The AI Workforce Is Splitting Into Two Tiers. The Smaller One Is Where Your Risk Lives.

Help Net Security's May 2026 report on a global survey of 6,000 enterprise full-time employees finds a split most owners would rather not look at directly. 31% of employees who use AI at work get no employer-provided training. 22% are not given AI tools at all. The result is a two-tier workforce: a managed tier with training, tools, and policy, and a shadow tier doing the same work with none of those things. The two tiers sit inside the same firm, often on the same team, often working on the same client account.

What the two tiers actually look like

In a 20-person service firm, the managed tier might be the principal and two senior people. The firm pays for ChatGPT Plus or Claude Pro for them. They were shown how to use it for proposals and client emails. They know what data they can paste in and what they cannot.

The shadow tier is everyone else. A junior designer using a free ChatGPT account on her personal email. A project coordinator using whatever AI feature is built into the calendar app she already had. A bookkeeper using a free trial of an AI receipt scanner that may or may not be sending client data overseas. A senior person who got tired of the friction of the company tool and quietly opened a personal Claude account because it loads faster.

The shadow tier is not malicious. They are doing their jobs better. The Help Net Security data says one in three are doing it without any training the firm provided. One in five are doing it on tools the firm did not provide.

The firm's official AI governance, whatever the principal would say in a sales meeting, applies only to the managed tier. The shadow tier is operating outside it.

Why training alone does not close the AI training gap

The intuitive response to a 31% training gap is to schedule a training. Send everyone to an AI workshop. Run a quarterly enablement session. Buy a course.

The Help Net Security data implies, and field experience confirms, this does not work. Training without the other two pillars produces an enthusiastic shadow tier that now has more skill.

The other two pillars are tool access and policy. Without equal tool access, training people on AI is teaching them to use something they do not have. They will use whatever they can get to, which is a personal account on a free tier. Without policy, training people on AI is teaching them to use it without telling them what is allowed. They will infer the rules, mostly wrong, often more permissive than the firm would want.

Training works when the tools and the policy already exist. It is the third pillar, not the first.

What the small-firm version of "managed tier" looks like

Most service businesses cannot afford the enterprise version of AI workforce management. The Help Net Security frame still applies. The small-firm version of "moving everyone into the managed tier" is concrete and inexpensive.

One. Equal tool access across the team. If the principal has ChatGPT Plus, the project coordinator should too. The marginal cost is 240 dollars a year per person. The risk of having half the team on a personal account and half on a firm account is larger than that. We have written elsewhere that governed tool use is one of three pillars of agentic AI governance for firms in this size band.

Two. A one-page AI policy. Approved tools. Prohibited categories. Data rules. Exception path. The exception path matters more than the rest. People follow policies they can work with. They route around policies they cannot.

Three. A real training cadence, after one and two are in place. Not a one-time class. A standing thirty-minute monthly session: what we are using, what we are learning, what we are finding. The principal hosts. The team shares. The firm gets a learning cycle on AI without paying for a course.

The Help Net Security report describes this fix as an enterprise problem with an enterprise solution. For a 5 to 50 person firm, it is a quarterly checklist.

The hidden cost of leaving the shadow tier in place

Most small firms run with a shadow tier and do not see immediate consequences. The cost is real but lagging.

Client confidentiality. A junior team member pastes a client's full brief into a free ChatGPT account to summarize it. The data may or may not train the model. The client did not consent. The firm did not document it. In 2027, when a new enterprise client's procurement team asks for an AI vendor risk attestation, the firm cannot make one truthfully.

Brand voice. The managed tier writes client emails using the firm's templates and the firm's brand voice file. The shadow tier writes the same emails using a free chatbot with no context. The client experience drifts. The principal cannot diagnose the drift because they cannot see the inputs.

Skill development. The shadow tier is learning AI from chatbots, not from the firm's senior practitioners. The next generation of senior people in your firm is forming its AI habits without anyone teaching them what good looks like. This is the slowest cost and the most expensive one over time.

None of these is catastrophic in a given quarter. All of them compound.

Why this is a Radiant Work read, not just a security read

Help Net Security frames the two-tier problem as a security and compliance issue. It is. It is also an operations and growth issue.

The firms that move everyone to the managed tier are not just safer. They are faster. The marginal hire is productive sooner. The senior person's AI habits become the firm's AI habits. The shadow inventory disappears, which means the audit at the start of the next sprint takes less time.

The Radiant Work operations audit treats the shadow tier as a first-class input. The shadow AI inventory is one of the standard deliverables. Mapping who is using what and on what data, before recommending any agent build, is the work that makes the build hold. See how we work for the methodology.

What to do this week

Ask two questions one-on-one with your team:

1. Which AI tools are you currently using for work, including personal accounts?
2. What did you wish was approved that is not?

The answers are the real version of your shadow AI inventory and the real version of your tool procurement list. Most firms discover three to five tools they did not know about and one or two tools the team has wanted access to for months.

Approve what should be approved. Replace what should not. Pay for equal access across the team. Write the one-page policy.

A month later, run the same one-on-ones again. The shadow tier shrinks. The firm gets faster and safer at the same time.

What to do next

The two-tier workforce is not abstract. It is sitting on the teams in your firm right now. Closing the gap is a one-quarter project for a small firm and largely costs the cost of paying for tools the team is already using on personal accounts.

If you want a map of what your shadow tier currently looks like and what the managed-tier build would cost, schedule a conversation. The audit produces the inventory as part of the standard deliverable.