![\"\"](\"https:\/\/www.insentragroup.com\/nz\/wp-content\/uploads\/sites\/18\/2026\/02\/image-3.png\")
<\/figure>\n\n\n\nGenAI models operate using prompts and context data. Depending on the platform, data may be:<\/p>\n\n\n\n
- \n
- Processed temporarily<\/li>\n\n\n\n
- Logged for quality\/control<\/li>\n\n\n\n
- Used to finetune models (not in enterprise-grade solutions)<\/li>\n\n\n\n
- Stored in data centres within or outside your region<\/li>\n\n\n\n
- Protected or not protected by enterprise-grade isolation <\/li>\n<\/ul>\n\n\n\n
This is why governance matters! <\/p>\n\n\n\n
For example: <\/p>\n\n\n\n
- \n
- Microsoft Copilot for M365<\/strong> uses the Microsoft Graph with strong tenant boundaries. Basically, your data stays as your data. No training, no leakage, no data going for a walk into a different tenant<\/li>\n\n\n\n
- Public ChatGPT<\/strong> (free or Plus) is consumer-grade, which means content may be stored, reviewed and used to improve models<\/li>\n\n\n\n
- ChatGPT Team\/Enterprise<\/strong> has stronger controls but still requires clear data handling rules<\/li>\n\n\n\n
- Unapproved AI tools<\/strong> (the shadow IT kind) turn \u201cwe didn\u2019t know\u201d into a very expensive sentence <\/li>\n<\/ul>\n\n\n\n
Without governance, sensitive information can slip into systems that were never meant to hold it. And once it\u2019s in, you\u2019re relying on the vendor\u2019s goodwill and privacy policy and let\u2019s be honest, those documents are written in a dialect only lawyers and ancient Sumerians understand. <\/p>\n\n\n\n
The Big Governance Checklist: Because Hope Is Not a Strategy<\/h2>\n\n\n\n
Governance isn\u2019t about stopping people from using GenAI\u2026it\u2019s about making sure they can use it safely without causing a data breach so catastrophic that your CISO moves to a remote farm and raises alpacas. <\/p>\n\n\n\n
Here\u2019s what organisations should consider putting in place: <\/p>\n\n\n\n
- \n
- A clear GenAI acceptable use policy\n
- \n
- Basically, your users need to know what they can and can\u2019t upload into GenAI platforms and have a clear understanding of what platforms are approved for use <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- \n
- Data classification & labelling that’s actually used \n
- \n
- If your organisation has a classification framework that nobody remembers, now is a great time to dust it off and make it simple enough for humans <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- \n
- Technical controls\n
- \n
- So this is your DLP and label controls, approved and unapproved GenAi platforms, shadow IT\u2026and the list goes on. Basically, policies without the technical controls is just expensive poetry <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- \n
- Vendor assessment & transparency\n
- \n
- Sit the vendor down in a room and interrogate them about their platform. Don\u2019t leave until you have a clear understanding of where they store data, are prompts used for training the platform, data retention\u2026I could go on but you catch my drift <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- \n
- Human oversight\n
- \n
- AI isn\u2019t Neo or The Oracle\u2026so everything it produces must be reviewed by humans. And don\u2019t ask it for financial advice unless you are sure that the Caymen Islands account it suggests is legitimate <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Protecting Sensitive Data (If Legal Would Panic, Don\u2019t Paste It) <\/h2>\n\n\n\n
Let\u2019s talk about the stuff that keeps CIOs awake at night: sensitive data leakage. GenAI platforms become a risk when employees paste things like: <\/p>\n\n\n\n
- \n
- Customer PII<\/li>\n\n\n\n
- Financial forecasts<\/li>\n\n\n\n
- Legal documents<\/li>\n\n\n\n
- The blueprint to the next generation Android phone <\/li>\n<\/ul>\n\n\n\n
So, what can you do to avoid this from happening in your organisation? <\/p>\n\n\n\n
- \n
- Implement AI DLP policies\n
- \n
- Purview DLP can detect sensitive content being uploaded into Gen AI platforms. The catch\u2026you just need to determine what is sensitive data. It doesn\u2019t just automagically just happen. DLP (aka the gatekeeper) needs to know what to look for<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Use Purview sensitivity labels everywhere (where possible and where supported by your friendly neighbourhood IT guy)\n
- \n
- Labels follow data even when used in Copilot prompts\u2026which means your AI assistant won\u2019t surface restricted data to the wrong person. So no, a prompt of \u201cwhat is the salary of our CEO\u201d will surface absolutely nothing\u2026if labelled correctly<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Provide an approved, secure AI environment\n
- \n
- Just because the site has a .ai domain, doesn\u2019t mean it\u2019s safe and approved! <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- \n
- Educate, educate and educate some more\n
- \n
- Even the best controls will fail if Bob from Finance uploads a spreadsheet labelled \u201cQ4 Salaries \u2013 Do Not Share\u201d<\/li>\n\n\n\n
- Training should include:\n
- \n
- What\u2019s acceptable to upload<\/li>\n\n\n\n
- What\u2019s never acceptable<\/li>\n\n\n\n
- How to verify outputs<\/li>\n\n\n\n
- How to detect hallucinations<\/li>\n\n\n\n
- How to report AI misuse <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
If you don\u2019t train your users, don\u2019t be surprised when someone tries to get ChatGPT to write next year\u2019s board strategy paper using actual board data.<\/p>\n\n\n\n
In Closing: Do This Right and You\u2019ll Sleep Better<\/h2>\n\n\n\n
GenAI isn\u2019t going away. If anything, it\u2019s accelerating like someone strapped a rocket engine to Clippy and yelled, \u201cGood luck, mate!\u201d Organisations that use it responsibly will innovate faster, operate smarter, and leave competitors behind so dramatically you\u2019d think they were still arguing over who gets to use the office fax machine. <\/p>\n\n\n\n
Those who ignore governance? <\/p>\n\n\n\n
Well\u2026let\u2019s just say the Privacy Commissioner has cancelled their lunch plans, brewed a family\u2011sized thermos of chamomile tea, and is absolutely ready to have a \u201cfriendly little chat\u201d about your organisation\u2019s creative approach to data handling. Bring biscuits. You\u2019ll need them. <\/p>\n\n\n\n
- Educate, educate and educate some more\n
- Just because the site has a .ai domain, doesn\u2019t mean it\u2019s safe and approved! <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- Implement AI DLP policies\n
- AI isn\u2019t Neo or The Oracle\u2026so everything it produces must be reviewed by humans. And don\u2019t ask it for financial advice unless you are sure that the Caymen Islands account it suggests is legitimate <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- Human oversight\n
- Sit the vendor down in a room and interrogate them about their platform. Don\u2019t leave until you have a clear understanding of where they store data, are prompts used for training the platform, data retention\u2026I could go on but you catch my drift <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- Vendor assessment & transparency\n
- So this is your DLP and label controls, approved and unapproved GenAi platforms, shadow IT\u2026and the list goes on. Basically, policies without the technical controls is just expensive poetry <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- Technical controls\n
- If your organisation has a classification framework that nobody remembers, now is a great time to dust it off and make it simple enough for humans <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- Data classification & labelling that’s actually used \n
- Basically, your users need to know what they can and can\u2019t upload into GenAI platforms and have a clear understanding of what platforms are approved for use <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- Public ChatGPT<\/strong> (free or Plus) is consumer-grade, which means content may be stored, reviewed and used to improve models<\/li>\n\n\n\n
- Microsoft Copilot for M365<\/strong> uses the Microsoft Graph with strong tenant boundaries. Basically, your data stays as your data. No training, no leakage, no data going for a walk into a different tenant<\/li>\n\n\n\n