Monday, July 6, 2026

News

Half of Polish Officials Use AI Secretly Ahead of August AI Act Deadline

PolicyPatryk RabaJuly 6, 2026

A study by Fundacja Miasto and the Związek Miast Polskich (Union of Polish Cities) finds that one in two officials uses tools like ChatGPT or Copilot without their superiors' knowledge, while only 8 percent of local governments have any rules governing such use. Time is short - AI Act requirements for high-risk systems take effect on August 2, 2026.

Contents
  1. The Scale of Informal Use
  2. Legal Risk for Public Offices
  3. Cities Watch but Don't Act
  4. The AI Act Clock Is Ticking

Every other official in Polish local governments uses AI tools such as ChatGPT, Copilot, or Claude on their own, without their employer's knowledge or oversight. That is the finding of a study by the Fundacja Miasto (City Foundation) and the Związek Miast Polskich (Union of Polish Cities), which describes a phenomenon called Shadow AI - the undisclosed, unregulated use of artificial intelligence within public institutions. The problem is growing just as the EU's AI Act is about to become fully applicable, with little more than a month left.

The study, reported by Prawo.pl, was based on a survey of Związek Miast Polskich members. The conclusions are clear - officials turn to commercial chatbots to speed up drafting documents, summarizing files, or searching for information, doing so without any institutional oversight. Only 27.5 percent of local governments have formally deployed AI solutions, though actual use of artificial intelligence in the daily work of public offices is far more widespread.

The Scale of Informal Use

The data show that only 8 percent of the surveyed local governments have any written rules on employees' use of AI. About 20 percent of units are working on artificial intelligence deployment strategies, but as many as 60 percent have not addressed the topic in their strategic documents at all. More than half, 52 percent, cite concerns about data security as the main barrier to formal implementation.

Where AI has entered official use, it most often supports document automation and back-office processes - 63 percent of local governments report this. AI also appears in city and tourism promotion, as well as in security, monitoring, and traffic management systems.

The most obvious risk is a breach of personal data protection through entering information about citizens into public AI tools as part of a query (prompt) - Paweł Dymek, legal counsel, Głowacki i Wspólnicy law firm

Dymek points out that the consequences of informal AI use fall not on the employee but on the institution. As he stresses, it is the office - meaning the State Treasury or the local government unit - that is liable to the injured party. That means a single official's mistake in entering a citizen's data into a public chatbot could end up making the entire institution liable for damages.

The lawyer adds that if an office decides to use a specific AI system, it must ensure it is used in accordance with the manufacturer's instructions, implementing appropriate technical and organizational measures. The lack of such safeguards, combined with employees informally using tools like ChatGPT or Copilot, creates a liability gap that is hard to close after the fact.

Cities Watch but Don't Act

Cities do not ban this practice, but they also aren't actively building strategies to support their employees - Adam Mikołajczyk, sustainable city marketing expert, Fundacja Miasto

Mikołajczyk describes a situation in which local governments tolerate informal AI use but do not invest in training, security policies, or infrastructure that would allow this use to move onto legal, controlled ground. The result is a gray zone - officials use the tools because they speed up their work, but do so outside any institutional control.

A few exceptions show it can be done differently. Gdynia is testing PLLuM, a Polish language model developed under national AI projects, to support searches of citizen data and document creation, while simultaneously preparing compliance documentation ahead of the EU requirements taking effect in August 2026.

The AI Act Clock Is Ticking

Time pressure is real. The obligation to ensure employees have adequate knowledge of AI systems, so-called AI competence, formally took effect on February 2, 2026, but many public institutions have not implemented it. From August 2, 2026, significantly stricter requirements for high-risk systems take effect, covering, among other things, some applications in public administration.

Penalties for violations involving prohibited AI practices, such as uncontrolled profiling of citizens or mass facial recognition, can reach 35 million euros or 7 percent of an organization's global annual turnover. For local governments funded from the public budget, that is still a secondary threat compared with the risk of liability for damages toward residents that Dymek describes.

A similar problem affects the private sector. Polish companies also often assume that obligations under the AI Act will only start applying once a national law implementing the regulation is passed, whereas the EU rules apply directly, regardless of the state of legislative work in the Sejm (the lower house of Poland's parliament). Lawyers warn that some prohibited practices, including employee emotion recognition and social scoring, are already in force.

The next month and a half will be critical for Polish public offices. Institutions that fail to inventory the AI tools in use, fail to introduce security policies, and fail to train employees before August 2 will enter the new legal regime with an open gap between what employees actually do and what the office officially oversees.

Sources: Prawo.pl (prawo.pl), Rzeczpospolita (rp.pl)

Share: