Hambik Matvosian - 13.02.2026


Governance in the Age of GenAI: Because Chatbots Aren’t Bound by NDAs

The Rise of GenAI

Let’s be honest: GenAI platforms like Copilot, ChatGPT, Claude, Gemini and whichever new one appears while you’re reading this are incredible. They summarise, rewrite, translate, predict, hallucinate confidently like an intern on their first day and are basically the answer to “I need to write a script for a complex automation task whilst creating a PowerPoint presentation for the board in the next 30 mins”.

But as Hollywood movies, cartoons and some wise people throughout history have said…with great power comes great responsibility…or at least a couple of sleepless nights wondering whether someone just pasted your company’s FY26 roadmap into a random chatbot or whatever that guy did from a US cybersecurity agency…no really…ask GenAI to find you the article. Proper facepalm moment! 

As organizations integrate GenAI to improve productivity, automate processes, and reduce the number of meetings that “could have been an email”, they’re also waking up to a harsh reality: these systems consume data, and not all data is created equal. Sensitive, confidential, regulated, personal, or “please don’t let Legal find out” data must be governed like a toddler at a chocolate fountain. 

The real challenge? Most users don’t know what’s safe to share with an AI model. Just because the chatbot is polite doesn’t mean the architectural drawings of your new vault are safe.

GenAI and Your Data: No Black Magic, Just Predictive Maths on Steroids 

Some people think GenAI is like shouting into a void and getting wisdom back. Others think it’s like feeding secrets to a hyperintelligent cyborg. The truth is somewhere in between. 

GenAI models operate using prompts and context data. Depending on the platform, data may be:

  • Processed temporarily
  • Logged for quality control
  • Used to fine-tune models (not in enterprise-grade solutions)
  • Stored in data centers within or outside your region
  • Protected, or not protected, by enterprise-grade isolation

This is why governance matters! 

For example: 

  • Microsoft Copilot for M365 uses the Microsoft Graph with strong tenant boundaries. Basically, your data stays as your data. No training, no leakage, no data going for a walk into a different tenant
  • Public ChatGPT (free or Plus) is consumer-grade, which means content may be stored, reviewed and used to improve models
  • ChatGPT Team/Enterprise has stronger controls but still requires clear data handling rules
  • Unapproved AI tools (the shadow IT kind) turn “we didn’t know” into a very expensive sentence 

Without governance, sensitive information can slip into systems that were never meant to hold it. And once it’s in, you’re relying on the vendor’s goodwill and privacy policy and, let’s be honest, those documents are written in a dialect only lawyers and ancient Sumerians understand.

The Big Governance Checklist: Because Hope Is Not a Strategy

Governance isn’t about stopping people from using GenAI…it’s about making sure they can use it safely without causing a data breach so catastrophic that your CISO moves to a remote farm and raises alpacas. 

Here’s what organisations should consider putting in place: 

  • A clear GenAI acceptable use policy
    • Basically, your users need to know what they can and can’t upload into GenAI platforms and have a clear understanding of which platforms are approved for use
  • Data classification & labelling that’s actually used
    • If your organization has a classification framework that nobody remembers, now is a great time to dust it off and make it simple enough for humans
  • Technical controls
    • So this is your DLP and label controls, approved and unapproved GenAI platforms, shadow IT…and the list goes on. Basically, policies without the technical controls are just expensive poetry
  • Vendor assessment & transparency
    • Sit the vendor down in a room and interrogate them about their platform. Don’t leave until you have a clear understanding of where they store data, whether prompts are used to train the platform, data retention…I could go on but you catch my drift
  • Human oversight
    • AI isn’t Neo or The Oracle…so everything it produces must be reviewed by humans. And don’t ask it for financial advice unless you are sure that the Cayman Islands account it suggests is legitimate

Protecting Sensitive Data (If Legal Would Panic, Don’t Paste It) 

Let’s talk about the stuff that keeps CIOs awake at night: sensitive data leakage. GenAI platforms become a risk when employees paste things like: 

  • Customer PII
  • Financial forecasts
  • Legal documents
  • The blueprint for the next-generation Android phone

So, what can you do to avoid this from happening in your organization?  

  • Implement AI DLP policies
    • Purview DLP can detect sensitive content being uploaded into GenAI platforms. The catch…you first need to determine what counts as sensitive data. It doesn’t just automagically happen. DLP (aka the gatekeeper) needs to know what to look for
  • Use Purview sensitivity labels everywhere (where possible and where supported by your friendly neighbourhood IT guy)
    • Labels follow data even when it is used in Copilot prompts…which means your AI assistant won’t surface restricted data to the wrong person. So no, a prompt of “what is the salary of our CEO” will surface absolutely nothing…if labelled correctly
  • Provide an approved, secure AI environment
    • Just because the site has a .ai domain doesn’t mean it’s safe and approved!
  • Educate, educate and educate some more
    • Even the best controls will fail if Bob from Finance uploads a spreadsheet labelled “Q4 Salaries – Do Not Share”
    • Training should include:
      • What’s acceptable to upload
      • What’s never acceptable
      • How to verify outputs
      • How to detect hallucinations
      • How to report AI misuse 
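To make the “DLP needs to know what to look for” point concrete, here is an added example (not code from the original post, and not Purview’s own detection logic) of a small pre-submission gate: it scans a prompt for a few sensitive information types (Luhn-valid card numbers, a US SSN pattern, e-mail addresses) and for a sensitivity-label marking, then combines that with an approved-platform list to decide allow, override-required or block. The platform names, label names and sample prompts are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed register of GenAI platforms the organisation has approved.
# Real deployments would drive this from the enterprise app catalogue.
APPROVED_PLATFORMS = {"copilot-m365", "chatgpt-enterprise"}

# Constructed label names; anything carrying these must never leave the tenant.
BLOCKING_LABELS = {"Highly Confidential", "Confidential"}


@dataclass
class Finding:
    info_type: str   # which sensitive info type matched
    value: str       # the matched text (would be masked in a real audit log)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters random digit runs out of card-number matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Deliberately simple patterns; a production DLP engine uses richer
# sensitive-information-type definitions with confidence levels.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
# A label header such as "Sensitivity: Confidential" at the start of a line.
LABEL_RE = re.compile(r"(?im)^\s*(?:sensitivity|classification)\s*:\s*(.+?)\s*$")


def scan_prompt(text: str) -> list[Finding]:
    """Return every sensitive item found in the prompt text."""
    findings: list[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append(Finding("credit_card", digits))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("us_ssn", m.group()))
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding("email", m.group()))
    for m in LABEL_RE.finditer(text):
        if m.group(1) in BLOCKING_LABELS:
            findings.append(Finding("sensitivity_label", m.group(1)))
    return findings


def decide(text: str, platform: str) -> tuple[str, list[Finding]]:
    """Policy decision for one prompt bound for one platform.

    block             - unapproved platform, or content carrying a blocking label
    override_required - approved platform but PII present; user must justify,
                        and the event is audited (mirrors 'block with override')
    allow             - nothing sensitive detected on an approved platform
    """
    findings = scan_prompt(text)
    if platform not in APPROVED_PLATFORMS:
        return "block", findings
    if any(f.info_type == "sensitivity_label" for f in findings):
        return "block", findings
    if findings:
        return "override_required", findings
    return "allow", findings


# Constructed sample prompts, not real customer data.
SAMPLE_PROMPTS = {
    "clean": "Rewrite this paragraph about our new coffee machine in a friendlier tone.",
    "card": "Can you format this customer record? Card 4111 1111 1111 1111, expires 12/27.",
    "labelled": "Sensitivity: Highly Confidential\nSummarise the FY26 roadmap below...",
}

if __name__ == "__main__":
    for name, prompt in SAMPLE_PROMPTS.items():
        for platform in ("copilot-m365", "random-free-chatbot"):
            verdict, found = decide(prompt, platform)
            types = [f.info_type for f in found] or ["-"]
            print(f"{name:9} -> {platform:20} {verdict:18} {types}")
```

The order of checks is the design point: the platform decision comes first, because an unapproved tool is a problem even for an innocuous prompt, and a label marking outranks pattern matches, because a label is an explicit statement from the data owner while a regex is only a guess.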

If you don’t train your users, don’t be surprised when someone tries to get ChatGPT to write next year’s board strategy paper using actual board data.

In Closing: Do This Right and You’ll Sleep Better

GenAI isn’t going away. If anything, it’s accelerating like someone strapped a rocket engine to Clippy and yelled, “Good luck, mate!” Organizations that use it responsibly will innovate faster, operate smarter, and leave competitors behind so dramatically you’d think they were still arguing over who gets to use the office fax machine. 

Those who ignore governance? 

Well…let’s just say the Privacy Commissioner has canceled their lunch plans, brewed a family‑sized thermos of chamomile tea, and is absolutely ready to have a “friendly little chat” about your organization’s creative approach to data handling. Bring biscuits. You’ll need them. 

Contact us to design a secure, practical governance framework tailored to your organization. 

Or accelerate your journey with our Generative AI Sprint, where we help you rapidly assess risk, define guardrails, implement controls and unlock value from GenAI with confidence. 

And remember: 

“The future depends on what you do today.” — Mahatma Gandhi 

Until next time… 

Pure Awesomeness signing off!  
