Using ChatGPT and Other AI Tools at Work — Data Risks and How to Set Company Rules
A neutral look at the real risks of using ChatGPT and similar AI tools at work, why outright bans can backfire, and five minimum rules for a practical internal policy.
ChatGPT and other generative AI chat tools can dramatically speed up writing and organizing information, but using them for real business work requires clear rules about what can be entered and who is responsible. Letting people use these tools without any guidelines in place effectively leaves risks such as data leaks and the spread of inaccurate information unmanaged. This article outlines the real shape of the risks involved in business use of generative AI, and how to build a minimal set of internal rules to get started.
Why Generative AI Adoption at Work Has Spread So Quickly
Since 2023, ChatGPT and similar generative AI chat tools have rapidly become an everyday substitute for search and document drafting, and it's increasingly common for organizations to discover employees were 'already using' them before any formal rollout. Multiple surveys report a steady year-over-year rise in generative AI adoption among businesses, but rule-making often fails to keep pace with usage. Adoption isn't limited to cases led by IT or security teams — frontline employees frequently start using these tools on their own judgment, and how to handle this 'informal use' has become a real management question.
Understanding the Real Shape of the Risks
The risks associated with business use of generative AI fall into three broad categories. The first is how input data is handled. What you type into a chat window is treated differently by different services, and conversation content may be stored on the provider's servers. Entering customer data, undisclosed contract terms, or HR information risks having that information leave the company unintentionally, which is why a clear line on what may and may not be entered matters.
The second is training-data settings. Many services let you choose whether your input is used to further train the underlying model. Free consumer plans and business plans commonly differ in their default settings and handling, and in some cases a business contract may explicitly guarantee that inputs are not used for training. Starting to use a service without checking this setting leaves open the risk that information is used in ways you didn't intend.
The third is the risk of inaccurate output (hallucination). Generative AI can produce plausible-sounding content that is factually wrong or entirely fabricated, and using that output directly in external documents or decisions risks putting incorrect information out into the world. Numbers, proper nouns, and references to laws or regulations in particular should always be checked against primary sources before being used externally.
The Hidden-Use Problem an Outright Ban Creates
Some companies respond to these concerns by banning generative AI use outright, but this approach carries its own problem. The underlying need for efficiency doesn't disappear just because a tool is banned, so a ban tends to push usage toward 'shadow AI' — employees quietly using personal devices or personal accounts instead. Use that the company can't see or manage can end up riskier than use that takes place under a defined set of rules. Rather than an outright ban, defining a specific scope of acceptable use and providing an official channel for it tends to be a more effective approach to risk management.
Business Plans vs. Personal Use: A Comparison
| Item | Business plan (typical example) | Personal use (free / individual account) |
|---|---|---|
| Handling of training use | Contracts commonly specify that input data is not used for training | Depends on the service's default setting; input may be used for training |
| Data retention and management | Organizations can often set retention periods and deletion policies | Depends on individual account settings, which are hard for the company to oversee |
| Account management | Administrators can centrally manage users and permissions | Individuals register on their own, making usage difficult for the company to track |
| Contracts and guarantees | Handling may be formally documented in a business-tier agreement, in addition to the terms of service | Only the general consumer terms of service apply |
| Cost | Typically a monthly fee based on seats and features | Free, or a low-cost individual plan |
*The above reflects general tendencies; specific contract terms and settings vary by service and by when the contract was signed. Always check the latest terms of service and business-tier contract details for the specific service you plan to use.
Five Minimum Elements of an Internal Policy
- 1. Define what information may be entered: As a rule, prohibit entering customer personal data, undisclosed contract or financial information, and HR data; allow only public information or properly anonymized data
- 2. Set up a review process for output: Require a human fact-check of any generated text or figures before they leave the company, cross-checking proper nouns, numbers, and legal/regulatory references against primary sources in particular
- 3. Manage accounts: Avoid business use of free personal accounts where possible, and standardize on business-tier accounts with administrator oversight
- 4. Confirm training-use is turned off: Check whether input is used for training at contract time and turn it off where necessary; periodically confirm whether the setting has changed
- 5. Set up a point of contact: Designate and publicize a place (such as IT or legal) that employees can go to when they're unsure how to handle a situation
Steps for Rolling Out the Policy
Building a policy from scratch can feel like a heavy lift, so a practical starting point is to summarize the five items above into a one-page guideline and circulate it. Updating it over time based on real questions and cases that come up during actual use makes it easier to embed without forcing adoption. Beyond a single company-wide policy, departments that handle meaningfully different kinds of information may also want department-specific supplementary rules. For a broader approach to adoption, see A Guide to AI Adoption for SMB Management; for common pitfalls, see Common Failure Patterns in AI Adoption.
Frequently Asked Questions
Is it a problem to use a personal ChatGPT account for work?
It isn't necessarily illegal, but it does make training-use settings and data handling harder for the company to track and manage, so it's generally not recommended. Where possible, standardize on business-tier accounts and set a rule against using personal accounts for work.
If employees are already using these tools informally, where should we start?
Start by understanding current usage — a brief survey of which departments are using which services for what purposes. From there, build out minimum rules, such as a clear line on what information may not be entered.
Who should be responsible for writing the internal policy?
IT or legal teams are typically best positioned to lead, but the policy should also incorporate input from the people who actually use these tools day to day — a policy disconnected from real practice tends to be ignored.
Conclusion
Business use of generative AI isn't really a choice between banning it and leaving it unmanaged. A more realistic starting point is understanding the real shape of the risks and then setting a minimal set of rules — what information may be entered, how output is checked, how accounts are managed. Rules shouldn't be treated as a one-time exercise; they need to be revisited as actual usage and each service's specifications change. How much weight to give each risk depends on your industry and the kind of information you handle, so when in doubt, check your own information security policy or consult a specialist.
Feel free to contact us
Contact Us