Before You Put Company Data Into an AI Tool
A one-hour working session that produces a data boundary your whole team can actually follow.
Most businesses discover their data boundary the same way: after something has already crossed it. Someone pastes a customer list into a chat window to “clean it up,” and only then does the question get asked — was that okay?
This guide runs the question in the other direction. In one hour, you and the people who actually own the risk write down the boundary before the incident, in language your team uses, short enough to be remembered without being looked up.
Why this is a high-risk topic
Data that leaves your business through an AI tool may be retained, logged, or used in ways the tool’s marketing page does not lead with. Some of it — customer records, employee information, anything under contractual confidentiality — can create legal exposure the moment it crosses the boundary, regardless of whether harm follows.
The session
Step one — inventory the reality (15 minutes). List every AI tool actually in use, including personal accounts. The unofficial list is the one that matters; the official list is usually fiction with a budget line.
Step two — sort your data, not the tools (20 minutes). Build three columns in your own words: fine (already public or harmless), ask first (internal but negotiable), never (customer PII, employee records, anything under NDA, credentials, financials you would not show a competitor). Argue about the middle column; the edges are usually obvious.
Step three — write the one page (15 minutes). The boundary must fit on a single page and pass one test: a new hire can apply it without asking anyone.
Step four — decide the exception path (10 minutes). Someone will need to cross the boundary for a legitimate reason within a month. Decide now who they ask and how long an answer takes, or the boundary will be quietly abandoned the first time it is inconvenient.
What this guide does not do
It does not evaluate specific vendors, and it does not replace legal review for regulated data. It produces the artifact your legal review will wish you already had.