ChatGPT, Copilot, Gemini and Claude are already open on your team’s screens — helping write emails, clean up spreadsheets, and answer questions. That’s a good thing. The risk isn’t AI itself; it’s the moment someone pastes the wrong thing into a free, public tool without thinking. A customer list “just to clean it up.” A contract “to summarize.” No bad intent — just no rule to follow. This is that rule.
The 5-second check.
🔴 STOP — never paste.
Customer or employee personal data, passwords, keys and logins, financials that aren’t public, source code, contracts and legal documents, health records, and anything covered by an NDA. These don’t go into a public AI tool, full stop.
🟡 PAUSE — strip and check.
Internal documents, strategy, client names, unpublished numbers. Remove the identifying details first — or use an approved company AI account (a paid Team/Enterprise plan that doesn’t train on your data), never a personal free login.
🟢 GO — you’re good.
Public information, general how-to questions, your own draft writing, and brainstorming with no confidential specifics attached.
Why “free” tools are the risky part.
Free and personal AI accounts often store and train on what you type. That means the sensitive thing you pasted can persist somewhere you don’t control — and occasionally surface in ways you didn’t intend. Paid business tiers usually let you turn that off and sign agreements about how your data is handled. The fix is rarely “ban AI” — it’s “use the right account for the sensitive stuff.”
Make it stick.
Print the poster and put it where people work. Adopt the one-page policy so the expectation is written down, not assumed. Both are free below — no email required. (For teams that need to show “reasonable care” under frameworks like the NIST AI RMF or Colorado’s AI Act, a written, adopted policy is a sensible first step; adapt it with your counsel.)
