How to protect sensitive data when using AI assistants

Matt Eustace, Aiimi DPO and Head of Solutions Engineering, explains why urgent action is required to prevent sensitive information from appearing in AI outputs where it doesn't belong.

 AI assistants or copilots can supercharge productivity, but they also introduce new risks if given access to all enterprise data. To safely scale these tools, organisations must learn how to protect data when using AI assistants by implementing robust data governance and automated sensitive data classification.

The Risks of Sensitive Data Exposure in AI Copilots

The use of AI systems is higher than ever among business leaders and knowledge workers. More than 75% of leaders and managers say they use generative AI several times a week, according to BCG research. The data loss risks of edge AI and shadow AI – where users adopt third-party AI tools that aren’t sanctioned by their organisation – are clear to see. But leaders can’t overlook the risks of their internally approved AI assistants either.

 These AI tools access corporate systems and synthesise information at scale, meaning that unclassified, ungoverned information can risk sensitive data exposure from one area of the business to another. Enterprise-scale Generative AI assistants boost our productivity precisely because they uncover and bring together data that an individual user may never have found. But it’s a double-edged sword.

Even a single occurrence of sensitive data exposure can lead to:

• Compliance violations

• Customer trust issues

• Legal and financial damage

• Intellectual property loss

• Reputational damage

Real-World Examples of Data at Risk

Every organisation and industry has its own specific sensitive data sources, each with different risks associated – like employee and customer data, financial data, and corporate or client IP. When teams use AI copilots with enterprise access, this sensitive data can find its way into areas of the organisation you least expect.

Some common examples of sensitive data exposure include:

Sensitive Personnel Information & PII: It can be human nature to seek out information we know isn’t ours to see – and AI makes it easy to ask the question. Personally Identifiable Information (PII) that’s not well governed can be inadvertently surfaced, leading to severe privacy breaches and harm to individual well-being.

Customer & User Data Risks: Generative AI tools often bring together data from multiple sources to provide an answer, meaning disparate sensitive data with poor permissions may be combined to expose significant insight into vulnerable individuals or protected groups.

Client Confidentiality & Ethical Walls: Professional services organisations, like legal and audit firms, must restrict the exchange of confidential information between teams to avoid conflicts of interest, maintain regulatory compliance, and keep client trust. Unchecked corporate AI tools accessing data across systems present a significant risk to this.

Businesses need the benefits of daily AI-powered productivity, without taking a gamble on leaking their most sensitive data. If trust is broken when AI copilots get rolled out, it can be costly to rebuild it both inside and outside your organisation.

Assessing the risk of AI copilots - Key governance pitfalls

Before scaling an AI assistant across your corporate systems, you must audit your data landscape. Many organisations fail to protect sensitive data when using AI assistants because they fall into these common traps:

• Dark Data Blindness: Not knowing what sensitive data exists within the estate.

• Permissions Overexposure: Having poor visibility into who can access unstructured data or where it lives.

• Static Governance: Reviewing data risk at a single point in time rather than using dynamic, real-time monitoring.

• Over-reliance on Users: Assuming employees will automatically know what not to upload to external AI tools, without labels to guide them.

• Lack of Prompt Monitoring: Failing to track whether employees are asking sensitive questions or including sensitive information in their AI prompts.

As well as keeping sensitive information safe, organisations are also missing out on making valuable data available to AI copilots, because it’s not labelled and can’t be surfaced – either by employees or AI tools.

Why sensitive data classification at source is critical for AI security

Unlike human coworkers, AI won’t inherently understand “this information should be private” – unless you ask it to check. If data isn’t labelled as sensitive and managed appropriately, it’s fair game for an AI assistant to use it to generate answers.

The problem is that sensitive data lives everywhere; customer records, financials, internal strategy documents, employee information. It’s often unstructured in PDFs, chat logs, spreadsheets, presentations, and emails, and scattered across countless systems.

Some data and documents might be labelled as sensitive by tools within existing systems, others might have been classified by users during previous information governance efforts – but labels aren’t consistent and complete, and governance isn’t dynamic as your data estate grows and changes. At enterprise scale, it’s just too much to manage manually.

This lack of consistency in classifying sensitive data is a huge problem. You need to ensure you protect sensitive data when using AI assistants that connect straight to your systems and work with stored information.

“With AI operating at enterprise scale, your data governance efforts need to level up, too. If you want to pursue AI-powered productivity, it’s no longer enough to rely on individuals to spot files containing sensitive data and label them appropriately.”

 — Matt Eustace, Aiimi DPO & Head of Solutions Engineering

 Suddenly the risk of sensitive data that’s buried in files increases exponentially as AI copilots gain access to it. As a result, data governance tools for unstructured data have never been more important.

What’s needed: A unified approach to unstructured data governance for AI

 As AI usage rockets, the market for software solutions that can identify sensitive data across the enterprise and help you remediate it is converging.

 Data leaders need to prioritise accuracy, speed, and scale, to find and fix data risk within large, complex sources. Look for AI data governance tools that can deliver the following core capabilities to improve your information governance and protect sensitive data as you scale AI adoption.

3 Essential AI Data Governance Tools for Security

To move from risk to remediation, data leaders need a unified approach to unstructured data governance. Look for tools that provide the following three core capabilities:

1. Automated Data Discovery

 You can’t protect what you can’t see. High-quality data governance software scans across your storage systems, email, collaboration tools, and cloud apps to identify sensitive content in situ – no matter the format. This ensures all data is indexed and classified where it lives, without moving it to external servers.

The more granular and automated (usually leveraging AI and Machine Learning) these data classification capabilities, the better for accuracy, detailed understanding of data in context, and minimal false positives.

2. Data Security Posture Management (DSPM)

DSPM acts as a security dashboard for your information. It visualises where your data lives, how it is classified, and most importantly, who has access. Look for DSPM tools with visualisation and reporting capabilities that show you where your biggest sensitive data risks are.

Even better, tools that can both classify and remediate data at source – setting new access permissions, moving, or even deleting data that’s no longer needed. This will help you take rapid action to stop AI from accessing poorly labelled sensitive data.

 3. Universal Labelling to support DLP

Traditional Data Loss Prevention (DLP) focuses on networks and endpoints. Tools that can identify sensitive data at scale, and remediate its risk, can support your entire DLP effort.

To stop unauthorised employees from accessing data via AI copilots, focus on finding and labelling sensitive information. This way, you can apply rules to secure it and prevent unauthorised access. This helps prevent the leakage or exposure of sensitive data while allowing legitimate AI use. Look for tools that can label sensitive data for AI. These tools should work well with your tech stack. This includes options like Google Cloud, Microsoft Purview, or others.

The bottom line: protect your enterprise data while scaling AI

If you want to use AI safely, at scale, you’ll need a unified data governance approach that can:

• Classify unstructured data

• Identify what’s sensitive and what’s safe

• Work dynamically to keep sensitivity labels up to date, across all relevant sources

• Label sensitive data for AI to access in-situ, without the risk of moving it

• Take action to move or change permissions to prevent data loss through AI

This approach enables you to unlock the value of secure AI copilots without putting your business, customers, or reputation at risk. 

Get your data house in order now, and you’ll roll out AI assistants with confidence. Learn more about Aiimi’s unstructured AI data governance tools.