.
Q: How do we find out what AI tools our engineering team is currently using?
A network traffic audit conducted by your IT partner is the most comprehensive method — it reveals what external services are being accessed from firm devices. A direct team survey is also effective and usually more candid than principals expect. Frame it as an opportunity to build an approved tools list rather than a compliance audit, and most engineers will disclose what they are using. The output of the discovery process is an accurate inventory that lets you make informed decisions about what to approve, what to replace with a vetted alternative, and what to discontinue.
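Added example, not code from the original post or from Qualit: the core of the network traffic audit described above, in Python. It parses constructed proxy log lines (the field layout is assumed for the example, not a real product's format), matches each host against a small catalogue of known AI service domains, compares the result with an assumed approved-tools list, and flags large outbound POSTs as probable document uploads.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Catalogue of public AI service domains to look for. Extend with the services
# relevant to the firm; subdomains are matched by suffix so a single entry covers them.
AI_SERVICE_DOMAINS = {
    "api.openai.com": "OpenAI API",
    "chatgpt.com": "ChatGPT",
    "claude.ai": "Claude",
    "api.anthropic.com": "Anthropic API",
    "gemini.google.com": "Gemini",
    "copilot.microsoft.com": "Copilot",
}

# Assumed: the services the firm has authorised under its approved-tools list.
APPROVED = {"copilot.microsoft.com"}

# Assumed threshold: an outbound POST above this many bytes is treated as a file upload.
UPLOAD_THRESHOLD = 1_000_000

# Constructed log layout: timestamp src_ip user method host bytes_out
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<bytes_out>\d+)$"
)

# Constructed sample proxy log; the hostnames' subdomain and the users are made up.
SAMPLE_LOG = """\
2026-05-04T09:12:31Z 10.20.1.45 jdoe POST api.openai.com 18324
2026-05-04T09:13:02Z 10.20.1.45 jdoe GET chatgpt.com 812
2026-05-04T09:20:10Z 10.20.1.77 asmith POST claude.ai 2410
2026-05-04T09:21:44Z 10.20.1.77 asmith POST files.claude.ai 5242880
2026-05-04T09:30:00Z 10.20.1.90 rlee GET autodesk.com 4021
2026-05-04T09:31:15Z 10.20.1.12 mkhan POST copilot.microsoft.com 920
garbage line that does not parse
"""


def match_service(host: str) -> str | None:
    """Return the catalogue entry whose domain is host or a parent of host."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in AI_SERVICE_DOMAINS:
            return candidate
    return None


def audit(lines: list[str], approved: set[str]) -> dict[str, dict]:
    """Build an inventory of AI services seen in the log, keyed by catalogue domain."""
    inventory: dict[str, dict] = defaultdict(
        lambda: {"users": set(), "requests": 0, "bytes_out": 0, "large_uploads": 0, "status": ""}
    )
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the audit
        service = match_service(m["host"])
        if service is None:
            continue  # not an AI service in the catalogue
        rec = inventory[service]
        rec["users"].add(m["user"])
        rec["requests"] += 1
        rec["bytes_out"] += int(m["bytes_out"])
        if m["method"] == "POST" and int(m["bytes_out"]) > UPLOAD_THRESHOLD:
            rec["large_uploads"] += 1
        rec["status"] = "approved" if service in approved else "unapproved"
    return dict(inventory)


def report(inventory: dict[str, dict]) -> list[str]:
    """Render the inventory, unapproved services first, as one line per service."""
    rows = []
    for domain, rec in sorted(inventory.items(), key=lambda kv: (kv[1]["status"] != "unapproved", kv[0])):
        rows.append(
            f"{rec['status']:10} {AI_SERVICE_DOMAINS[domain]:14} users={len(rec['users'])} "
            f"requests={rec['requests']} bytes_out={rec['bytes_out']} large_uploads={rec['large_uploads']}"
        )
    return rows


if __name__ == "__main__":
    for row in report(audit(SAMPLE_LOG.splitlines(), APPROVED)):
        print(row)
```

The report is the inventory the paragraph describes: each unapproved service with a user count, request count and upload indicator is a concrete item to approve, replace with a vetted alternative, or discontinue, and the approved entry shows the audit is not only a blocklist. Pair it with the team survey, since encrypted traffic from unmanaged devices will not appear in firm proxy logs.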