Preventing inadvertent data disclosure through AI
Most AI data leaks are not the work of attackers. They are well-meaning employees pasting the wrong text into the wrong tool, and well-configured tools doing exactly what they were told to do.
Headlines about AI data leaks tend to involve famous brand names and embarrassing quotes, but the incident shape is almost always the same. An employee with legitimate access to confidential material takes the fastest available route to a task — pasting a contract clause, a customer record, a code snippet or a strategy document into a chat interface. The interface logs it, the provider's terms permit retention or training, and the data is now somewhere outside the organisation's control.
Samsung's widely reported 2023 incidents are the canonical public examples (Bloomberg 2023), but they are routine rather than exceptional. The Information Commissioner's Office in the UK has reported a steady increase in AI-related data incidents since 2023, the majority of them inadvertent (ICO 2024).
No single control prevents inadvertent disclosure. A layered set works because the layers compensate for each other's blind spots.
1. A safe, sanctioned alternative. Provide an enterprise AI tool whose terms forbid training on customer data, whose logs are under your control, and whose access is tied to the corporate identity provider. If the safe path is also the easy path, most use migrates to it without coercion.
2. Browser and network controls. Use the enterprise browser, DNS filtering or DLP gateway to block known consumer AI services on managed devices, and to inspect or warn on pastes that contain classified content patterns.
3. Data classification that the tool can see. Tag documents, emails and tickets with sensitivity labels that the sanctioned AI tool respects. The tool should refuse to send the most sensitive categories outside the trust boundary.
4. Contractual constraints on suppliers. The corporate AI tool's contract must explicitly forbid the use of prompts and outputs for model training, and must restrict retention to the minimum needed for operation.
5. Training and habit-building. Short, scenario-based training that shows the user the specific patterns to avoid. Annual e-learning does not work; quick contextual reminders inside the tool itself do.
6. Logging and detection. Logs of prompts and outputs from the sanctioned tool, retained for a defined period and reviewed when an incident is suspected. This is the control that makes everything else auditable.
A separate class of disclosure arises with retrieval-augmented generation. The model itself is well-behaved, but it is connected to a corpus — a SharePoint, a Confluence, a CRM — with broader access than the requesting user has in the source system. The model dutifully synthesises an answer that includes information the user could not otherwise have seen. The disclosure is internal but no less serious.
The remedy is to ensure that the retrieval layer respects the user's source-system permissions, not just the AI tool's. Where the source system cannot be queried per-user, partition the corpus by sensitivity and gate access to the partitions separately.
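The permission-trimmed retrieval described above, together with the label-aware trust-boundary check from control 3, as an added example that is not code from the original article. It assumes a constructed corpus of two source systems: a SharePoint whose ACLs can be mirrored per user, and a CRM that cannot be queried per user and is therefore gated by sensitivity partition instead.

```python
from dataclasses import dataclass
# Sensitivity labels in increasing order (constructed for this example).
LABELS = ["public", "internal", "confidential", "restricted"]

@dataclass(frozen=True)
class Doc:
    doc_id: str
    source: str   # which source system holds it, e.g. "sharepoint" or "crm"
    label: str    # one of LABELS
    text: str

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset      # identity-provider group memberships
    partitions: frozenset  # sensitivity partitions the user is cleared for

# Constructed SharePoint ACLs: doc_id -> groups allowed to read the item.
# The CRM is assumed to have no per-user query API, so it is partitioned.
SHAREPOINT_ACL = {"sp-1": {"all-staff"}, "sp-2": {"finance"}}

def source_permits(user: User, doc: Doc) -> bool:
    """Authorise against the source system's rules, not the AI tool's."""
    if doc.source == "sharepoint":
        return bool(SHAREPOINT_ACL.get(doc.doc_id, set()) & user.groups)
    # Source cannot be asked per user: gate on the sensitivity partition.
    return doc.label in user.partitions

def retrieve(user: User, docs: list, query: str, max_label: str = "confidential") -> list:
    """Ids of matching docs the user may read and the tool may send out."""
    # max_label: highest label allowed to leave the trust boundary.
    ceiling = LABELS.index(max_label)
    hits = []
    for d in docs:
        if query.lower() not in d.text.lower():
            continue  # naive keyword match stands in for vector search
        if not source_permits(user, d):
            continue  # trimmed by source-system permission
        if LABELS.index(d.label) > ceiling:
            continue  # trimmed by the trust-boundary ceiling
        hits.append(d.doc_id)
    return hits

# Constructed corpus and users.
DOCS = [
    Doc("sp-1", "sharepoint", "internal", "Q3 offsite agenda"),
    Doc("sp-2", "sharepoint", "confidential", "Q3 revenue forecast"),
    Doc("crm-1", "crm", "confidential", "Acme renewal notes for Q3"),
    Doc("crm-2", "crm", "restricted", "Acme Q3 pricing floor for the board"),
]
ALICE = User("alice", frozenset({"all-staff"}), frozenset({"internal", "confidential"}))
BOB = User("bob", frozenset({"all-staff", "finance"}), frozenset(LABELS))
```

Note that the restricted CRM record is withheld from Bob even though he is cleared for it, because the ceiling applies to what the tool may send regardless of who asks.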
When disclosure is suspected — through a complaint, an external notification or internal review — three questions structure the response.
The answers feed both the regulator notification (where applicable under UK GDPR Article 33 or equivalents) and the internal post-incident learning.
ISO-STANDARD.app links your AI tools to the data classifications, supplier terms and training programmes that keep confidential information inside the trust boundary — and gives you the audit trail when something does slip.
ISO-STANDARD.app ships a ready-to-adopt ISO 42001 workspace with the risk register, controls catalogue, policies and audit-ready exports already wired together — no spreadsheet sprawl, no consultant lock-in.
Prefer a conversation? Email hello@iso-standard.app — a real human responds within one business day.