AI in the Workplace: What's Safe to Use and What's Not
AI tools are everywhere — ChatGPT, Copilot, Claude, Gemini. But not all of them are safe for business use. Here's what your team needs to know before sharing company data with an AI.
Your employees are already using AI — whether you've approved it or not. ChatGPT, Claude, Google Gemini, and Microsoft Copilot have become standard productivity tools for drafting emails, summarizing documents, writing code, and brainstorming. The question isn't whether your business will use AI. It's whether you're using it safely.
The stakes are real. Confidential client data, internal financials, proprietary processes — these things have already been inadvertently shared with AI providers by employees who didn't realize their prompts were being used to train models or stored on external servers.
The Core Risk: Where Does Your Data Go?
When an employee pastes a client contract into ChatGPT to get a summary, that text leaves your network and goes to OpenAI's servers. Depending on the service tier and settings:
- The conversation may be stored and reviewed by humans for safety purposes
- The data may be used to improve the model
- It may be retained for a period of time even after deletion
For most AI tools, the free consumer tiers have the least data protection. Enterprise tiers (ChatGPT Enterprise, Microsoft Copilot for M365) offer data processing agreements, no training on your data, and tenant isolation — but they cost significantly more.
What's Generally Safe
Low-risk AI use cases (no sensitive data involved):
- Drafting generic marketing copy or email templates
- Summarizing publicly available information
- Brainstorming ideas with no proprietary context
- Writing or debugging code that doesn't contain credentials or proprietary logic
- Generating images for social media or presentations
What Requires Caution
Medium-risk use cases (use enterprise/approved tools only):
- Summarizing internal documents, meeting notes, or reports
- Drafting communications that reference client names or situations
- Analyzing spreadsheets with financial or operational data
- Writing code for internal systems or APIs
For these use cases, Microsoft Copilot for M365 is often the right choice if you're already in the Microsoft ecosystem — your data stays within your Microsoft tenant and is covered by your existing compliance agreements.
What to Avoid Entirely
High-risk use cases (do not use consumer AI tools for these):
- Uploading client contracts, NDAs, or legal documents
- Sharing personally identifiable information (PII) — names, emails, SSNs, health info
- Pasting database credentials, API keys, or passwords
- Inputting patient health information (automatic HIPAA violation risk)
- Sharing anything covered by NDA with any third-party AI
Building an AI Acceptable Use Policy
Every business using AI needs a written policy. At minimum, it should cover:
- Approved tools — List the specific AI tools employees are allowed to use
- Data classification — Define what data can and can't be shared with AI systems
- Disclosure requirements — Define when AI-generated content must be disclosed (client deliverables, reports, etc.)
- Verification requirement — AI output must be reviewed by a human before use in any professional context
The Right Approach: Controlled Adoption
The goal isn't to ban AI — that battle is already lost. The goal is controlled adoption: harness the productivity gains while protecting client data, maintaining compliance, and managing risk.
The businesses that get this right will have a significant competitive advantage. Those that ignore it will face data breaches, compliance violations, and client trust issues down the road.
Want help building an AI policy for your business or evaluating enterprise AI tools? Reach out to our team — this is something we help clients navigate every week.