There’s a question near the bottom of the cyber liability renewal questionnaire now. It shows up on the vendor compliance surveys too. Do you have a formal, written AI usage policy?

I help clients fill these out. And more than once now, I’ve watched a CFO get to that question and write the same thing.

N/A. We prohibit AI use.

She believes it. That’s the part worth sitting with. She doesn’t use AI herself, the firm sent around a memo saying employees aren’t to use it, and so as far as she can see, the question doesn’t apply. We don’t do the thing, therefore we don’t need a policy for the thing. Clean. Next question.

Here is what I can’t say to her while she’s writing it.

We remote into her people’s machines all day. Somebody has a Dropbox sync problem, somebody’s Outlook won’t open, and we connect in to fix it. It is a rare day that I connect to someone’s screen and there isn’t a Claude or a ChatGPT tab open next to whatever they were doing. Not hidden. Just open, the way a calculator is open. The prohibition didn’t stop the work. It just moved the work somewhere nobody’s looking.

So when the form says “N/A, we prohibit it,” the honest answer is that the firm has an AI policy the way a town with a sign that says NO SWIMMING has a water safety program. The sign is real. The swimming is also real. They are not related.

I want to be careful here, because the easy version of this story is that the CFO is clueless, and that’s not it. She’s not clueless. She’s calibrated.

Think about what these questionnaires have trained all of us to do. Do you have a password policy? Is it written and documented? Do you have an onboarding policy? Everyone has a password policy, written down or not. Everyone has an onboarding policy — ours is called Indevtech: a person starts, we set up their access; a person leaves, we take it away. That’s the policy. The form doesn’t want to know whether the thing is real. It wants to know whether there’s a document. After enough years of answering questions that are really just asking “did you generate the paperwork,” you stop reading them as questions about your business and start reading them as a toll. Check the box. Make the deadline. Move on.

And the people who try to do better get punished for it. Answer one of these honestly — no, not formally, but here’s what we actually do and why it covers the risk — and the reviewer comes back and tells you to just answer yes. They don’t want the context. The context is extra work for them. So you learn. You stop explaining. You give them the box they’re asking for and you save your real attention for things that aren’t theater.

That reflex is rational. It is also exactly why the AI question slips through.

Because that one isn’t theater. The password question mostly protects the underwriter — it’s there so somebody can point at a form after a breach. The AI question is different. The gap between “we prohibit it” and “it’s open on half the screens in the building” is not a paperwork gap. It’s real exposure, sitting inside the firm right now, and the firm has formally told its insurer the exposure does not exist. That’s not a missing document. That’s a signed statement that’s wrong, made in good faith, by someone who had no way to know.

Here’s why I get to say any of this, and it’s the uncomfortable part. We are the only ones in the building who can see the whole picture. The employee with Claude open doesn’t see what management is promising the insurer. Management doesn’t see what’s open on the screens. We see both. That’s the job. And the reason you can trust us with that view is that we don’t do anything with it — our technicians keep a straight face, what’s on your screen stays on your screen, and we are not, and will never be, the people who walk into the CFO’s office to report what we saw on the second monitor. The discretion is the whole relationship. Nobody would call us for help if calling us meant getting written up.

But that same discretion is why the form never gets corrected. The one party who can see the gap is the one party professionally bound not to mention it. So it doesn’t get mentioned. It goes on the form as N/A and onto the list of things to handle one of these quarters, and everybody moves on, and the gap just sits there.

I’ll tell you when this got real for me. It’s the vCIO conversations — the ones where I’m across the table from the C-suite and the renewal is due Friday and the AI question is sitting there unanswered. They know. Of course they know; they’ve seen their own people. The question on the table isn’t really “do your people use AI.” It’s “what do we write on the form.”

And for the first time in twenty-five years of doing this, I didn’t have a good answer to give them.

I couldn’t tell them to stop, because the memo already tried that and it didn’t work. I couldn’t draft them a real policy by Friday, because a real one takes longer than a week and anything I could produce by Friday would be its own kind of theater. I couldn’t tell them to write yes and figure it out later. And I genuinely couldn’t tell them to write the honest no and just see what the underwriter did with it, because I’ve watched what underwriters do with an honest no.

It’s the only time I can remember, in twenty-five years, that I didn’t feel like I was being a very effective consultant. I knew exactly what was wrong and I had nothing useful to hand them.

That bothered me enough that we did something about it. We built a practice for it — somewhere a firm can go to turn “N/A, we prohibit it” into an actual answer, on a timeline that isn’t a panic the week the renewal is due. We’re calling it TechFuelAI. I’ll write more about what it is another time.

For now I just want to say the thing I can’t say across the table.

The question isn’t theater. You already know the answer. The only thing left to decide is whether you find that out on your own schedule, or on the underwriter’s.

☕   🌅   🐕‍🦺