Why smart companies are putting the brakes on public AI
There is a quiet problem spreading through otherwise well-run companies. Staff have discovered that AI makes them dramatically faster. A task that took an hour now takes ten minutes. A report that required three drafts comes together in one. Research that needed a morning is done before the first coffee. So they use AI, as they should. The problem is not the use. It is how they use it: by pasting client information, internal processes, pricing models, legal correspondence, and strategic plans into a general-purpose tool to get a faster answer.
The speed is real. What happens to that information on the other side is where the risk lives, and most businesses have not thought carefully enough about it.
How it starts, and why it is so hard to catch
The pattern is almost always the same. One person on the team discovers that AI makes a particular task dramatically easier. They share the find with a colleague. Word spreads. Within weeks, it is embedded in the workflow of half the team, and leadership either does not know, has tacitly accepted it, or has decided not to address it because the productivity gains are too obvious to walk back.
The problem is that this happens invisibly. There is no audit log of what was pasted, no record of what the AI received, no visibility into what may have been retained. From the outside, the team just looks more efficient. From the inside, a slow drip of sensitive information is leaving the building through a channel nobody approved and most people have not thought to question.
Most businesses that have a formal AI policy have written it after the fact. The team was already using the tools before the policy existed. The policy was put in place to create the appearance of control, not to provide it. But a policy that cannot be enforced at the level of individual behaviour, on individual devices, through personal accounts, is not a control. It is a hope dressed up as governance.
The more sophisticated the AI tools become, the harder the problem gets to manage through policy alone. These are not crude systems that trip obvious filters. They are conversational, capable, and designed to feel like a private interaction. A staff member does not feel like they are doing something risky when they paste a client name into a prompt. They feel like they are doing their job well, just faster.
What the major AI providers actually do with your data
Most people assume that because they are paying for a tool, their data is private. This assumption is too simple. The reality is a spectrum. Some providers do not train on data from paying accounts. Some do, unless you opt out through settings most users never see. Some keep conversation logs for extended periods and do not offer a straightforward way to request deletion. Some process prompts through infrastructure in jurisdictions you have not reviewed. Some update their terms with changes that are technically disclosed but practically invisible.
The important distinction is between what a provider promises and what its architecture actually enforces. A promise is something a business makes about its intentions. An architectural guarantee is something that is true regardless of intentions, because the system is designed so that the alternative is structurally impossible. Businesses that are serious about privacy should be asking for the second, not accepting the first as sufficient.
Even providers that have made genuine and well-intentioned commitments to not training on enterprise data typically still operate on shared infrastructure by default. Your prompts may be processed in the same environment as another company's. The model you interact with has been shaped by data from many sources. These are not malicious outcomes. They are the natural consequence of general-purpose infrastructure built for scale, not for the privacy requirements of a specific business.
The two losing options most leaders choose
When leadership becomes aware of the problem, the instinct is usually to reach for one of two levers. The first is to ban AI tools outright: issue a policy, block the websites at the network level, and consider the matter managed. The second is to accept the situation with loose guidance: be careful what you share, avoid client data where possible, use your judgement.
Both are losing moves, for different reasons. The ban does not work because it cannot be enforced at the level of individual devices, personal accounts on personal phones, and browser extensions installed without IT visibility. Your team is not going to stop using the tool that makes their job easier because there is a policy document on a shared drive. They are going to use it more discreetly, with even less oversight than before.
The loose guidance approach fails because it assumes individuals are well-equipped to make the right risk judgement in the moment, under time pressure, when the tool is right there and the task is urgent. They are not. Context collapse is real: the same person who would never post a client's name publicly will paste it into an AI prompt without a second thought, because the interaction feels private. It feels like thinking out loud, not like sharing data.
The result of either approach is the same. Your business takes on risk it cannot see, measure, or manage. The data exits quietly. The compliance exposure accumulates. The competitive information is shared with a system you do not control. And the next time a client asks how their information is handled, the honest answer is more complicated than you would like.
Why this is a bigger problem in regulated industries
The stakes are not equal across industries. For businesses that handle medical information, legal correspondence, financial records, real estate transactions, or personal financial data, the exposure from uncontrolled AI use is not theoretical. It is a direct breach of the obligations that govern how personal information must be processed and protected.
In South Africa, the Protection of Personal Information Act requires businesses to implement appropriate technical and organisational measures to secure the personal information they process. Allowing staff to paste that information into an uncontrolled third-party system is, at minimum, a governance failure. At worst, it is a reportable breach. The European GDPR carries equivalent obligations, and enforcement actions over the past several years have made clear that regulators interpret the "appropriate measures" standard strictly.
Beyond regulation, there is the question of competitive advantage. A brokerage's client scripts, a firm's pricing model, a coaching company's proprietary methodology: these represent years of learning and real investment. The risk of introducing them to a model that may train on them is not just a privacy risk. It is a strategic one. You are potentially sharing your most differentiated assets with a system that serves your competitors as well.
The governance gap that most security teams miss
Most enterprise security frameworks are built around the assumption that sensitive data moves through identifiable channels: email, file transfers, application integrations. These can be monitored, logged, and audited. What the frameworks were not designed to catch is the informal, conversational movement of information through AI prompts, which leaves no trace in traditional logging infrastructure.
A member of staff who emails a client spreadsheet to a personal account trips a data loss prevention alert. The same person who pastes the contents of that spreadsheet into a prompt leaves no trace at all. The information moves just as effectively. The risk is comparable. But the tooling that most security teams rely on cannot see it.
This gap is widening as AI tools become more capable and more embedded in everyday work. The security conversation needs to catch up. The question is not just which tools are approved, but what happens to the information that flows through those tools, and whether there is any technical mechanism to enforce the answer.
A third option: private AI
The answer to this problem is not to abandon AI. The productivity gains are real and compounding. Businesses that deploy AI well will pull ahead of those that refuse to engage with it, and the gap will widen over time. The answer is to deploy AI that was built for private use: trained on your own knowledge, bounded by your own rules, and architecturally isolated so that your information cannot leave your environment.
This is fundamentally different from a general-purpose AI tool. It is not a shared model that you send prompts to and hope the privacy policy is adequate. It is an AI built around your specific business: it knows your processes because you trained it on them, it follows your rules because they are embedded in how it operates, and it keeps your data private because that is what the architecture makes inevitable, not because a policy says it should.
A private AI gives your team the speed they want while the business retains the control it needs. Staff are not making individual judgements about what to share in each prompt. They are using a tool that was approved, configured, and audited by the people responsible for protecting the business. The risk moves from invisible and individual to visible and managed.
What private AI needs to actually work
Not all AI described as private is genuinely private. The word is used loosely, and the details matter. A truly private AI deployment requires four things: an isolated database that contains only your data and is not shared with other customers; a guarantee that your data is not used to train any AI model, ever; no shadow copies or backup systems that retain your information beyond your control; and a permanent deletion option that actually removes your data when you ask for it.
For businesses with the most sensitive requirements, a fifth element matters: the ability to host the AI on your own infrastructure, so that data never leaves your premises at all. This is particularly relevant for financial institutions, law firms, and enterprises operating under strict data residency requirements. Self-hosting means the architectural guarantee is absolute: the information is on your hardware, under your network controls, subject only to your policies.
When you evaluate any private AI solution, ask for specific answers to each of these questions. Vague reassurances are a signal, not a comfort. Providers who have genuinely built their systems around privacy can answer these questions precisely, because the architecture makes the answers clear. Providers who cannot answer them precisely have not built their systems that way, regardless of what the marketing says.
What this means in practice for your business
For a real estate brokerage, private AI means every agent has an AI trained on the firm's scripts, SOPs, and market-specific processes. They get instant, accurate answers without ever sharing those documents with an external system. The knowledge stays inside the business. The competitive advantage stays intact. The compliance team has nothing to concern itself with.
For a professional services firm, it means a team that can draft, research, and think through problems at AI speed, with the confidence that client information stays where it belongs. For a financial services business, it means an AI that handles client communications, status updates, and enquiry management without any personal financial data ever leaving the firm's environment. The speed advantage is the same as with a public tool. The risk profile is entirely different.
The question worth asking today
The question for most businesses is not whether to use AI. That decision has effectively been made by your team, with or without your involvement. The question is what kind of AI, on whose terms, with what guarantees about where your information goes.
A general-purpose public tool answers that question in the vendor's favour. A private AI answers it in yours. The architecture is different. The ownership of information is different. The compliance position is different. And for any business that takes its obligations to clients, staff, and shareholders seriously, that difference is not a technical detail. It is the whole point.
The businesses that will look back on this period most comfortably are the ones that made a deliberate decision early: not to abandon AI, and not to accept it on terms they did not control. There is a version of AI adoption that is fast, capable, and safe. It just requires choosing the right architecture from the start.