AI Governance Guide

What should employees not put into ChatGPT?

Last updated: June 4, 2026 · Practical guidance for owners, operators, managers, and teams using AI at work.

Quick answer

Employees should not put client data, private business information, credentials, legal or coverage-sensitive facts, regulated records, confidential documents, or unreleased strategy into public ChatGPT accounts. The safe default is simple: if the business would be embarrassed, exposed, or legally obligated to explain the disclosure, do not paste it into AI.

The 5 categories employees should never paste

1. Client names, customer records, claim details, policy numbers, medical details, financial records, or anything covered by confidentiality duties.

2. Passwords, API keys, one-time codes, private links, login tokens, session screenshots, or any credential-like information.

3. Unreleased strategy, pricing, acquisition plans, employee issues, legal disputes, internal financials, or board-level material.

4. Full documents from clients, vendors, carriers, attorneys, or partners unless the company has approved the tool, data terms, and purpose.

5. Regulated or coverage-sensitive information where an AI answer could be mistaken for legal, insurance, tax, medical, or professional advice.

Use a red, yellow, green rule employees can remember.

A policy employees cannot apply during real work will not protect the company. Tensor Garden recommends a simple traffic-light model because it turns abstract data governance into an everyday decision.

Green: Usually allowed

Public information, generic examples, brainstorms, drafts with no private data, and training exercises that use made-up names or sanitized facts.

Yellow: Needs review first

Client-adjacent summaries, internal workflows, vendor documents, spreadsheets, meeting notes, or anything that might become confidential when combined with other context.

Red: Do not paste

Credentials, private customer data, policy or claim details, legal matters, payroll/HR issues, trade secrets, unreleased financials, and sensitive screenshots.

What should employees do instead?

The goal is not to ban AI. The goal is to make AI useful without turning every staff member into a security decision-maker. Use a repeatable workflow for common AI tasks.

  1. Write the task in plain English without private names, numbers, or identifiers.

  2. Replace real people, clients, policy numbers, claim facts, and dollar amounts with placeholders.

  3. Ask the AI to produce a draft, checklist, outline, or decision support. Do not ask it to make the final judgment.

  4. Review the answer against company policy, professional standards, and the actual source documents.

  5. Move repeated prompts into an approved company workflow so staff are not improvising with sensitive data every time.

The owner-level test

Would I be comfortable explaining this exact paste in a client email, claim file, lawsuit, carrier review, or data-breach notice?

If the answer is no, the employee should not paste it into a public AI tool. That does not mean the task cannot use AI. It means the company needs an approved workflow, an approved account, sanitized inputs, and a human review point.

FAQ

Can employees put client emails into ChatGPT?

Not unless the company has approved the specific AI tool, account plan, data terms, and use case. A safer default is to remove names, account numbers, private facts, and attachments before asking for help with tone, structure, or next-step drafting.

Is ChatGPT Team or Enterprise safer than personal ChatGPT accounts?

Business plans can offer better controls than personal accounts, but the plan alone is not a policy. Companies still need data rules, employee training, approved workflows, access controls, and review steps.

What should an AI usage policy include?

A useful AI usage policy should define allowed use cases, forbidden data, approval rules, tool/account requirements, human review points, incident reporting, recordkeeping, and who owns updates to the policy.

What is the fastest way to reduce AI data-leak risk?

Start with a red/yellow/green data policy, train staff on concrete examples from their daily work, and replace one-off public ChatGPT usage with approved reusable workflows for common tasks.

Source context

This guide is written as practical operator guidance. It should be adapted with counsel, insurance advisors, IT/security leadership, and the actual AI tools your company approves.

Tensor Garden helps teams use AI safely on real work.

We train your team, define the data boundaries, build approved workflows, and support the staff when they get stuck. This page is general information, not legal advice or an insurance coverage determination.