The concept of insider risk is that we don't trust the employees, because you can't trust everyone, due to a combination of apathy and potentially malicious activity. Blocking non approved generative AI systems, as well as governing and monitoring the use of approved systems, isn't just good security best practices; it can also be required as part of compliance (depending on your regulatory obligations, if any).
83% of orgs reported at least one insider attack in the last year [1], and insiders are responsible for ~18% of security incidents [2].
[1] https://go1.gurucul.com/2024-insider-threat-report
[2] https://www.verizon.com/business/resources/reports/dbir/