Move fast, don’t leak things: The new enterprise AI mandate
There’s electricity in the air. Teams are spinning up copilots, wiring model context protocols and connectors to knowledge bases, and putting AI into every workflow. That energy is a gift—until someone drags a finance share, a legal folder, or a customer export into an LLM and the headlines write themselves.
The truth: non‑technical builders are now one click away from exfiltration. The difference between breakthrough and breach is no longer just model choice; it’s disciplined data handling around the model.
Here’s a pragmatic playbook to keep confidential information truly confidential while you scale AI.
1. Treat prompts like production
Anything you paste into a prompt is data leaving its origin. Apply the same rules you would to code deploys or customer exports: approvals, logging, and review.
Turn off data retention for third‑party models by default. Never allow “use your data to improve our service.”
2. Classify and gate before you connect
Label data sources (Public, Internal, Confidential, Restricted) and bake those labels into connectors.
Use least‑privilege, read‑only service accounts for AI apps; never connect with human superuser credentials.
3. Build two firewalls: data-in and data-out
Inbound: DLP and PII/PHI redaction on everything headed into the model. Strip secrets, tokens, and IDs unless explicitly required.
Outbound: Response filters for sensitive terms, document fingerprints, canary tokens, and policy checks before content is shown or sent.
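The two firewalls above, as an added example that is not part of the original article. The detector regexes, the sensitive-term list and the `CUST-` identifier format are constructed for illustration (a real deployment would put a DLP engine behind the same interface); the outbound side shows all three mechanisms the text names: term filters, canary tokens, and document fingerprints built from hashed word shingles.

```python
import hashlib
import re
import secrets

# Constructed detector patterns for this example. A production deployment
# would use a real DLP engine; these regexes only show the shape of the check.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "api_key": re.compile(r"\b(?:sk|AKIA)[A-Za-z0-9_-]{16,}\b"),
    "customer_id": re.compile(r"\bCUST-\d{6}\b"),  # hypothetical internal ID format
}

# Constructed list of terms that must never appear in a model response.
SENSITIVE_TERMS = ("project falcon", "merger")


def redact_inbound(text, allow=frozenset()):
    """Inbound firewall: replace secrets/PII with typed placeholders before the
    prompt leaves. `allow` names categories the use case explicitly requires."""
    counts = {}
    for name, pattern in PATTERNS.items():
        if name in allow:
            continue
        text, n = pattern.subn(f"[{name.upper()}_REDACTED]", text)
        if n:
            counts[name] = n
    return text, counts


def make_canary():
    """A unique marker planted in a document; seeing it in a response proves
    the model surfaced content it should not have."""
    return "CANARY-" + secrets.token_hex(8)


def fingerprint(text, k=5):
    """Word-shingle fingerprint: the set of hashed k-word windows in a document."""
    words = re.findall(r"\w+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(max(len(words) - k + 1, 0))
    }


def check_outbound(response, canaries, fingerprints, overlap_threshold=3):
    """Outbound firewall: return the policy violations found in a response.
    `fingerprints` maps document id -> fingerprint(document_text)."""
    violations = []
    lowered = response.lower()
    for term in SENSITIVE_TERMS:
        if term in lowered:
            violations.append(f"sensitive_term:{term}")
    for canary in canaries:
        if canary in response:
            violations.append(f"canary:{canary}")
    resp_shingles = fingerprint(response)
    for doc_id, doc_shingles in fingerprints.items():
        if len(resp_shingles & doc_shingles) >= overlap_threshold:
            violations.append(f"fingerprint:{doc_id}")
    for name, pattern in PATTERNS.items():
        if pattern.search(response):
            violations.append(f"pii:{name}")
    return violations


if __name__ == "__main__":
    prompt = "Summarise: contact jane@example.com, SSN 123-45-6789, key sk-live_0123456789abcdef"
    print(redact_inbound(prompt))
    canary = make_canary()
    minutes = "The board approved the acquisition of Acme at a price of ten dollars per share. " + canary
    registry = {"board-minutes": fingerprint(minutes)}
    print(check_outbound("The board approved the acquisition of Acme at a price. " + canary, {canary}, registry))
```

The inbound side returns the per-category counts so the gateway can log what was stripped without logging the values themselves; the outbound side returns every violation rather than the first one, so a blocked response produces a complete audit record.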
4. Enforce access at retrieval time, not just at index time
If you use RAG, apply attribute‑based access control per query. The model should only “see” what the user is allowed to see at that moment.
Shard vector stores by sensitivity; don’t mix customer contracts and public FAQs in one index.
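Retrieval-time access control over a sensitivity-sharded store, as an added example that is not part of the original article. It also shows the four labels from point 2 baked into the store. The corpus, users, regions and group names are constructed; bag-of-words cosine stands in for an embedding search so the example runs without any vector database. The point to notice is that `permitted` reads the user's attributes at query time, so a revoked group membership takes effect on the next query rather than at the next re-index.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Sensitivity labels in ascending order; used to choose shards and to compare clearance.
LEVELS = {"Public": 0, "Internal": 1, "Confidential": 2, "Restricted": 3}


@dataclass
class Doc:
    doc_id: str
    text: str
    label: str        # one of LEVELS
    region: str       # region the data must not leave
    groups: set       # groups entitled to read it (ignored for Public)


@dataclass
class User:
    user_id: str
    clearance: str    # highest label the user may read
    region: str
    groups: set       # current group memberships, looked up per query


def tokens(text):
    return re.findall(r"\w+", text.lower())


def cosine(a, b):
    """Cosine similarity of two bag-of-words Counters (stand-in for an embedding search)."""
    dot = sum(a[t] * b[t] for t in a if t in b)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def permitted(user, doc):
    """Attribute-based check evaluated at query time with the user's current attributes."""
    if LEVELS[doc.label] > LEVELS[user.clearance]:
        return False
    if doc.region != user.region:
        return False
    return doc.label == "Public" or bool(user.groups & doc.groups)


class ShardedStore:
    """One index per sensitivity label: a query never touches shards above the user's clearance."""

    def __init__(self):
        self.shards = {label: [] for label in LEVELS}

    def add(self, doc):
        self.shards[doc.label].append((doc, Counter(tokens(doc.text))))

    def retrieve(self, user, query, k=3):
        q = Counter(tokens(query))
        scored = []
        for label, level in LEVELS.items():
            if level > LEVELS[user.clearance]:
                continue                       # shard is out of reach for this user
            for doc, vec in self.shards[label]:
                if not permitted(user, doc):   # per-document ABAC, per query
                    continue
                score = cosine(q, vec)
                if score > 0:
                    scored.append((score, doc))
        scored.sort(key=lambda pair: -pair[0])
        return [doc for _, doc in scored[:k]]


def build_store():
    """Constructed sample corpus: one document per label, two regions."""
    store = ShardedStore()
    store.add(Doc("faq-1", "How do I reset my password? Use the self-service portal.", "Public", "eu", set()))
    store.add(Doc("acme-msa", "Acme master services contract renewal terms and pricing.", "Confidential", "eu", {"legal", "sales"}))
    store.add(Doc("globex-msa", "Globex contract pricing schedule.", "Confidential", "us", {"sales"}))
    store.add(Doc("pay-bands", "Employee salary bands for this year.", "Restricted", "eu", {"hr"}))
    return store


if __name__ == "__main__":
    store = build_store()
    alice = User("alice", "Confidential", "eu", {"sales"})
    print([d.doc_id for d in store.retrieve(alice, "contract pricing")])
```

Sharding means the clearance check prunes whole indexes before any similarity scoring happens; the per-document check then applies the finer attributes (region, group) to whatever survives.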
5. Prefer private by design
For highly sensitive use cases, run models in your VPC or on-prem with your KMS. For external APIs, use enterprise contracts, regionalization, and customer-managed keys.
Minimize data: send features, not full records, and summaries rather than source files.
6. Make policy code, not a PDF
Encode rules like “Legal docs never leave region X” or “No customer identifiers in prompts” directly into middleware.
Maintain allowlists for tools, connectors, and model versions; block everything else.
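Policy as middleware code rather than as a document, as an added example that is not part of the original article. The two rules quoted in the text ("Legal docs never leave region X", "No customer identifiers in prompts") and the three allowlists (tools, connectors, model versions) are each one small function; the allowlist contents, region names, the `CUST-` identifier format and the model name are constructed placeholders.

```python
import re
from dataclasses import dataclass


@dataclass
class Request:
    user: str
    prompt: str
    doc_labels: set      # classification tags on the documents in scope, e.g. {"legal"}
    source_region: str   # region the documents live in
    model_region: str    # region the model endpoint runs in
    model: str
    connector: str
    tool: str = ""       # empty when no tool call is requested


# Constructed allowlists; in practice these come from the AI risk register / change control.
ALLOWED_MODELS = {"acme-llm-v2@2024-05"}
ALLOWED_CONNECTORS = {"wiki-public", "crm-readonly", "legal-vault"}
ALLOWED_TOOLS = {"search_kb", "create_ticket"}
CUSTOMER_ID = re.compile(r"\bCUST-\d{6}\b")   # hypothetical customer identifier format


# Each rule returns a human-readable reason when it denies, or None when it passes.
def rule_legal_stays_in_region(req):
    if "legal" in req.doc_labels and req.model_region != req.source_region:
        return f"legal documents may not leave region {req.source_region}"


def rule_no_customer_ids(req):
    if CUSTOMER_ID.search(req.prompt):
        return "customer identifiers are not allowed in prompts"


def rule_model_allowlisted(req):
    if req.model not in ALLOWED_MODELS:
        return f"model {req.model} is not on the allowlist"


def rule_connector_allowlisted(req):
    if req.connector not in ALLOWED_CONNECTORS:
        return f"connector {req.connector} is not on the allowlist"


def rule_tool_allowlisted(req):
    if req.tool and req.tool not in ALLOWED_TOOLS:
        return f"tool {req.tool} is not on the allowlist"


RULES = [rule_legal_stays_in_region, rule_no_customer_ids, rule_model_allowlisted,
         rule_connector_allowlisted, rule_tool_allowlisted]


def evaluate(req):
    """Run every rule; deny if any fires, returning all reasons so the caller can log them."""
    reasons = [r for r in (rule(req) for rule in RULES) if r]
    return (not reasons, reasons)


def guarded_call(req, model_fn):
    """Middleware wrapper: the model is invoked only when policy allows."""
    allowed, reasons = evaluate(req)
    if not allowed:
        return {"status": "denied", "reasons": reasons}
    return {"status": "ok", "response": model_fn(req.prompt)}


if __name__ == "__main__":
    req = Request("alice", "Summarise the renewal terms", {"legal"}, "eu", "us",
                  "acme-llm-v2@2024-05", "legal-vault", "search_kb")
    print(guarded_call(req, lambda p: "(model output)"))
```

Default-deny falls out of the allowlist rules: anything not explicitly listed is refused, and adding a new connector or model version is a reviewed change to a set rather than an edit to a PDF.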
7. Train humans and machines
Give non‑tech builders a 30‑minute “AI safety 101”: what not to paste, how to mask, when to escalate.
Red team prompts: test prompt injection, data exfil tricks, and tool abuse before launch, not after.
8. Observe everything
Centralize audit logs for prompts, retrieved documents, tool calls, and responses. Tie every event to a user, a purpose, and a data source.
Set real alerts: unusual volume from a connector, cross‑region pulls, excessive high‑sensitivity hits.
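The three alerts named above run over a handful of audit events, as an added example that is not part of the original article. The JSON-lines events, the field names, the users and the thresholds are all constructed; a real pipeline would use per-connector baselines rather than one fixed limit. A fourth check flags any event that is not tied to a user, a purpose and a data source, since an untagged event cannot be attributed later.

```python
import json
from collections import Counter

# Constructed audit events (JSON lines). Every event should carry user, purpose and data source.
SAMPLE_LOG = """
{"ts":"2024-06-01T09:00:01Z","event":"retrieve","user":"bob","user_region":"eu","purpose":"support-summaries","connector":"crm-readonly","doc_id":"c1","label":"Internal","doc_region":"eu"}
{"ts":"2024-06-01T09:00:02Z","event":"retrieve","user":"bob","user_region":"eu","purpose":"support-summaries","connector":"crm-readonly","doc_id":"c2","label":"Internal","doc_region":"eu"}
{"ts":"2024-06-01T09:01:00Z","event":"retrieve","user":"alice","user_region":"eu","purpose":"contract-review","connector":"legal-vault","doc_id":"l1","label":"Confidential","doc_region":"eu"}
{"ts":"2024-06-01T09:01:05Z","event":"retrieve","user":"alice","user_region":"eu","purpose":"contract-review","connector":"legal-vault","doc_id":"l2","label":"Restricted","doc_region":"eu"}
{"ts":"2024-06-01T09:01:09Z","event":"retrieve","user":"alice","user_region":"eu","purpose":"contract-review","connector":"legal-vault","doc_id":"l3","label":"Restricted","doc_region":"eu"}
{"ts":"2024-06-01T09:02:00Z","event":"retrieve","user":"carol","user_region":"eu","purpose":"analytics","connector":"hr-export","doc_id":"h1","label":"Restricted","doc_region":"us"}
{"ts":"2024-06-01T09:03:00Z","event":"retrieve","user":"dave","user_region":"eu","purpose":"faq-bot","connector":"wiki-public","doc_id":"w1","label":"Public","doc_region":"eu"}
{"ts":"2024-06-01T09:03:01Z","event":"retrieve","user":"dave","user_region":"eu","purpose":"faq-bot","connector":"wiki-public","doc_id":"w2","label":"Public","doc_region":"eu"}
{"ts":"2024-06-01T09:03:02Z","event":"retrieve","user":"dave","user_region":"eu","purpose":"faq-bot","connector":"wiki-public","doc_id":"w3","label":"Public","doc_region":"eu"}
{"ts":"2024-06-01T09:03:03Z","event":"retrieve","user":"dave","user_region":"eu","purpose":"faq-bot","connector":"wiki-public","doc_id":"w4","label":"Public","doc_region":"eu"}
{"ts":"2024-06-01T09:04:00Z","event":"tool_call","user":"dave","user_region":"eu","tool":"create_ticket"}
"""

# Constructed thresholds for the window covered by the sample; tune per connector in practice.
VOLUME_LIMIT = 3            # retrievals per connector
HIGH_SENSITIVITY_LIMIT = 2  # Confidential/Restricted hits per user
HIGH = {"Confidential", "Restricted"}


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def untagged(event):
    """Fields an event must carry to be attributable: user, purpose, and its data source."""
    source_key = "connector" if event["event"] == "retrieve" else "tool"
    return [k for k in ("user", "purpose", source_key) if not event.get(k)]


def detect(events):
    """Return (kind, subject, detail) alerts for the three conditions in the text plus untagged events."""
    alerts = []
    retrievals = [e for e in events if e["event"] == "retrieve"]
    for connector, n in Counter(e["connector"] for e in retrievals).items():
        if n > VOLUME_LIMIT:
            alerts.append(("connector_volume", connector, f"{n} retrievals > {VOLUME_LIMIT}"))
    for e in retrievals:
        if e["doc_region"] != e["user_region"]:
            alerts.append(("cross_region", e["user"],
                           f"{e['doc_id']} from {e['doc_region']} pulled into {e['user_region']}"))
    for user, n in Counter(e["user"] for e in retrievals if e["label"] in HIGH).items():
        if n > HIGH_SENSITIVITY_LIMIT:
            alerts.append(("high_sensitivity", user, f"{n} high-sensitivity hits > {HIGH_SENSITIVITY_LIMIT}"))
    for e in events:
        missing = untagged(e)
        if missing:
            alerts.append(("untagged_event", e.get("user", "?"), "missing " + ", ".join(missing)))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Each alert names the subject (a connector or a user) and the evidence, which is what an on-call responder needs to pivot back into the full audit trail.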
9. Separate sandboxes from prod
Prototype with synthetic or scrubbed data. Promotion to production requires a security checklist and sign‑off.
Time‑box access tokens and rotate keys frequently.
10. Govern like you mean it
Stand up an AI risk register and a simple approval path for new use cases.
Map controls to frameworks your auditors already trust (ISO 27001, SOC 2, GDPR, HIPAA where relevant).
The upside of enterprise AI is massive. The cost of a single leak is larger. Win on both fronts by making “confidential by default” your standard: smallest necessary data, shortest possible path, strongest verifiable controls. Build fast—but wrap every model call in the same discipline you’d wrap around money.