What do you do with my data when AI is involved?

Why the data question matters before AI goes live

When a client asks what you do with their data, they are not asking for a vague assurance that AI is safe. They need to know which data enters the workflow, which tool or vendor processes it, who can see it, whether it can be retained for training, and who is accountable for the final output.

The practical standard is simple: if the work involves client, employee, financial or regulated information, the AI workflow should be treated like a controlled business process, not an experiment.

The safest answer: purpose-limited use, clear ownership and evidence

You should use client data only for the agreed purpose, minimise what is shared with AI tools, block public-model training where possible, record vendor terms, and keep a review trail for anything client-facing. A named human owner should be able to explain what data was used, why it was allowed and what checks happened before the output left the firm.

Map your AI data risks before rollout

What should be documented for each AI workflow?

For every AI-enabled workflow, keep a short control record. It does not need to become a 40-page policy, but it must be specific enough for a manager, auditor or client to understand the risk.

• Data types: client files, personal data, financial records, privileged material, internal know-how or anonymised examples.
• Purpose: the business reason for using the data and the exact task the AI supports.
• Tool and vendor: the approved system, contract owner, data-processing terms and whether data is retained or used for training.
• Access: who can enter data, who can view outputs and who owns exceptions.
• Review: the human check required before the output reaches a client, customer, regulator or public channel.
• Evidence: logs, approvals, versions and decisions that prove the controls were followed.

How to answer clients without over-promising

A strong client-facing answer should be direct. Say that data is used only for the agreed service, that sensitive information is not placed into unapproved public tools, that vendor settings and contracts restrict retention and training where relevant, and that AI outputs are reviewed by a human before use.

Avoid absolute claims such as "AI never touches client data" unless that is genuinely true. Most risk comes from the gap between the written policy and what teams actually do under deadline pressure.

Keep AI governance evidence current

Controls that reduce data risk in day-to-day work

The strongest controls are close to the workflow. Give teams approved tools, standard prompts, clear red lines for confidential data, and a simple escalation route when a use case is uncertain. Then capture evidence automatically where possible instead of relying on people to update spreadsheets afterwards.

• Classify AI use cases by data sensitivity and client impact.
• Maintain an approved-tool list with training and retention settings.
• Use redaction or synthetic examples where full client data is not needed.
• Require named review for regulated, legal, financial or client-facing outputs.
• Log the prompt, source material, reviewer, version and final decision for higher-risk work.

What leaders should ask before approving an AI data workflow

Leaders do not need to inspect every prompt, but they do need evidence that the operating model works. Before approving a workflow, ask who owns the data risk, whether the vendor terms are acceptable, what happens when the model is wrong, and how the firm can prove the output was reviewed.

If those answers are unclear, the workflow is not ready for client or production use.

Turn AI data controls into working implementation