Article
3 min read
What Happens When an Employee Shares Confidential Data with an AI Tool (and What to Do About It)
AI
IT & device management
Legal & compliance
Global HR

Author
Dr Kristine Lennie
Last Update
July 15, 2026

Table of Contents
What happens after confidential data is shared with an AI tool
Why policies and training are necessary but not sufficient
The first 24 hours: an IT incident response playbook
The enforcement architecture: closing the gap for distributed teams
How Deel IT helps organizations enforce security at scale
Key takeaways
- Employees are increasingly using consumer AI tools at work, making accidental exposure of confidential data a growing security and compliance risk.
- AI governance depends on technical enforcement, not just policy. Device management, identity controls, and application restrictions are what prevent unauthorized AI use across a distributed workforce.
- Deel IT extends AI governance across the worker lifecycle by combining global device management, identity-driven access controls, and automated onboarding and offboarding on a single platform.
Disclaimer: This article is provided for general informational purposes and should not be treated as legal or compliance advice. Regulations vary by jurisdiction. Consult a qualified lawyer or data protection officer for guidance specific to your organization.
It started with a developer trying to solve a problem more quickly. In 2023, as ChatGPT became part of everyday work, an engineer at Samsung pasted proprietary source code into the tool while debugging an issue. Within weeks, the company had recorded three separate incidents in which employees shared confidential information with ChatGPT, including source code, test sequences, and internal meeting transcripts. What began as an attempt to work more efficiently became one of the first high-profile examples of the governance risks surrounding consumer AI.
According to a Metomic survey of over 400 security leaders, 68% of organizations have experienced data leakage incidents tied to employees sharing sensitive information with AI tools, and only 23% have documented, enforced AI security policies in place. The gap between policy and technical enforcement is the real problem.
For IT teams supporting a global workforce, the challenge goes beyond writing AI policies. The real question is what happens when confidential data has already been shared, and how to prevent it from happening again.
What happens after confidential data is shared with an AI tool
When an employee submits confidential information to a consumer AI tool, the exposure begins immediately. The data is transmitted to the AI provider's servers, and what happens next depends on the type of account being used and the provider's data handling policies.
For consumer AI accounts, submitted content may be retained and, depending on the provider's settings, used to improve future models. OpenAI's default settings for non-enterprise accounts historically allowed this, although account holders can opt out via privacy settings. Enterprise AI agreements typically include stronger contractual protections around data handling and model training, but those safeguards generally don't apply to personal or consumer accounts.
Several legal and compliance risks may arise at this point, depending on the type of data involved. The most common include:
-
GDPR (and equivalent privacy laws): If the submitted data includes personal data about EU residents (customer names, employee records, contact details), GDPR Article 33's 72-hour breach notification obligation may apply. The clock starts the moment the organization becomes aware of the incident. Failure to notify the supervisory authority within 72 hours does not automatically trigger a fine, but the delay must be explained. GDPR maximum fines reach up to €20 million or 4% of global annual turnover, whichever is higher
-
Trade secret doctrine: In the US, the Defend Trade Secrets Act and equivalent state laws require that a trade secret holder take "reasonable measures" to protect secrecy. Submitting source code, pricing models, or product roadmaps to a third-party AI service without contractual protections may undermine that "reasonable measures" defense if a trade secret dispute later arises
-
Contractual liability: Many enterprise agreements with customers, partners, or vendors include confidentiality clauses. Submitting information subject to those clauses to a third-party AI provider may constitute a breach, regardless of whether the information was technically "leaked" in the public sense
Beyond the legal dimension, there is an operational one: once data leaves the organization, audit trail coverage ends. It cannot be verified, queried for future legal holds, or recalled.
Compliance
Why policies and training are necessary but not sufficient
AI governance starts with clear policies and employee education, but it can't end there. The evidence shows that organizations still struggle to enforce those policies consistently.
The numbers tell the story:
- 63% of organizations that experienced an AI-related breach either had no AI governance policy or were still developing one, according to IBM's 2025 Cost of a Data Breach Report
- Only 34% regularly audit for unsanctioned AI use, leaving many organizations without visibility into shadow AI
- 43% of employees using AI tools have shared sensitive company information without their employer's knowledge, according to National Cybersecurity Alliance survey
The challenge is clear: consumer AI tools require little more than a browser and an account. Employees can access them from personal devices, unmanaged corporate devices, mobile apps, or browser extensions, often outside IT's visibility.
That means effective AI governance requires more than policies alone. Organizations need technical controls that enforce those policies across every device and every worker, including:
- Device management to secure and monitor managed endpoints
- Application controls to restrict or block unauthorized AI tools
- Access management to enforce access policies based on user, device, and risk
- Continuous monitoring to identify unsanctioned AI usage and respond quickly
Training tells employees what they shouldn't do. Technical controls determine what they can do.
This distinction becomes even more important for distributed workforces. A company-managed laptop enrolled in mobile device management (MDM) can enforce security policies consistently, while a contractor using a personal device may sit outside those controls unless access is governed through identity and compliance policies.
Read also: How Effective is Your Awareness Training Against Cyber Threats? An 8-Question Checklist
The first 24 hours: an IT incident response playbook
Once an employee reports that confidential data has been shared with an AI tool, the focus shifts from prevention to response. The first 24 hours are critical for understanding what happened, preserving evidence, assessing legal and contractual obligations, and reducing the risk of further exposure. Use the checklist below to guide your response during those first critical hours.
Step 1 (0–2 hours): Establish the facts
Before taking action, build a clear picture of the incident.
Confirm:
☐ What data was submitted? (Source code, customer records, financial models, HR data, etc.)
☐ Which AI tool was used? (ChatGPT, Claude, Gemini, or another service)
☐ Which account was used? (Personal, team, or enterprise)
☐ Which device was used? (Company-managed, personal, or shared)
☐ Was this an isolated incident or part of a broader pattern?
Document every finding with timestamps. This record forms the basis of any legal review, regulatory notification, or internal investigation.
Step 2 (2–4 hours): Preserve evidence
Capture evidence before making changes to the affected device.
If the device is company-managed:
☐ Capture a device snapshot or disk image before remediation begins
☐ Preserve browser history, application logs, and network logs where available
☐ Record the time the incident was discovered and who had access to the device
If the device is unmanaged or personally owned:
☐ Document what evidence could and could not be collected
☐ Record any limitations caused by the device being outside company management
This evidence protects the organization's legal and regulatory position and helps establish an accurate timeline of the incident.
Step 3 (2–6 hours): Contact the AI provider
Many AI vendors provide privacy or security contact channels, even for consumer services. Submit a written request that includes:
☐ The date and approximate time of the submission
☐ A description of the data involved
☐ A request to delete submitted content or training data, where applicable
☐ Confirmation of the provider's data retention and model training policies for the account used
The response may not reduce the immediate risk, but documenting the request can support future legal, contractual, or regulatory reviews.
Step 4 (4–8 hours): Review legal and compliance obligations
Work with your legal team or Data Protection Officer (DPO) to determine:
☐ Whether GDPR Article 33 breach notification requirements apply
☐ Whether customer, partner, or vendor agreements require notification
☐ Whether confidential business information or trade secrets may have been compromised
The outcome of this review determines whether regulatory or contractual notification obligations have been triggered.
Step 5 (8–72 hours): Notify affected parties
Once the legal review is complete, determine who needs to be informed and when.
☐ Notify the relevant supervisory authority within GDPR's 72-hour window, where required
☐ Inform affected customers, partners, or vendors if contractual obligations require notification
☐ Brief internal stakeholders, including security, legal, executive leadership, and affected business teams
☐ Document when notifications were sent, who approved them, and what information was shared
Not every incident requires external notification, but every incident should have a documented decision-making process. Maintaining a clear record of what was assessed, who was notified, and why helps demonstrate compliance if the incident is later reviewed by regulators or customers.
Step 6 (24 hours onward): Strengthen your enforcement controls
Once the immediate response is complete, review the controls that were in place on the affected device.
Assess whether:
☐ The device was enrolled in MDM
☐ Application restrictions or browser policies were configured
☐ Identity and access controls were applied appropriately
☐ Any missing controls contributed to the incident
Use the findings to strengthen your AI governance framework and reduce the likelihood of future incidents.
Download also this: Complete IT Security & Compliance Checklist for Remote Work
The enforcement architecture: closing the gap for distributed teams
An incident response plan tells you what to do after confidential data has been shared with an AI tool. An enforcement architecture helps reduce the likelihood of it happening in the first place by applying consistent technical controls across every worker, device, and location.
Use the checklist below to assess whether your organization has the right enforcement controls in place.
1. Control AI applications on managed devices
Company-managed devices provide the strongest opportunity to enforce AI governance because IT controls the operating system and installed software.
You should make sure you:
☐ Maintain a list of approved and restricted AI applications to ensure employees only use AI tools that meet your organization's security, privacy, and compliance requirements
☐ Block or restrict unauthorized AI applications using MDM and endpoint management policies to reduce the risk of confidential information being shared with unapproved tools
☐ Prevent users from installing unauthorized software where technically possible to minimize shadow AI across managed devices
☐ Review application policies regularly as new AI tools and features become available to ensure your controls remain up to date
☐ Audit managed devices to confirm application restrictions are being applied consistently across your fleet
Why it matters: Device-level controls provide the strongest protection for company-owned hardware, but they should be complemented by identity controls for browser-based AI tools.
2. Extend enforcement through identity and access management
Many AI tools are accessed through a browser rather than an installed application, making identity just as important as the device itself.
You should make sure you:
☐ Integrate approved AI applications with your identity provider where possible to centralize authentication and access management
☐ Require users to access approved AI tools through single sign-on (SSO) so authentication and access can be centrally managed
☐ Configure Conditional Access policies to require compliant devices before users can access approved AI applications
☐ Apply different access policies based on user role, location, or risk level to protect sensitive systems and information
☐ Enforce the same identity controls for employees, contractors, and workers hired through an EOR to maintain consistent governance across your workforce
Why it matters: Identity controls extend protection beyond managed devices and provide a consistent enforcement layer for browser-based AI tools and distributed teams.
3. Apply practical controls to personal devices
Personal devices are often outside direct IT management, making policy and identity controls especially important.
You should make sure you:
☐ Clearly define which AI tools can and cannot be used for work on personal devices.
☐ Require employees and contractors to acknowledge your acceptable AI use policy before accessing corporate systems.
☐ Require device compliance before granting access to company applications and sensitive data.
☐ Restrict access to high-risk systems from unmanaged devices where appropriate.
☐ Review your BYOD policy regularly to ensure it reflects evolving AI risks, legal requirements, and business needs.
Why it matters: Practical BYOD controls reduce the likelihood of confidential company information being submitted from devices outside your direct management while respecting employee privacy.
4. Build AI governance into offboarding
Access to company systems should end as quickly as employment does. Offboarding is one of the most common points where governance breaks down.
You should make sure you:
☐ Automatically revoke application and identity access as soon as employment or a contract ends.
☐ Terminate active sessions and revoke authentication tokens to prevent continued access after offboarding.
☐ Recover, lock, or remotely wipe managed devices where appropriate to protect company data.
☐ Apply the same offboarding process to employees, contractors, and workers hired through an EOR so no worker type is treated differently.
☐ Document completion of access revocation, device recovery, and any follow-up actions to maintain a clear audit trail.
Why it matters: Automated offboarding minimizes the window of exposure, reduces manual errors, and helps ensure former workers no longer have access to company systems or sensitive information.
Zero-trust identity integrations help reduce the gap between a worker's last day and the removal of access across every connected system. Deel's data security management guide explains how these controls fit into a broader security and compliance framework.
Read also: Zero Trust Security for Remote-First IT Teams: A Practical Implementation Guide
Mobile Device Management
How Deel IT helps organizations enforce security at scale
AI governance depends on more than policies; it depends on consistent technical enforcement. Deel IT brings device management, identity, lifecycle automation, and global hardware operations together in one platform, helping organizations apply the same security controls across employees, contractors, and workers hired through an EOR, wherever they work.
With Deel IT, IT teams can:
- Manage devices globally: Enroll and manage macOS, Windows, iOS, and Android devices across 130+ countries using Apple Business Manager, Windows Autopilot, Apple Configurator, and remote enrollment where appropriate
- Restrict unauthorized AI tools: Classify applications as restricted and enforce device policies that block unapproved AI applications on managed devices
- Extend controls through identity: Integrate with Okta and Microsoft Entra ID to apply Conditional Access policies based on device compliance, user identity, and risk, helping govern browser-based AI access as well as installed applications
- Automate onboarding and offboarding: Connect HR lifecycle events to device provisioning, access changes, and IdP-driven deprovisioning, reducing the risk of orphaned accounts and delayed access revocation
- Procure and ship managed devices worldwide: Source, configure, register, ship, recover, and redeploy hardware through a centralized global logistics network, making it easier to bring every worker into the same managed environment
- Apply consistent controls across every worker type: Extend the same MDM, lifecycle, and identity controls to employees, contractors, and workers hired through an EOR, rather than managing separate security standards for each group
Book a demo to see how Deel IT helps distributed teams.
Deel IT
Procure, deliver, manage, and secure devices anywhere

FAQs
Does an employee submitting data to ChatGPT automatically trigger a GDPR breach notification?
Not automatically — it depends on whether the submitted data includes personal data of EU residents and whether the submission qualifies as a "breach" under GDPR Article 4(12). If personal data was shared without authorization with a third party (the AI provider), legal and DPO review of Article 33 notification obligations is required, and the 72-hour clock starts when the organization becomes aware of the incident.
What is shadow AI, and why is it a higher risk than IT-approved AI tools?
Shadow AI refers to AI tools employees use without IT or organizational approval — typically personal accounts on consumer AI platforms accessed through a browser. According to a 2026 BlackFog survey, approximately 49% of employees use unapproved AI tools, and these tools lack the enterprise data processing agreements, contractual protections, and audit trails that IT-approved tools include.
Can Deel IT block access to AI tools like ChatGPT on company devices?
Yes, using a layered approach: IT admins can classify applications as restricted in the Software Management system, with enforcement applied through device group policies and the Access Management layer. For web-based access, Conditional Access policies through integrated IdPs (Okta, Microsoft Entra ID) can extend restrictions to browser-based AI tools.
How does the enforcement approach differ for contractors vs. full-time employees?
The technical capabilities (MDM enrollment, software management, IdP integration) apply consistently across employees, workers hired through an EOR, and contractors within the Deel IT platform. The legal constraints on monitoring and enforcement may differ by jurisdiction, which is why the contractual and policy layer (acceptable use agreements, AI clauses in contractor agreements) remains necessary alongside the technical controls.
Is a written AI use policy enough to satisfy GDPR's appropriate technical and organizational measures requirement?
A written policy is an organizational measure, but GDPR's Article 25 and Article 32 both require appropriate technical measures proportionate to the risk. Supervisory authorities have consistently found that policy alone does not satisfy the standard where technical measures were feasible and reasonably available.
Related Deel IT resources
- Mobile Device Management with Deel IT: Everything You Need to Know
- How to Cut Device Security Costs and Risks with Mobile Device Management
- How to Improve IT Compliance with Automated Device Management
- Data Security Management: Risks, Controls, and Strategies
- How Deel IT Saves Time and Money at Every Stage of the Device Lifecycle

Dr Kristine Lennie holds a PhD in Mathematical Biology and loves learning, research and content creation. She had written academic, creative and industry-related content and enjoys exploring new topics and ideas. She is passionate about helping create a truly global workforce, where employers and employees are not limited by borders to achieve success.















