Home/Knowledge Base/Knowledge Worker Playbooks/K-08

K-08K-Series · Foundation

Protecting Confidential Information When Using AI

Every other AI mistake can be fixed with an apology and a correction. This one can’t. Once confidential information goes into a tool your organisation hasn’t approved for it, you cannot get it back — and you may never know where it went. This card gives you the red lines, the questions to ask before you paste, and the habits that make safety automatic rather than effortful.

Why this matters

AI tools feel like private scratchpads — a chat box, just you and the cursor. They aren’t. Depending on the tool and its terms, what you enter may be retained, reviewed or used in ways you can’t see. Organisations approve specific tools for specific data precisely because those guarantees vary enormously. The person who pastes a salary spreadsheet into a random free tool isn’t malicious; they’re in a hurry. The red lines exist for exactly that moment.

The red lines

These never go into an AI tool your organisation hasn’t explicitly approved for that class of data:

  • Salary, HR and performance information
  • Board papers and anything commercially sensitive
  • Client and customer data
  • Personal information about any identifiable person
  • Legal matters, disputes and anything privileged
  • Passwords, security details and system configurations

Notice the phrasing: it’s not ‘never use AI on these’. It’s ‘never use an unapproved tool on these’. If your organisation provides an approved assistant covered by proper agreements, that’s a different conversation — one your IT and privacy people have already had for you.

Three questions before you paste

  1. Is this tool approved for this data? Not ‘approved generally’ — approved for this sensitivity level.
  2. Could this text identify a person or expose a decision? Read it as an outsider would.
  3. Would I be comfortable if this exact text appeared somewhere unexpected? If the thought tightens your stomach, stop.

The habits that make it easy

Assume anything you paste may be retained. De-identify by default — ‘an employee’, not the name — when the identity isn’t essential to the task. And when in doubt, don’t: ask what’s approved instead. The five minutes that question costs is the cheapest insurance in your career. If you don’t know your organisation’s answer, that’s your first task tomorrow, not after something leaks.

Putting it into practice

  1. Find out today which AI tools your organisation has approved, and for what data
  2. Print or save the red lines list where you work
  3. De-identify by default in every prompt this week
  4. Before pasting anything borderline, run the three questions
  5. If no guidance exists at your workplace, ask for it — in writing

Key takeaways

  • Confidentiality is the unrecoverable AI mistake — prevention is the only cure
  • Six red lines never enter unapproved tools: HR, board, client, personal, legal, security
  • Approved tools exist precisely because retention guarantees vary between products
  • De-identify by default; assume anything pasted may be retained
  • When in doubt, don’t paste — ask what’s approved
What Next?

You've read the article. Now what?

Pick the one that fits right now — a 5-minute fix, the full answer library, or the complete system.

Free · Takes 2 Minutes

Start Here — Free

12 tips that change how you think about SharePoint for good. No fluff, no theory — just what actually works.

Get My Free Guide →
Free · 207 Answers

Got a Different Question?

Search 207 step-by-step cards for whatever's actually stuck right now. Plain English, no jargon.

Find My Answer →
Buy Once · From $19

Ready to Fix It Properly?

Skip the trial and error. Get the complete toolkit and stop patching the same problem every month.

Shop the Hub →

Not ready for any of that? Get one useful email a week instead. Join the free newsletter →