There has been a sharp and measurable shift in how Irish mid‑market executives view artificial intelligence: the proportion who described AI as “over‑rated” or mostly hype has collapsed, firms are moving rapidly to formalise generative‑AI rules for staff, yet anxiety about data privacy has never been higher — a paradox that will shape which Irish SMEs win and which stumble as AI moves from experiment to steady state. (irishexaminer.com)
Grant Thornton’s International Business Report (IBR) surveys roughly 10,000 mid‑market firms across dozens of economies and is a leading quarterly barometer of how business leaders see risk, investment and technology. Its Ireland slice has, in recent quarters, shown technology — and particularly AI — moving from a boardroom talking point to a line‑of‑business tool that management teams are trying to operationalise. Grant Thornton’s own Ireland pages and IBR materials note rising technology investment and a growing focus on AI projects. (grantthornton.ie, prod-emea.gtil-dxc.com)
At the same time, independent surveys and sector studies — from PwC’s GenAI and Digital Trust work to research produced with Trinity College and Microsoft — report similar dynamics in Irish companies: dramatically higher AI experimentation and adoption, more firms creating governance structures, and persistent, elevated concern about security and privacy when employees interact with generative AI. These outside datapoints confirm that the shift Grant Thornton flags is a national pattern, not a reporting anomaly. (pwc.ie, news.microsoft.com)
(Community and technical forums likewise show practitioners debating controls, DLP and shadow AI mitigation — a signal that the issue is front‑line, not only boardroom.)
The winners will be companies that treat AI governance as a strategic asset: investing in vendor due diligence, DLP, staff training and clear, scalable operating procedures. The losers will be those that assume a one‑off policy memo or a “tool rollout” without technical controls and ongoing measurement.
Source: Irish Examiner Number of Irish executives believing AI to be overrated is falling rapidly
Grant Thornton’s International Business Report (IBR) surveys roughly 10,000 mid‑market firms across dozens of economies and is a leading quarterly barometer of how business leaders see risk, investment and technology. Its Ireland slice has, in recent quarters, shown technology — and particularly AI — moving from a boardroom talking point to a line‑of‑business tool that management teams are trying to operationalise. Grant Thornton’s own Ireland pages and IBR materials note rising technology investment and a growing focus on AI projects. (grantthornton.ie, prod-emea.gtil-dxc.com)At the same time, independent surveys and sector studies — from PwC’s GenAI and Digital Trust work to research produced with Trinity College and Microsoft — report similar dynamics in Irish companies: dramatically higher AI experimentation and adoption, more firms creating governance structures, and persistent, elevated concern about security and privacy when employees interact with generative AI. These outside datapoints confirm that the shift Grant Thornton flags is a national pattern, not a reporting anomaly. (pwc.ie, news.microsoft.com)
What the latest figures say — and what they mean
A swift collapse in scepticism
- The Irish Examiner reported that the share of Irish executives calling AI “mostly hype” dropped from 45% to 23% in a six‑month window, based on the Grant Thornton IBR. That headline number captures a rapid move from caution and scepticism toward active experimentation and deployment. (irishexaminer.com)
Policies, training and governance rising fast
- The same reporting shows more firms now require staff to follow an AI‑usage policy for generative AI (examples include ChatGPT and similar tools). The Irish Examiner cites an increase from 37% to “more than half” in six months. That is consistent with other surveys showing governance activity accelerating as firms try to get ahead of the risks. (irishexaminer.com, pwc.ie)
The paradox — confidence vs. privacy fear
- While companies are getting better at spotting productive, day‑to‑day uses for AI (the IBR notes the share citing “difficulty determining productive uses” fell from about 48% to 22%), privacy jumped to the top barrier, cited by 58% of Irish executives, up from 35% six months earlier. In short: firms increasingly see practical value in AI, but are more anxious than ever about sensitive data being uploaded to third‑party models. (irishexaminer.com)
Why the shift happened so quickly
1. Rapid diffusion of usable models and vendor pushes
Lower‑friction access to capable LLMs, the spread of integrated workplace AI (for example, Microsoft‑branded copilots embedded into Microsoft 365), and vendor go‑to‑market pushes have moved AI from research labs to everyday tools. The Trinity/Microsoft analysis and industry press document big jumps in adoption rates year‑over‑year, particularly where vendor‑embedded AI is easy to switch on. (news.microsoft.com, pwc.ie)2. Measurable, early wins
Use cases with clear ROI — email triage, document summarisation, customer‑support drafting, and faster data analysis — mean teams can show short‑cycle productivity wins. Grant Thornton and other consultancies report that mid‑market firms are embedding tools into day‑to‑day operations precisely because those gains are tangible and visible to managers. (irishexaminer.com, grantthornton.com)3. Pressure to remain competitive
Irish firms competing with larger, international customers or suppliers have an incentive to adopt productivity tools quickly or risk falling behind. The IBR and sector studies both flag competitive pressure and technology investment intentions rising — AI is a central element of that spending. (prod-emea.gtil-dxc.com)4. A regulatory and reputational wake‑up call
The combination of EU regulatory attention (notably the EU AI Act) and high‑profile data incidents has pushed boards to treat governance as a priority. Many firms now see policy and training not as red tape but as a way to unlock scaled adoption without catastrophic risk. Surveys from PwC and others show the same pattern — governance ticks up once leaders accept AI is here to stay. (pwc.ie)What this means for Irish SMEs — strengths and opportunities
- Faster workflow automation: Irish SMEs can immediately benefit from automation of routine knowledge tasks — summarising contracts, generating customer replies, drafting standard reports — freeing human time for higher‑value work. This is repeatedly cited by Grant Thornton and PwC as one of the clearest short‑term returns. (irishexaminer.com, pwc.ie)
- Lower barrier to entry for advanced capabilities: Pre‑built APIs and SaaS copilots let smaller firms access language, image and data‑analysis models without large ML teams. Trinity/Microsoft research shows broad uptick in adoption rates where accessible offerings exist. (news.microsoft.com)
- Governance as a competitive differentiator: Firms building clear policies, training staff and embedding approved tools get two benefits: they reduce risk and they reduce the friction that keeps AI stuck in pilots. Grant Thornton explicitly points toward winners being those that treat governance and transparency as strategic. (irishexaminer.com)
The downside and material risks (what keeps CIOs up at night)
Data exfiltration and exposure
Employees uploading confidential client data, payroll records, or IP into public LLMs remains the single biggest operational hazard. Surveys show “shadow AI” (unsanctioned use of consumer LLMs) is common; PwC and other studies repeatedly rank cybersecurity and privacy as top concerns. The IBR‑reported rise in privacy concern (to 58%) tracks this reality. (pwc.ie, irishexaminer.com)Compliance complexity
The EU AI Act and sector privacy rules (GDPR) mean that careless use of third‑party models can create both reputational and legal exposure. SMEs that do not map data flows, maintain records of model use, or treat AI outputs as potentially personal data risk non‑compliance fines and contractual breaches. (pwc.ie, news.microsoft.com)Model reliability and “hallucinations”
Generative models can produce plausible‑sounding but incorrect outputs. When firms use AI for customer communications, legal drafting, or decisions that affect customers, hallucinations are a real business risk unless human review is baked into workflows. This is highlighted in multiple vendor and advisory studies. (grantthornton.com, pwc.ie)Skills and change management gaps
Many SMEs lack in‑house AI expertise. Even when leaders endorse AI, frontline staff need training on how to prompt, what data to share, and how to verify outputs; surveys repeatedly show governance lags training. PwC and EY surveys document this skills shortfall in Irish firms. (pwc.ie, ey.com)Shadow AI and inconsistent policy enforcement
Where policy exists on paper but is not enforced, “shadow AI” use continues — increasing the chance of leakage. Tech teams must combine policy with technical controls (DLP, sanctioned agent proxies) or trust gaps will persist. (pwc.ie)(Community and technical forums likewise show practitioners debating controls, DLP and shadow AI mitigation — a signal that the issue is front‑line, not only boardroom.)
Practical, pragmatic guidance for Irish SMEs (ten actionable steps)
- Create a clear, short AI‑usage policy and publish it to staff. Policy must state approved tools, forbidden data types, and escalation paths. Start with a 1‑page summary and a 2,000‑word operating guide.
- Identify and whitelist sanctioned AI tools (enterprise instances with contractual data protections). Block the rest at the network perimeter or with endpoint controls.
- Deploy Data Loss Prevention (DLP) rules that detect common sensitive tokens (IBAN, personal IDs, client codes) and block or quarantine uploads to cloud LLM services.
- Use data minimisation and redaction: never paste raw client data; instead, redact or summarise before prompting. Where possible, use synthetic or de‑identified examples for model‑training workflows.
- Require human‑in‑the‑loop sign‑off for outputs used externally or in regulated processes (legal text, financial disclosures, medical advice).
- Record and monitor AI use: maintain a register of AI models used, their vendors, data flows, and update cadence to meet audit needs under incoming regulation.
- Negotiate vendor SLAs that specify data handling, retention, model training opt‑out, and breach notification clauses. Prefer vendors who offer contractual commitments on non‑use of customer data for model training.
- Train employees on when to use AI and how to test outputs: short training modules, role‑specific cheat sheets, and internal “AI champions” who can advise peers.
- Run short, measurable pilots with defined KPIs (time saved, error reduction). Use a staged rollout before enterprise‑wide adoption. Grant Thornton and PwC both stress pilots and measurement as necessary to convert pilots into scaled wins. (grantthornton.com, pwc.ie)
- Prepare an incident response playbook for model‑related breaches or mis‑outputs: include communication templates for customers, regulators and employees.
Vendor selection checklist (what to ask suppliers)
- Does the vendor offer a contractual non‑use clause (no customer data used to further train public models)?
- What encryption and key‑management options are available (bring‑your‑own‑key preferred)?
- Where is data stored (data residency) and can you ensure EU/GDPR‑aligned processing?
- Are there audit logs and transparency tools showing prompts, inputs and outputs?
- Has the vendor completed independent security certifications (SOC 2, ISO 27001)?
- How are model updates handled and how will changes be communicated?
Piloting, measuring and scaling — a staged approach
- Select a bounded use case with measurable KPIs (e.g., customer support first‑response time, legal contract redaction time).
- Run a 6–8 week pilot with control cohorts (measure time saved, accuracy delta, user satisfaction).
- Assess security exposures: simulate potential data leakage and conduct a privacy impact assessment.
- Draft standard operating procedures that define human review thresholds and escalation rules.
- Scale iteratively — expand to adjacent teams only after governance, training and DLP controls are proven.
Policy essentials — what to include in your AI usage policy
- Purpose and scope: which tools/processes the policy covers.
- Approved and prohibited uses: concrete examples.
- Data handling rules: prohibited data classes (personal identifiers, client confidential data, source code, payroll).
- Vendor and procurement controls: who can sign vendor contracts and required clauses.
- Audit and logging expectations: record keeping for auditors/regulators.
- Training and certification: minimum training for staff that use AI.
- Enforcement and sanctions: what happens if rules are breached.
Where Irish SMEs should invest next (priorities)
- Governance foundation: policy, risk register, DPO alignment.
- Secure tooling: enterprise LLMs or private deployments with contractual data protections.
- Training and change management: role‑based training with clear playbooks for daily use.
- Measurement capability: dashboards that show business outcomes, not vanity metrics.
Critical assessment — strengths and blind spots in the current Irish response
Notable strengths
- Irish mid‑market firms are moving quickly from debate into practice, and that speed can produce early competitive advantage. Grant Thornton’s reporting — echoed by PwC and Trinity/Microsoft — shows clear growth in pilots and practical use‑case identification. (irishexaminer.com, news.microsoft.com)
- Many organisations are now writing policies and training staff; that operational focus is the most important single shift for converting hype into durable productivity gains. (irishexaminer.com)
Key blind spots / risks
- Overreliance on vendor claims: not all enterprise offerings come with equivalent contractual protections; reading the fine print on data usage clauses is essential. PwC and industry studies flag vendor due diligence as under‑resourced. (pwc.ie)
- Insufficient investment in technical controls: policies without DLP, identity and access control, or secure deployments will fail to stop shadow AI leaks. EY and PwC research both document that many firms have policies but lack enforcement mechanisms. (ey.com, pwc.ie)
- Auditability and reproducibility: few models are currently auditable; for regulated processes, organisations must treat AI outputs as provisional until the model and data provenance are demonstrably auditable. This is a broader industry challenge. (grantthornton.com)
Closing analysis and the strategic choice ahead
Ireland’s mid‑market sits at a crossroads: firms that combine pragmatic pilots with disciplined governance can capture meaningful productivity gains; those that prioritise speed without controls risk regulatory headaches, customer loss and data breaches. The IBR‑reported shift from 45% scepticism to 23% in six months — plus the rapid rise in formal policies and the concurrent spike in privacy concern to 58% — captures a single truth: Irish executives have decided AI is worth doing, but are far from complacent about how to do it safely. (irishexaminer.com, prod-emea.gtil-dxc.com)The winners will be companies that treat AI governance as a strategic asset: investing in vendor due diligence, DLP, staff training and clear, scalable operating procedures. The losers will be those that assume a one‑off policy memo or a “tool rollout” without technical controls and ongoing measurement.
Final takeaways — immediate checklist for business leaders
- Put a one‑page AI policy and an approved‑tools list on the intranet this week.
- Audit your top five use cases for privacy exposure and assign remediation owners.
- Deploy DLP and logging on endpoints used by knowledge workers.
- Run a 6–8 week pilot with measurable KPIs, and require human sign‑off for external outputs.
- Build vendor contracts that explicitly rule out use of your data for public model training.
Source: Irish Examiner Number of Irish executives believing AI to be overrated is falling rapidly