Safety, Risk & Governance

AI data security & privacy

Q: Does the AI vendor train on your data?

This is the first question for any AI vendor. If yes, your proprietary information may surface in responses to other users. Enterprise agreements typically include no-training clauses — verify this is in your contract.

Q: Is customer information sent to a third-party API?

Every API call with customer data creates a data processing relationship with a third party. Map your data flows — which tools receive customer data, where it is processed, and what the handling policy states.

Q: Are conversations stored?

Stored conversations create a searchable archive of potentially sensitive information. Understand retention policies, access controls, and deletion capabilities for every AI tool your team uses.

By Mark Ziler · Last updated 2026-04-05

When you use AI tools, your data goes somewhere — and understanding where is critical. Does the AI vendor train on your data? Is customer information sent to a third-party API? Are conversations stored? For any business handling sensitive information — patient records, financial data, employee information — you need clear answers to these questions before connecting AI to your systems. The default assumption should be: verify the data handling policy before you share anything sensitive.

Go deeper

Your office manager signed up for an AI transcription service to save time on meeting notes. Great productivity win — until you realize last Tuesday's leadership meeting discussed a pending acquisition, employee performance issues, and a client's confidential financial data. All of that audio was uploaded to a third-party server. The transcription service's terms of service say they 'may use uploaded content to improve their models.' Your confidential business strategy is now training data for a product anyone can use.

The trap most companies fall into is evaluating AI tools on capability alone — 'does it transcribe accurately?' — without evaluating data handling. Every AI tool your team uses is a data pipeline. The question isn't just 'what can it do?' but 'where does our data go, who can see it, and what happens to it after?' If your team is adopting AI tools without IT review, you probably already have data exposure you don't know about.

Questions to ask

Do we have an inventory of every AI tool our employees are using, including free trials and personal accounts used for work?
For each AI vendor, do we know their data retention policy, their training data policy, and whether they offer a zero-retention option?
Have we classified which categories of business data should never be processed by external AI tools?