You finally got your team using AI every day? Great. Get ready for the lawsuits.
You're driving (mandating?) your teams to use AI every day. Good. Directionally you can't not use AI. The companies that are waiting on the sidelines will regret it.
But somewhere between "we need to use AI anywhere we can" and today, something happened that nobody assigned an owner to: your confidential data started leaving the building. Shipped out the door by your own people. Daily.
If there's no governance layer over all of it — Claude, ChatGPT, Gemini, Grok, any of them — you're asking to be sued. Especially if you're in a regulated industry. Or your customers are. Or both. But this isn't just for regulated industries. This affects every company using AI. Including yours.
Sound hyperbolic? Maybe. Doesn't make it wrong.
AI is the power. AI is also the risk.
AI is the biggest fundamental shift in technology since the personal computer and the internet because it democratizes building. Anyone with the patience to give it a go and iterate can build almost anything. That's the power.
It's also the risk. You're making sure no one can hack in — while your own people ship data out. If your people research contracts with AI, or draft emails and strategy off customer data, then somewhere in your org, someone has already put confidential data — covered by a contract, an NDA, a privilege — into a model. Not out of malice. They're not trying to hack you. They are trying to get good work done at the speed of AI.
What's actually happening
Marketing pastes a customer list into a chatbot to "clean it up." Sales feeds three years of deal notes in to draft a plan. Legal — yes, legal — runs a counterparty's contract through an AI to flag the risky clauses. Nobody filed a ticket. Nobody asked. And half of them are on a personal login, because it's faster than the tool you approved.
That's the part that should keep you up at night. It's not the system you bought. It's the dozen you didn't.
And this isn't a hunch. In an Okta survey fielded in March 2026, 52% of knowledge workers admitted to using AI tools their company never approved — among American workers, two-thirds. Meanwhile, 90% of executives said they're confident they can see the AI tools their people use. Both can't be right. In a 48,000-person study across 47 countries, KPMG and the University of Melbourne found 48% of employees admit they've uploaded sensitive company information to public AI tools. As of March 2024, Cyberhaven's telemetry showed 82.8% of legal documents employees put into AI tools went through personal accounts. By its 2026 report, the average employee was putting sensitive data into an AI tool once every three days.
Every three days. Per employee. How would you even know?
It's been happening since the beginning
In early 2023, Samsung engineers leaked internal source code by uploading it into ChatGPT — an incident Samsung itself acknowledged in an internal memo reviewed by Bloomberg. Samsung's response was to temporarily ban generative AI on company devices entirely.
That was three years ago. The tools got better. The habit got exponentially worse.
And now there's case law
This February, a federal judge in Manhattan ruled on a question of first impression: a defendant's conversations with a consumer AI chatbot were not protected by attorney-client privilege. Not because of anything unusual he did — because the platform's own privacy policy meant there was no reasonable expectation of confidentiality. The court went further: even if privileged material went in, sharing it with the AI platform waived the privilege "just as if he had shared it with any other third party." (U.S. v. Heppner, S.D.N.Y., Feb. 2026.)
Read that from the other side of the table: what your people paste into a consumer chatbot may be neither confidential nor privileged.
One detail worth sitting with. The court expressly left open how this plays out for enterprise deployments with real data controls. That's the whole game. It was never about which AI. It's whose account it's on, and what sits around it.
You're already forming the objection: "We're on the enterprise plan — our data isn't trained on." Maybe. For the one tool that is operating on that platform and its data, under that corporate account and plan.
But here's the thing — AI governance was never only about the vendor's training policy. It's that you can't name which tools your people use, whose accounts they're on, or what left the building in the last three days. Your enterprise contract doesn't cover the personal ChatGPT tab, or the Claude Code session running in a terminal in the next window.
And those other windows aren't free. IBM's 2025 Cost of a Data Breach report put the US average at a record $10.22 million — and organizations with heavy shadow-AI use ate an average $670,000 more per breach than those with little or none. Of the breached organizations IBM studied, 63% had no AI governance policy at all.
What's actually at stake
This isn't theoretical, and it isn't about getting hacked. It's the quiet stuff:
- A confidentiality clause breached the moment regulated data left your control.
- Privilege waived because "summarize this" handed protected material to a third party — exactly what Heppner ruled, above.
- In a regulated business, a reportable event you never even saw — because there was no log, no audit trail, nobody watching.
You have specialists guarding the front door. You have nobody watching the back.
The fix is knowing what's being done with AI — by whom, on what data, on which accounts
The fix isn't banning AI. Samsung tried — the restriction was explicitly temporary, and they lifted it. Your best people would route around a ban by Friday, and it would cost you more than the risk. The fix is a governance layer over every team touching AI. Simpler than the stack your CISO already runs. Three moves.
Find out what's actually in use.
Every tool, every account, every personal login. Almost no one has done this, and the real inventory is always longer than leadership guesses. You can't govern what you can't see — so you start here.
Match the rules to your real obligations.
Which classes of data can touch which tools — tied to the contracts, NDAs, and regulations you're genuinely bound by. Not a template you downloaded. The actual obligations you signed.
Make it visible and owned.
One accountable owner. A way to see what's happening before it shows up in discovery. Guardrails your team can move fast inside of — reviewed as the tools, and your exposure, keep changing.
None of that slows the build down. It's what lets you floor it — because you finally know where the guardrails are, and who's blasting through them.
This needs to live at the CEO level
AI is being used by every team in every group and functional area at your company. This isn't an Operations problem. This isn't a Finance problem. This isn't (just) an IT problem. This is a governance layer that needs to sit above all of them.
Build fast. Trust, but verify at the highest level.
Find out what's walking out the door.
The AI Exposure Check is six questions and about five minutes — a straight read on where your confidential and regulated data is leaking through everyday AI use, and the first move to make this week. Free. No sales call. If you're fine, we'll tell you that too.
run the free exposure check →