The AI Policy Your Business Needs Before Someone Pastes Client Data into ChatGPT
Without a clear AI policy, a confidential-data incident isn’t a risk — it’s a matter of time. The fix is a one-page document most businesses could write this week, and the discipline to actually use it.
Here’s a scenario playing out in businesses everywhere. A capable, well-meaning employee is under pressure. They have a long, sensitive document — a client file, a contract, a set of management accounts — and a public AI tool that could summarise it in seconds. There’s no rule telling them not to. So they paste it in.
No malice, no recklessness — just the predictable result of useful technology meeting an absence of guidance.
Why this is now urgent, not theoretical
AI is genuinely useful, so people will use it. The most damaging exposure isn’t exotic; it is the ordinary paste of sensitive text into a public tool by someone trying to do their job well.
The more regulated or confidential your work, the sharper the exposure. The material your business most needs to protect is exactly the material your people are most tempted to hand to AI.
What the policy actually needs to say
- Which tools are approved. Name them. “Use these; don’t use random tools you found online.”
- What you may put in. General, non-sensitive internal material, defined clearly.
- What you must never put in. Client data, personal data, financial details, and anything confidential or regulated.
- Prompt and data hygiene. Strip identifying details, use redacted extracts, and never paste what you would never email externally.
- Human review. Consequential AI output gets checked by a person before it is used.
- Who to ask. A named owner for grey-area questions.
That is a page. Most businesses could draft it this week — and it would prevent the majority of realistic incidents.
The mindset shift: prompting is governance
An AI policy isn’t really an IT document. It is a governance document. How your people interact with AI — what they put in, what they trust, what they check — is now part of how your business handles confidentiality, risk and accountability.
The leadership question
If an employee pasted a confidential client document into a public AI tool tomorrow, have we given them a clear, written reason not to — and would we even know they had?
A one-page policy checklist
- Which AI tools staff are allowed to use
- What kinds of information they may put in
- What they must never put in, with concrete examples
- That important outputs must be checked by a human
- Who to ask when unsure
What to do next
Write the one page this week, name an owner, and circulate it before you do anything more ambitious with AI. Sophistication can come later; the red lines cannot wait.
In closing
You don’t need a perfect governance regime to be safer. You need a clear page that stops the predictable mistake — and the discipline to make it real.
If you’d like a practical, plain-English AI policy template and help tailoring it to your business, Savant and Axulu can provide that first concrete step.