Your AI Governance Is Guarding the Wrong Door

I gave Claude Cowork exactly two instructions.

The first: “Help me create my own custom Gmail MCP server.”

[Screenshot: Claude Cowork building a custom Gmail MCP server from one plain-English prompt, generating the server code files in a working folder.]
Prompt one. One plain sentence, and Claude Cowork scaffolded the project and wrote every file for a working Gmail connector.

Once it finished, the second: “Help me install and configure it on my machine and make it available to you as a connector.”

[Screenshot: Claude Cowork giving step-by-step instructions to install and configure the custom MCP server as a connector on the user's machine.]
Prompt two, the last one. Claude Cowork walked me through installing and registering the connector. No code, no technical knowledge required.

That was the entire interaction. Two plain-English sentences. Between them, Cowork wrote all the code for a fully functional, non-trivial connector to my email, and then walked me through standing it up on my own machine.

One thing about the tool, because it matters. Claude Cowork is not a coding environment for developers. It is a general-purpose AI assistant, the kind built for everyday knowledge work. And none of this is unique to it. Plain Claude Chat, the ordinary chat window millions of people already use, could have produced the very same connector. Cowork just did it in one shot. In Chat it takes a little more back-and-forth, and the result is identical.

Here is what I did not do. I did not write a line of code. I did not need to know what an MCP server is. I did not need to know how to install a developer tool on a computer. I am a highly technical person, with thirty years of engineering behind me, and not one ounce of that mattered here. Any employee, in any role, in any organization, could have typed those same two sentences and gotten the same working result.

Here is why that should stop an AI governance team cold. Across organization after organization, I watch the same reflex play out. Lock the AI down to a short list of approved tools. Pair it with an acceptable-use policy. Treat that combination as the entire solution.

It feels like control. It is not.

If a working connector is two sentences away for anyone who can describe what they want, then the thing you are trying to govern was never a connector. It is a sentence. And you cannot lock down a sentence.

What Every AI Governance Team Is Doing Right Now

Let me describe the pattern, because if you have lived through an AI rollout you will recognize it immediately.

The organization gets serious about AI. It convenes the right people: cybersecurity, legal, HR, a representative from every corner. And then each of them applies the playbook they already know.

Cybersecurity locks down the tools. Two approved connectors instead of fifty. Skills and plugins banned. An allowlist, because an allowlist has always worked before.

Legal writes the acceptable-use policy. A document that states what employees may and may not do, signed and filed.

The AI governance group looks at the locked-down tools and the signed policy and concludes the problem is solved.

I want to be fair to this instinct, because it is not foolish. The liability is real. The supply-chain risk is real. A tool left wide open really is dangerous, and “start restrictive” is sound advice. Every person in that room is doing their job with care.

Here is the problem. Every one of those moves is a reasonable instinct. Not one of them is aimed at where the risk actually lives.

The Lever Is Language, and You Cannot Fence It In

For thirty years, risk management in technology has governed two things: artifacts and actions.

We scan files. We sign binaries. We allowlist installed applications. We inspect data flows. We review commits before they merge. Every one of those controls rests on the same assumption: the dangerous thing is a discrete object that exists before it is used, so you can catch it on the way in.

Generative AI breaks that assumption at the root.

The lever is not a file or a binary. The lever is text. A prompt. And text has three properties that defeat every artifact-based control we have ever built.

Text is generative. The prompt itself does no harm. It instructs a capable agent to produce the thing that does, fresh, locally, at the moment you ask. There is no artifact to scan, because the artifact does not exist yet.

Text is unbounded. There is no signature for an intent. “Build me a connector to my email,” “help me automate my inbox,” and “pull my mail into a spreadsheet” are the same request wearing three outfits. You cannot blocklist a meaning.

Text is the universal channel. The same prompt box that could improvise a workaround is the box your people use for every legitimate thing they do all day. You cannot close the dangerous channel without closing all the work.

You cannot put a perimeter around language.

Watch how the surface widens. Picture a ladder, and notice that each rung takes less skill than the one before, and is harder to govern.

On the first rung, the assistant builds an integration. That is the connector I described at the top. It reaches into a real system.

On the second rung, the assistant builds itself a new skill.

A word on what that means, because “skill” has a specific sense here. Modern AI assistants, Claude among them, use skills to extend what they can do. A skill is a small package, built to an open standard, and it can hold two things: plain-language instructions that tell the assistant how to carry out some task, and actual source code, Python or JavaScript or whatever fits, that the assistant runs when it uses the skill. Plenty of useful skills need code to work.

Here is the part that matters. The assistant knows how to create its own skills, and it can install them into itself. Ask a non-technical employee to do this and they write nothing, read nothing, and understand nothing. They describe what they want. The assistant designs the skill, writes the instructions, writes whatever code is required, and installs it. With the connector at the top of this article, I still had to run the install steps myself. A skill, the assistant can stand up on its own, and the employee may never see a single line of the code inside it. I have Claude build and install its own skills routinely. From the user’s side, it is just a short conversation. And if that sounds like something only a technologist could pull off, it is not: Claude is built to create and install skills on its own, and ordinary users on Claude chat, Cowork, and Claude Code do exactly this every day, just by describing what they need.

So even if you blocked every connector, this path is wide open. A skill carries its own code and does its work with no connector involved at all.

On the third rung, it is not even about code. The assistant gives plain, step-by-step instructions for something risky. The how-to-anything engine. This rung is the proof that the problem was never really about code.

And the lever is not always something your employee typed. Hidden instructions inside a web page or an email can hijack an agent that reads them. A prompt with sensitive data pasted into it can be the leak itself. The surface is not a list of features you can enumerate. It is the entire space of things expressible in words.

Here is what that means for AI governance. The capability ships with the product. You are not deciding whether your people have this. You are only deciding whether you can see them use it.

Lockdown Doesn’t Remove the Risk. It Hides It.

Now follow what an allowlist actually does.

You block the official connector, the one built and reviewed by real developers. You have not removed the capability. The person still needs to reach their email. So they turn to the assistant and have it improvise a replacement.

Look at what you just traded. You had a connector built and maintained by real developers and vetted by a trusted vendor. You now have one improvised on the spot, unreviewed, unsanctioned, authored by someone who cannot read the code it is made of.

It gets worse, because the replacement is invisible.

An improvised skill or script is a local file on a laptop. Your network monitoring does not see it for what it is. Your admin console does not list it. Your audit log does not contain it. The vendors are quiet about this in their marketing and clear about it in their documentation. Anthropic’s own guidance concedes that its desktop extension allowlist does not protect against tampering with local files. And the monitoring built into these agent products is passive by design. It is useful for a post-mortem. It cannot detect or block anything in the moment.

Lockdown did not remove the risk. It converted a reviewed, visible risk into an unreviewed, invisible one. And it let you feel safer doing it.

That is the worst trade on the board.

What Lockdown Costs You, Even When It Works

At this point a security leader says: fine, then we disable all of it.

Let me concede the point completely. Yes, you can. You can throw every switch. Local servers off. Extensions off. Skills off. Code execution off. File creation off. The vendor documents every one of those switches, and a determined administrator can flip them all.

Now look at what you are holding. An agent that cannot write a script. Cannot build a document. Cannot run an analysis. Cannot reach a single system.

That is not an AI agent. That is a 2022 chatbot with a search box.

You did not secure the tool. You deleted it.

The only lockdown complete enough to stop the workaround is the one that removes the reason you bought the tool. “Yes, we could disable all of it” is not a rebuttal. It is the whole problem.

And it is worse than a dead tool, because of what the dead tool was supposed to do for you.

The promise of this technology is twofold. There are the efficiency gains, the ordinary work done faster and better. And there are the entirely new capabilities, the things your organization simply could not do a year ago and can do now. Heavy lockdown does not trim the first and protect the second. It forfeits both.

While you congratulate the team on a tidy, locked-down environment, your competitors are answering a different question. They are asking what they can do this quarter that was impossible last quarter. You did not just disarm the agent. You handed away the advantage.

You Don’t Have the Control You Think

Here is the most sophisticated objection to everything so far, and it deserves a straight answer.

Someone deep in AI and security will say: the controls are getting better. I can already block an MCP server from installing, block a connector, block a skill, stop code from running, lock the settings. The labs ship new controls every month. Give it time and the surface closes.

Grant all of it. Assume every one of those controls exists and is switched on.

It still does not give you what you think, and here is why. The thing that makes a generative AI assistant useful is that it is goal-seeking. It is built to pursue what the user is trying to accomplish and to be maximally helpful in getting there. It is also non-deterministic. You cannot predict in advance exactly what it will do, how it will do it, or how far it will go.

Put those together. A goal-seeking, non-deterministic system that meets one of your controls does not stop. It treats the control as one more obstacle between the user and the goal, and it looks for another route. It may find it cannot write to one location and suggest another. It may work around a blocked path without the user asking. None of this needs a malicious user or a malicious agent. It is the system doing the one thing it was built to do.

This is not hypothetical. In controlled safety tests, frontier models, Claude among them, have been documented resorting to deception and even blackmail when they judged it necessary to reach a goal. The labs report this themselves.

Organizations leaning on traditional controls, blocking the install, the connector, the file write, believe they hold a level of control they no longer have. Keep the controls. They still have value. But stop mistaking them for certainty. You do not have the control you think you have, or the control you had in the past.

You Cannot Govern Against Human Nature

Here is the part the policy never accounts for.

A large subset of any workforce will ignore a policy they believe is seriously getting in the way of their work. I have watched this across many organizations. It is not fringe behavior. It is predictable, and it should be planned for like any other certainty.

This is not rebellion, and it is not a discipline problem. It is people resolving a contradiction the organization handed them.

Set the two messages side by side. The same organization tells its employees, “We hold you accountable for your productivity at your annual review.” And it tells them, “We are blocking you from using the tool that most increases it.”

Those two messages cannot both be honored. So people honor the one that is actually measured, and they quietly route around the one that is not realistically enforced. They are behaving exactly the way the incentive structure tells them to.

The result has a name. It is shadow AI, and the numbers are not subtle. Surveys in 2026 put the share of employees using unsanctioned AI tools well above half, with only a minority of that usage running through approved accounts. The “no AI without approval” memo is one of the most ignored documents in the modern workplace.

Now here is the sharpest edge, and it is the one most leaders miss.

The bind does not land evenly. It lands hardest on your best people.

Your most motivated, highest-output people have already worked out that their careers now depend on real fluency with this technology. They are not guessing. They are watching the industry, and they are watching their own future. When the message reaches them that this organization intends to hold them back, they do not just route around the policy. They update their plans.

A strong engineer, a sharp product manager, a forward-thinking leader reads “we are blocking the most important skill of your career” as exactly what it is. And the market for that person is wide open, and getting wider.

I want to be careful here, because the point is structural, not a knock on anyone. Lockdown does not filter randomly. It pushes hardest on the people with the most options and the most career exposure, which are precisely the people you most want to keep. Run that policy long enough and you have selected your workforce against the exact trait you need most. Nobody set out to design an adverse-selection program. They ran one anyway.

Govern as if human nature does not exist, and you have not written a safety control. You have written a CYA document, and you have started a slow leak of the people you can least afford to lose.

A Policy Cannot Undo the Damage

So you are left holding that CYA document. It is worth being clear about what it can and cannot do.

An acceptable-use policy is a liability instrument. It is not a safety control. It is built to answer one question after an incident: whose fault was it. It is not built to answer the question that actually matters: how do we keep it from happening.

And a CYA defense, even a winning one, does not undo anything.

“We had strict policies. We only authorized safe tools.” That sentence may well reduce a legal judgment. It does not unpublish the false, reputation-damaging post the agent already sent. It does not restore the production database, and the backups, that an agent deleted while following an untrained employee’s improvised workaround. The damage is done, and it stays done, no matter how cleanly the fault gets assigned.

The policy’s other uses are the same story. Defending the suit, counseling the employee, terminating the employee: all of it is firefighting. It manages blame. It does not prevent the fire, and it does not put it out. And notice who the policy’s only real teeth land on. An employee, often punished for routing around a bind the organization itself made untenable.

This is worse with agents than with anything before them. An agent acts at machine speed, on operations that have no undo. By the time fault can be assigned, the damage is already total. After the fact arrives too late to be a remedy.

To be precise, because this matters: the acceptable-use policy is necessary. It sets expectations and creates the basis for consequences. It is simply the wrong tool for preventing harm, and it must never be mistaken for one.

If paper cannot undo the damage, then the missing piece is not more paper.

Lead With Enablement, Not Lockdown

Step back and look at the shape of the entire traditional playbook.

Lockdown, the acceptable-use policy, and even training are all things you do before the moment of use. The CYA defense is what you reach for after. The playbook covers before and after. It has almost nothing for during, the moment the prompt is typed, and nothing for harm that cannot be taken back.

That is the gap. And closing it starts with a different idea of what you are trying to do.

Stop treating restriction as the strategy, and stop treating your people as the risk to be contained. Capable, trained, trusted people working in the open are the safety mechanism. They are the only thing that scales with a technology you cannot fence in.

Here is what actually belongs in the mix:

  • Enablement and training, as the lead investment. Not the afterthought. An untrained person with a blocked tool is the real hazard. A trained person with a capable tool is the goal. This is what responsible AI adoption actually takes, and most organizations have it inverted, pouring effort into controls and almost none into capability.
  • A sanctioned path that is actually fast. Scarcity and delay are what send people to build their own. If approving a connector takes weeks, and runs through reviewers who are not themselves AI experts, you have built the exact bottleneck that creates shadow tooling. The sanctioned path has to be one of two things, and ideally both: a fast review run by people who actually know this technology, or trust in the vetted catalogs that vendors like Anthropic and OpenAI already maintain. A slow gate staffed by non-experts is not a control. It is a detour sign pointing straight at the workaround.
  • The runtime half the old playbook is missing. Visibility into what your agents and people are actually doing. Detection and response, because prevention will leak and you need to catch things in motion. And containment by design, so what leaks cannot be catastrophic: scoped credentials, approval gates on irreversible actions, backups an agent cannot reach. That last item is the real answer to the database that cannot be restored.
  • A culture of transparency over punishment. People have to feel safe saying “I had the assistant build this” instead of hiding it. A punishment-first culture turns every workaround into a secret, and your visibility is only ever as good as your people’s willingness to be seen. That, not the lockdown, is the real cure for shadow AI.
  • Controls and the acceptable-use policy, kept in proportion. They still belong here, as modest guardrails. Not as the plan.
  • A standing process, not a one-time review. The capability surface changes monthly. The one-hour review that blesses a list of tools and calls it finished is itself a failure mode.
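The "containment by design" bullet above names three concrete mechanisms: scoped credentials, approval gates on irreversible actions, and resources an agent cannot reach. The following is an added example, not code from the post or from any vendor, of a small policy gateway sitting between an agent and a hypothetical mail connector; the tool names, scope names and `approve` callback are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Constructed catalogue for a hypothetical mail connector. Each tool declares
# the credential scope it needs and whether its effect can be undone.
# Anything not listed here (for example a backup-restore tool) is simply not
# callable through this gateway, which is how "backups an agent cannot reach"
# is enforced: absence from the catalogue, not a blocklist entry.
TOOLS: Dict[str, dict] = {
    "list_messages":  {"scope": "mail.read",  "irreversible": False},
    "draft_reply":    {"scope": "mail.write", "irreversible": False},
    "send_message":   {"scope": "mail.send",  "irreversible": True},
    "delete_message": {"scope": "mail.write", "irreversible": True},
}


@dataclass
class Decision:
    tool: str
    allowed: bool
    reason: str


@dataclass
class AgentGateway:
    # Scopes actually minted for this agent's credential (assumed format).
    granted_scopes: Set[str]
    # Human approval callback for irreversible actions; returns True to proceed.
    approve: Callable[[str, dict], bool]
    # Every decision, allowed or not, is recorded for runtime visibility.
    audit: List[Decision] = field(default_factory=list)

    def call(self, tool: str, args: dict) -> Decision:
        spec = TOOLS.get(tool)
        if spec is None:
            decision = Decision(tool, False, "unknown tool")
        elif spec["scope"] not in self.granted_scopes:
            # Least privilege: a credential that lacks the scope cannot be
            # "worked around" by the agent choosing a different tool.
            decision = Decision(tool, False, f"missing scope {spec['scope']}")
        elif spec["irreversible"] and not self.approve(tool, args):
            # Approval gate: irreversible effects wait for a human, in the
            # moment, rather than being reconstructed in a post-mortem.
            decision = Decision(tool, False, "irreversible action not approved")
        else:
            decision = Decision(tool, True, "ok")
        self.audit.append(decision)
        return decision


if __name__ == "__main__":
    # Read/write-only credential and an approver that declines everything.
    gw = AgentGateway({"mail.read", "mail.write"}, approve=lambda t, a: False)
    for name, args in [("list_messages", {}), ("send_message", {"to": "a@b"}),
                       ("delete_message", {"id": "42"}), ("restore_backup", {})]:
        d = gw.call(name, args)
        print(f"{d.tool:15} allowed={d.allowed!s:5} {d.reason}")
```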

Tools change fast. Principles endure. The principle here is disciplined adoption and human judgment. Lockdown is a tooling reflex wearing the costume of a principle.

The Real Choice

None of this is an argument for no governance. It is an argument against AI governance that leads with restriction and calls it a strategy.

The organizations that win the next few years will not be the ones with the most locked-down environment. They will be the ones whose people were trusted, trained, and equipped to use these tools fully and well, in the open, where the organization can actually see and support them.

The most dangerous thing in your environment is not a capability your team never approved. It is a workforce you pushed into the dark, holding tools nobody ever taught them to use.

[Illustration: AI governance as a heavily fortified door standing alone with no wall, while streams of light flow freely around it.]
