{"id":27112,"date":"2026-02-13T04:32:51","date_gmt":"2026-02-13T04:32:51","guid":{"rendered":"https:\/\/www.insentragroup.com\/au\/?p=27112"},"modified":"2026-02-13T06:16:35","modified_gmt":"2026-02-13T06:16:35","slug":"governance-in-the-age-of-genai-because-chatbots-arent-bound-by-ndas","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/au\/insights\/not-geek-speak\/generative-ai\/governance-in-the-age-of-genai-because-chatbots-arent-bound-by-ndas\/","title":{"rendered":"Governance in the Age of GenAI: Because Chatbots\u00a0Aren\u2019t\u00a0Bound by NDAs"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">The Rise of GenAI<\/h2>\n\n\n\n<p>Let\u2019s be honest: GenAI platforms like Copilot, ChatGPT, Claude, Gemini and whichever new one appears while you\u2019re reading this are incredible. They summarise, rewrite, translate, predict, hallucinate confidently like an intern on their first day\u00a0and are basically the answer to \u201cI need to write\u00a0a script for\u00a0a\u00a0complex automation task\u00a0whilst creating a PowerPoint presentation for the board in the next 30mins\u201d.\u00a0<\/p>\n\n\n\n<p>But\u00a0as Hollywood movies,\u00a0cartoons and some wise people throughout history have said\u2026with great power comes great responsibility\u2026or at least a couple of sleepless nights wondering whether someone just pasted your company\u2019s FY26 roadmap into a random chatbot\u00a0or whatever that guy did from a US cybersecurity agency\u2026no really\u2026ask GenAI to find you the article.\u00a0Proper facepalm moment!\u00a0<\/p>\n\n\n\n<p>As organisations integrate GenAI to improve productivity, automate processes, and reduce the number of meetings that \u201ccould have been an email\u201d, they\u2019re also waking up to a harsh reality: these systems consume data, and not all data is created equal. 
Sensitive, confidential, regulated, personal, or \u201cplease don\u2019t let Legal find out\u201d data must be governed like a toddler at a chocolate fountain.\u00a0<\/p>\n\n\n\n<p>The real challenge?\u00a0Most\u00a0users\u00a0don\u2019t know what\u2019s safe to share with an AI model.\u00a0Just because the chatbot is polite doesn\u2019t mean the architectural drawings of your new vault are safe.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">GenAI and Your Data: No Black Magic, Just Predictive Maths on Steroids\u00a0<\/h2>\n\n\n\n<p>Some people think GenAI is like shouting into a void and getting wisdom back. Others think it\u2019s like feeding secrets to a hyperintelligent cyborg. The truth is somewhere in between.\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"404\" height=\"533\" src=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2026\/02\/image-3.png\" alt=\"\" class=\"wp-image-27131\" title=\"\" srcset=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2026\/02\/image-3.png 404w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2026\/02\/image-3-227x300.png 227w\" sizes=\"(max-width: 404px) 100vw, 404px\" \/><\/figure>\n\n\n\n<p>GenAI models\u00a0operate\u00a0using prompts and context data. 
Depending on the platform, data may be:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Processed temporarily<\/li>\n\n\n\n<li>Logged for quality\/control<\/li>\n\n\n\n<li>Used to finetune models (not in enterprise-grade solutions)<\/li>\n\n\n\n<li>Stored in data centres within or outside your region<\/li>\n\n\n\n<li>Protected or not protected by enterprise-grade isolation\u00a0<\/li>\n<\/ul>\n\n\n\n<p>This is why governance matters!&nbsp;<\/p>\n\n\n\n<p>For example:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Microsoft Copilot for M365<\/strong>\u00a0uses the Microsoft Graph with strong tenant boundaries.\u00a0Basically,\u00a0your\u00a0data stays\u00a0as\u00a0your data. No training, no leakage, no data going for a walk into a different tenant<\/li>\n\n\n\n<li><strong>Public ChatGPT<\/strong>\u00a0(free or\u00a0Plus) is consumer-grade, which means content may be stored,\u00a0reviewed\u00a0and used to improve models<\/li>\n\n\n\n<li><strong>ChatGPT Team\/Enterprise<\/strong>\u00a0has stronger controls but still requires clear data handling rules<\/li>\n\n\n\n<li><strong>Unapproved AI tools<\/strong>\u00a0(the shadow IT kind)\u00a0turn \u201cwe didn\u2019t know\u201d into\u00a0a very expensive\u00a0sentence\u00a0<\/li>\n<\/ul>\n\n\n\n<p>Without governance, sensitive information can slip into systems that were never meant to hold it. 
And once\u00a0it\u2019s\u00a0in,\u00a0you\u2019re\u00a0relying on the vendor\u2019s goodwill and privacy policy and\u00a0let\u2019s\u00a0be honest, those documents are written in a dialect only lawyers and ancient Sumerians understand.\u00a0<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The Big Governance Checklist: Because Hope Is Not a Strategy<\/h2>\n\n\n\n<p>Governance\u00a0isn\u2019t\u00a0about stopping people from using GenAI\u2026it\u2019s about making sure they can use it safely without causing a data breach so catastrophic that your CISO moves to a remote farm and raises alpacas.\u00a0<\/p>\n\n\n\n<p>Here\u2019s&nbsp;what&nbsp;organisations should consider&nbsp;putting in place:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A\u00a0clear GenAI\u00a0acceptable\u00a0use\u00a0policy\n<ul class=\"wp-block-list\">\n<li>Basically, your\u00a0users need to know what they can and\u00a0can\u2019t upload into GenAI platforms and have a clear understanding of what platforms are approved for use\u00a0<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Data\u00a0classification &amp;\u00a0labelling\u00a0that&#8217;s\u00a0actually\u00a0used\u00a0\n<ul class=\"wp-block-list\">\n<li>If your organisation has a classification framework that nobody remembers, now is\u00a0a great time\u00a0to dust it off and make it simple enough for humans\u00a0<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Technical\u00a0controls\n<ul class=\"wp-block-list\">\n<li>So\u00a0this is your DLP and label controls, approved and unapproved GenAI platforms, shadow IT\u2026and the list goes on.\u00a0Basically, policies\u00a0without the technical controls\u00a0are\u00a0just expensive poetry\u00a0<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Vendor\u00a0assessment &amp;\u00a0transparency\n<ul class=\"wp-block-list\">\n<li>Sit the vendor down in a room and interrogate them about their platform.\u00a0Don\u2019t\u00a0leave until you 
have a clear understanding of where they store data, whether prompts are used for training the platform, data retention\u2026I could go on but you catch my drift\u00a0<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Human\u00a0oversight\n<ul class=\"wp-block-list\">\n<li>AI\u00a0isn\u2019t\u00a0Neo or The Oracle\u2026so everything it\u00a0produces must be reviewed by humans. And\u00a0don\u2019t\u00a0ask it for financial advice unless you are sure that the Cayman Islands account\u00a0it suggests\u00a0is\u00a0legitimate\u00a0<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Protecting Sensitive Data (If Legal Would Panic,\u00a0Don\u2019t\u00a0Paste It)\u00a0<\/h2>\n\n\n\n<p>Let\u2019s&nbsp;talk about the stuff that keeps CIOs awake at night:&nbsp;sensitive data leakage.&nbsp;GenAI&nbsp;platforms&nbsp;become a risk when employees paste things like:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Customer PII<\/li>\n\n\n\n<li>Financial forecasts<\/li>\n\n\n\n<li>Legal documents<\/li>\n\n\n\n<li>The\u00a0blueprint to the next generation Android phone\u00a0\u00a0<\/li>\n<\/ul>\n\n\n\n<p>So,&nbsp;what can you do to prevent this from happening in your organisation?&nbsp;&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Implement AI DLP\u00a0policies\n<ul class=\"wp-block-list\">\n<li>Purview\u00a0DLP can detect sensitive content\u00a0being uploaded into\u00a0GenAI platforms. The catch\u2026you just need to\u00a0determine\u00a0what is sensitive data.\u00a0It\u00a0doesn\u2019t\u00a0just automagically\u00a0happen. 
DLP (aka the gatekeeper) needs to know what to look for<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Use Purview\u00a0sensitivity\u00a0labels\u00a0everywhere\u00a0(where possible and\u00a0where\u00a0supported by your friendly neighbourhood IT guy)\n<ul class=\"wp-block-list\">\n<li>Labels follow data even when used in Copilot prompts\u2026which means your AI assistant\u00a0won\u2019t\u00a0surface restricted data to the wrong person.\u00a0So no, a prompt of \u201cwhat\u00a0is the salary of our CEO\u201d will surface absolutely nothing\u2026if labelled correctly<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Provide an\u00a0approved,\u00a0secure AI\u00a0environment\n<ul class=\"wp-block-list\">\n<li>Just because the site has a .ai domain,\u00a0doesn\u2019t\u00a0mean\u00a0it\u2019s\u00a0safe and approved!\u00a0<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Educate,\u00a0educate\u00a0and educate some more\n<ul class=\"wp-block-list\">\n<li>Even the best controls will fail if Bob from Finance\u00a0uploads\u00a0a spreadsheet labelled \u201cQ4 Salaries \u2013 Do Not Share\u201d<\/li>\n\n\n\n<li>Training should include:\n<ul class=\"wp-block-list\">\n<li>What\u2019s\u00a0acceptable to\u00a0upload<\/li>\n\n\n\n<li>What\u2019s\u00a0never acceptable<\/li>\n\n\n\n<li>How to verify outputs<\/li>\n\n\n\n<li>How to detect hallucinations<\/li>\n\n\n\n<li>How to report AI misuse\u00a0<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>If you\u00a0don\u2019t\u00a0train your\u00a0users,\u00a0don\u2019t\u00a0be surprised when someone tries to get ChatGPT to write next year\u2019s board strategy paper using actual board data.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">In Closing: Do This Right and\u00a0You\u2019ll\u00a0Sleep Better<\/h2>\n\n\n\n<p>GenAI&nbsp;isn\u2019t&nbsp;going away. 
If anything,&nbsp;it\u2019s&nbsp;accelerating like someone strapped a rocket engine to&nbsp;Clippy&nbsp;and yelled, \u201cGood luck, mate!\u201d Organisations that use it responsibly will innovate faster,&nbsp;operate&nbsp;smarter, and leave competitors behind so dramatically&nbsp;you\u2019d&nbsp;think they were still arguing over who gets to use the office fax machine.&nbsp;<\/p>\n\n\n\n<p>Those who ignore governance?&nbsp;<\/p>\n\n\n\n<p>Well\u2026let\u2019s&nbsp;just say the Privacy Commissioner has cancelled their lunch plans, brewed a family\u2011sized thermos of chamomile tea, and is&nbsp;absolutely ready&nbsp;to have a&nbsp;\u201cfriendly little chat\u201d&nbsp;about your organisation\u2019s creative approach to data handling. Bring biscuits.&nbsp;You\u2019ll&nbsp;need them.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/www.insentragroup.com\/au\/contact\/\" target=\"_blank\" rel=\"noreferrer noopener\">Contact us<\/a>&nbsp;to design a secure, practical governance framework tailored to your organisation.&nbsp;<\/p>\n\n\n\n<p>Or accelerate your journey with our&nbsp;<a href=\"https:\/\/www.insentragroup.com\/au\/services\/generative-ai-series\/sprint-1\/\" target=\"_blank\" rel=\"noreferrer noopener\">Generative AI Sprint<\/a>, where we help you rapidly assess risk, define guardrails, implement&nbsp;controls&nbsp;and unlock value from GenAI with confidence.&nbsp;<\/p>\n\n\n\n<p>And remember:&nbsp;<\/p>\n\n\n\n<p><strong>&#8220;The future depends on what you do today.&#8221; \u2014 Mahatma Gandhi<\/strong>&nbsp;<\/p>\n\n\n\n<p>Until next time\u2026&nbsp;<\/p>\n\n\n\n<p>Pure Awesomeness signing off!&nbsp;\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>GenAI boosts productivity but increases risk. Learn how to govern AI use and protect sensitive data the right way. 
<\/p>\n","protected":false},"author":52,"featured_media":27132,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[298],"tags":[],"class_list":["post-27112","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-generative-ai","entry"],"_links":{"self":[{"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/posts\/27112","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/users\/52"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/comments?post=27112"}],"version-history":[{"count":12,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/posts\/27112\/revisions"}],"predecessor-version":[{"id":27136,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/posts\/27112\/revisions\/27136"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/media\/27132"}],"wp:attachment":[{"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/media?parent=27112"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/categories?post=27112"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/tags?post=27112"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}