AI tools are now part of everyday work: drafting emails, summarising contracts, analysing spreadsheets, rewriting proposals, generating code, and making sense of messy notes. The problem is that many teams are using them faster than the business has agreed what can safely be shared.

32% of businesses share sensitive data with AI tools without knowing where it goes. That does not mean every AI tool is unsafe. It means the risk is usually not the model itself — it is the gap between what staff are doing and what the business has checked, approved, and documented.

The Question Staff Rarely Ask

When someone pastes data into an AI tool, four things matter:

Most staff are not trying to create risk. They are trying to get work done. If the business does not give them an approved route, they will improvise.

What Major AI Tools Usually Promise

The broad pattern across major AI providers is this: business and enterprise plans generally give stronger privacy commitments than free or consumer accounts. They may offer admin controls, contractual terms, data processing agreements, retention settings, audit logs, and assurances that customer prompts are not used to train models by default.

Higher Risk
Personal Accounts
Free or individual accounts are easy to adopt, but they are usually outside company control. The business may not know who is using them, what has been uploaded, whether chat history is enabled, or whether data-sharing settings have been changed.
Use for: public information, learning, generic drafting, and non-sensitive experimentation.
Lower Risk
Business Plans
Business tiers for tools such as ChatGPT, Claude, Gemini for Workspace, and Microsoft 365 Copilot typically provide stronger terms, admin controls, and clearer treatment of workspace data.
Use for: approved business workflows, with settings reviewed and documented.

Even then, "not used for training by default" is not the same as "not stored anywhere" or "safe for every category of data." Retention, logging, integrations, workspace sharing, and third-party plugins still matter.

The GDPR Problem With US-Based AI

If your business handles personal data, GDPR does not disappear because a tool is clever. A prompt containing a customer name, health detail, employee issue, contract clause, support ticket, or email thread can be personal data. If that data goes into an AI provider, you need to understand the lawful basis, the processor/controller relationship, where processing happens, what safeguards apply, and whether the use matches what your privacy notices and customer contracts allow.

For US-based AI services, the question is not simply "is it in America?" The practical question is: do you have a proper business agreement, a data processing addendum, international transfer safeguards where required, and a reason to put that data into the tool at all?

The safest AI data is the data you do not upload. Strip names, account numbers, addresses, commercial terms, credentials, health details, HR details, and client-identifying context before using AI unless the tool has been approved for that category of data.

A Practical Staff Policy

You do not need a 40-page AI policy to make this safer. You need one page that staff can understand and managers can enforce.

Green: allowed

Amber: ask first

Red: do not upload

What To Check This Week

The first step is visibility. You need to know which AI tools are already in use, not just which ones IT approved.

The Bottom Line

AI is not going away, and banning it rarely works. People will use the tools that make their work easier. The business decision is whether that happens invisibly through personal accounts, or visibly through approved tools, clear rules, and settings you control.

If you do nothing else, do this: pick the approved AI tools, write down what data can and cannot go into them, and make sure staff know the difference between public, confidential, and personal data. That alone closes a surprisingly large gap.


Track Threats That Match Your Stack

Faradome Dash helps you see live security issues matched to the tools your business actually uses, including common AI platforms and workplace apps.

Open Faradome Dash → Talk to Us