AI tools and data leakage.
AI tools are powerful — and not as private as people assume. What you paste into them can be stored, logged, or used to train the model.
AI tools like ChatGPT, Claude, Copilot, and Gemini are powerful — and not nearly as private as most people assume. Anything you paste into an AI tool could be stored, logged, reviewed by employees at the provider, or even used to train future versions of the model. For a business, that's a significant data-leakage risk that nobody talks about enough.
What "confidential" looks like to an AI tool
Free-tier AI tools generally keep your prompts and may use them for training. Business-tier versions (ChatGPT Enterprise, Copilot for Microsoft 365, Claude for Work) contractually don't train on your data — but only when you're using the right tier, signed into the right account. Employees pasting into the free version of a public AI tool is where the leakage happens, every day, at businesses that don't realize it.
Real leakages we've seen
“A small firm's HR manager pasted an entire company roster with salary data into a free AI tool to "summarize pay band trends."”
Red flag: The tool stored the prompt. HR data — including real names and salaries — sat in a third-party system with no visibility or recourse.
“A developer pasted production API keys and code into a free AI tool while troubleshooting.”
Red flag: The keys were in the prompt history. The tool had been compromised a month earlier and prompts were leaked. Keys had to be rotated across production.
The simple rule
Before you paste into an AI tool, ask: "is this confidential?" If yes — don't. Or use a business-tier version you've vetted. Or de-identify the data before pasting. Treat AI like an email to a stranger you've never met.
We help set up safe AI at work.
We deploy business-tier AI — Copilot, ChatGPT Enterprise — with policies and training so your team gets the value without the leak. Ask us.
- 1Write a one-paragraph AI usage policy this month — what tools are approved, what data is off-limits.
- 2Provide business-tier AI accounts so employees don't need to use free versions.
- 3Train staff: anything confidential, regulated, or client-specific does not go into AI without approval.
- 4Audit AI tool usage quarterly — it's surprisingly easy to see via OAuth logs.
- 5For regulated industries (HIPAA, finance), specifically document AI handling as part of your compliance program.
Want help securing your business?
Schedule a quick security review with our team. 15 minutes, no sales pressure — walk away knowing exactly where your gaps are.
Schedule a quick security reviewKeep reading
Microsoft 365 settings every business should turn on.
Microsoft 365 ships with insecure defaults. Five settings take under an hour and shut the door on the most common cloud attacks.
ReadTip #18 · Cloud & SaaSShadow IT is hurting your business.
Every month, employees sign up for tools you don't know about. Shadow IT leaks data, breaks compliance, and multiplies your attack surface.
Read