AI tools are now part of everyday work: drafting emails, summarising contracts, analysing spreadsheets, rewriting proposals, generating code, and making sense of messy notes. The problem is that many teams are using them faster than the business has agreed what can safely be shared.
32% of businesses share sensitive data with AI tools without knowing where it goes. That does not mean every AI tool is unsafe. It means the risk is usually not the model itself — it is the gap between what staff are doing and what the business has checked, approved, and documented.
The Question Staff Rarely Ask
When someone pastes data into an AI tool, four things matter:
- Is the data used to train future models? Consumer tools and business tools often have different defaults.
- How long is the data retained? Some products keep chat history, logs, or abuse-monitoring records unless an admin changes the setting.
- Where is the data processed? Many major AI providers are US-based or use global infrastructure, which matters for GDPR and contracts.
- Who inside your organisation can see it later? Shared workspaces, custom bots, browser extensions, and connected apps can widen access quietly.
Most staff are not trying to create risk. They are trying to get work done. If the business does not give them an approved route, they will improvise.
What Major AI Tools Usually Promise
The broad pattern across major AI providers is this: business and enterprise plans generally give stronger privacy commitments than free or consumer accounts. They may offer admin controls, contractual terms, data processing agreements, retention settings, audit logs, and assurances that customer prompts are not used to train models by default.
Even then, "not used for training by default" is not the same as "not stored anywhere" or "safe for every category of data." Retention, logging, integrations, workspace sharing, and third-party plugins still matter.
The GDPR Problem With US-Based AI
If your business handles personal data, GDPR does not disappear because a tool is clever. A prompt containing a customer name, health detail, employee issue, contract clause, support ticket, or email thread can be personal data. If that data goes into an AI provider, you need to understand the lawful basis, the processor/controller relationship, where processing happens, what safeguards apply, and whether the use matches what your privacy notices and customer contracts allow.
For US-based AI services, the question is not simply "is it in America?" The practical question is: do you have a proper business agreement, a data processing addendum, international transfer safeguards where required, and a reason to put that data into the tool at all?
The safest AI data is the data you do not upload. Strip names, account numbers, addresses, commercial terms, credentials, health details, HR details, and client-identifying context before using AI unless the tool has been approved for that category of data.
A Practical Staff Policy
You do not need a 40-page AI policy to make this safer. You need one page that staff can understand and managers can enforce.
Green: allowed
- Public information already on your website or in published material.
- Generic drafting, rewriting, formatting, brainstorming, and summarising where no sensitive data is included.
- Code examples or formulas that do not include API keys, passwords, client data, or proprietary logic.
- Approved business AI tools using company accounts and company settings.
Amber: ask first
- Client documents, contracts, proposals, tickets, or meeting notes after identifying details have been removed.
- Financial data, forecasts, pricing, supplier information, or internal strategy.
- Using plugins, browser extensions, custom GPTs, connected drives, or tools that can access company systems.
- Uploading files rather than pasting short extracts.
Red: do not upload
- Passwords, API keys, private keys, recovery codes, or authentication tokens.
- Personal data you would not be comfortable emailing to an unknown third party.
- Health, HR, legal, disciplinary, customer complaint, or special-category data.
- Unredacted client contracts, unreleased financials, acquisition plans, or regulated information.
What To Check This Week
The first step is visibility. You need to know which AI tools are already in use, not just which ones IT approved.
- Ask every team what they use. Include personal ChatGPT accounts, Claude, Gemini, Copilot, Perplexity, browser extensions, note-takers, meeting bots, and AI features inside SaaS tools.
- Choose approved tools. Decide which AI tools are permitted for business data and which are only allowed for public or non-sensitive work.
- Check admin settings. Review training controls, chat history, retention, workspace sharing, connected apps, plugins, and audit logs.
- Update your privacy documentation. If AI tools process personal data, make sure your internal records and external notices reflect reality.
- Train staff with examples. A redacted invoice example is more useful than a vague warning about "confidential information."
The Bottom Line
AI is not going away, and banning it rarely works. People will use the tools that make their work easier. The business decision is whether that happens invisibly through personal accounts, or visibly through approved tools, clear rules, and settings you control.
If you do nothing else, do this: pick the approved AI tools, write down what data can and cannot go into them, and make sure staff know the difference between public, confidential, and personal data. That alone closes a surprisingly large gap.
Track Threats That Match Your Stack
Faradome Dash helps you see live security issues matched to the tools your business actually uses, including common AI platforms and workplace apps.
Open Faradome Dash → Talk to Us