A marketing manager at a mid-size insurance firm in Ohio pasted 14,000 customer records into ChatGPT last March. She wanted to segment the list for a spring campaign. The data included names, addresses, policy numbers, and annual premiums. By the time compliance found out, the damage was already theoretical — nobody knows what OpenAI's servers retained, and nobody can prove they didn't. The firm spent $340,000 on legal review and customer notification. The marketing manager had no idea she had done anything wrong.

This is not an isolated incident. A Samsung semiconductor division lost proprietary source code the same way. A New York law firm filed court briefs containing AI-hallucinated case citations that never existed. A hospital administrator in Texas used an AI transcription tool that stored patient audio on servers outside the United States. None of these people were malicious. They were efficient. They saw a tool, they used it, and nobody had told them the boundaries.

The absence of a written AI policy in a business is not a neutral position. It is an invitation for every employee to make their own rules. And employees, given the choice between asking permission and getting the job done before lunch, will pick lunch every time.

Subscribe to keep reading

This content is free, but you must be subscribed to Alun Hill to continue reading.

Already a subscriber?Sign in.Not now

Keep Reading