Your AI Tools Are Seeing More Data Than You Realize

Your employees are using AI tools right now. Many of them are pasting customer records, financial projections, and internal documents into AI chatbots to get work done faster. According to Cyberhaven’s research on workplace AI usage, roughly 27% of data that employees enter into AI tools is sensitive. Most businesses have no visibility into this data flow and no policies governing it.

We recently covered how to secure the infrastructure that supports AI. This post focuses on the other half of the equation: the data itself. The best firewall configuration in the world won’t help if an employee copies your client list into a free AI tool with no data retention agreement.

This matters even more now that Texas has specific AI governance law on the books. The Texas Responsible Artificial Intelligence Governance Act (TRAIGA) creates legal accountability for how businesses deploy AI systems, making data governance a compliance requirement, not just a security best practice.

What Data Is Actually Leaving Your Network

The biggest AI data risk isn’t a sophisticated cyberattack. It’s an employee trying to be more productive.

Sales reps paste CRM exports into AI tools to draft personalized outreach. Finance teams upload spreadsheets to generate summaries. HR staff run candidate evaluations through AI writing assistants. Developers feed proprietary code into AI coding tools to debug faster. In each case, business-critical information leaves your controlled environment and enters a third-party system you may not have vetted or approved.

Microsoft’s Work Trend Index found that 78% of AI users bring their own AI tools to work without IT involvement. This is shadow AI, and it’s the data governance challenge most businesses haven’t addressed yet.

The types of data most commonly shared with AI tools include:

• Customer and prospect information from CRM systems, emails, and support tickets
• Financial data including revenue figures, projections, and vendor contracts
• Proprietary processes like internal playbooks, SOPs, and strategic plans
• Source code and technical documentation
• Employee information including performance reviews and compensation data

Each category carries different risk levels and may trigger different compliance obligations depending on your industry.

Why Traditional Security Doesn’t Catch This

Your firewall sees traffic going to AI services and treats it like any other HTTPS connection. Your endpoint protection monitors for malware, not for someone copying a spreadsheet into a browser tab. Your DLP tools may flag emails containing Social Security numbers, but they weren’t built to monitor what gets typed into an AI chat interface.

Traditional security tools protect against external threats. AI data leakage is an internal workflow problem that happens through approved channels, on managed devices, by employees who are trying to do good work. It looks like normal activity because, from a network perspective, it is normal activity. It just doesn’t have the guardrails it needs.

AI data governance requires a different approach: policies, training, and purpose-built controls that address how people actually use these tools.

Building an AI Data Governance Framework

You don’t need a 50-page policy document. You need clear rules employees can actually follow, enforced by controls that don’t rely on memory or good intentions.

Step 1: Classify your data. Before you can decide what AI tools should and shouldn’t see, you need to know what you have. Group your business data into tiers:

• Public: marketing content, published materials, general company information
• Internal: internal communications, non-sensitive operational data
• Confidential: customer data, financial records, employee information, strategic plans
• Restricted: data governed by specific regulations (HIPAA, PCI DSS, TDPSA)

Public and internal data can generally be used with approved AI tools. Confidential data requires controls and approval. Restricted data should never enter an external AI system without explicit legal and compliance review.

Step 2: Establish an approved tools list. Not all AI tools handle data the same way. Some train on user inputs. Some retain data for 30 days. Some offer enterprise agreements with data processing addendums that give you contractual protection. Evaluate AI tools based on their data retention policies, training practices, and contractual commitments before approving them for company use. Infonaligy’s AI services team helps businesses evaluate and deploy AI tools with data protection built into the selection process.

Step 3: Create clear usage guidelines. Your employees need to know, in plain language, what they can and cannot put into AI tools. A one-page reference guide works better than a lengthy policy manual. It should answer five questions:

• Which AI tools are approved for work use?
• What types of data can be entered into those tools?
• What data must never be entered into any AI tool?
• Who approves exceptions?
• What happens if someone makes a mistake?

Step 4: Implement technical controls. Policy alone isn’t enough. Deploy a CASB (Cloud Access Security Broker) that monitors and controls data flowing to AI services. Configure your managed firewall to block unapproved AI tools entirely. Update your DLP rules for AI-specific data channels. Monitor AI tool usage through your SIEM to spot patterns that suggest policy violations.

Step 5: Train your team. Your employees aren’t trying to create risk. They’re trying to work faster. Training should focus on the “why” behind the rules, not just the rules themselves. When people understand that pasting a customer list into an unapproved AI tool could trigger a TDPSA violation carrying penalties of up to $7,500 per record, they take the guidelines seriously.

What to Look for in AI Vendor Agreements

If you’re adopting AI tools at the organizational level, your vendor contracts need specific protections that standard SaaS agreements don’t always include.

Key provisions to require:

• No training on your data. The vendor must not use your inputs to train or improve their models. Get this in writing.
• Data retention limits. Know exactly how long the vendor stores your prompts and outputs, and ensure deletion within a defined timeframe.
• Data processing addendum (DPA). Required for any vendor handling personal data under TDPSA, HIPAA, or similar regulations.
• Subprocessor transparency. Know which third parties have access to data flowing through the AI tool.
• Breach notification commitments. The vendor should notify you within a defined window if your data is compromised. 72 hours is the standard expectation.

If a vendor won’t agree to these terms, that tells you something important about how they handle customer data.

AI Regulation Has Arrived in Texas

Texas businesses now face direct AI governance requirements. The Texas Responsible Artificial Intelligence Governance Act (TRAIGA), passed during the 89th Legislative session, establishes an intent-based framework for AI accountability. The core principle is straightforward: if you deploy or use an AI system with the intent to cause material harm, commit fraud, discriminate, or deceive, you can be prosecuted under the act. This applies to any business operating in Texas, regardless of where the AI system was developed.

The intent-based approach has practical implications for how you think about compliance. TRAIGA does not require exhaustive documentation for every AI tool in your tech stack. It targets intentional misuse of AI for unlawful purposes. But “I didn’t mean to cause harm” is not a blanket defense if your business deploys AI systems that make consequential decisions without reasonable safeguards. In areas like hiring, lending, insurance, and healthcare, the absence of governance itself can demonstrate reckless disregard. Building an AI data governance framework, like the one outlined in the previous section, creates the documentation trail that demonstrates responsible intent.

TRAIGA builds on existing Texas data privacy law. The Texas Data Privacy and Security Act (TDPSA), effective since 2024, already governs how businesses collect, process, and share personal data, including data processed through AI tools. If an employee feeds customer personal data into an AI tool without proper safeguards, that could constitute a processing violation under TDPSA carrying penalties of up to $7,500 per record. TRAIGA layers AI-specific accountability requirements on top of these existing obligations, giving the Texas Attorney General another enforcement tool focused specifically on artificial intelligence.

Other states are moving in the same direction, each with a different emphasis. Colorado’s AI Act (SB 205) takes a more prescriptive approach, requiring algorithmic impact assessments and detailed documentation for high-risk AI systems. Several states, including Illinois, Maryland, and New York City, now require employers to disclose when AI tools factor into hiring, promotion, or termination decisions. At the federal level, the White House Blueprint for an AI Bill of Rights outlined five principles for responsible AI: safe and effective systems, protection from algorithmic discrimination, data privacy, notice and explanation, and human alternatives. The Blueprint is not legally binding, but it signals where federal regulation is heading and influences how state legislatures frame their own laws.

For businesses in regulated industries, AI governance obligations compound further. HIPAA-covered entities face penalties for protected health information that enters unauthorized systems. Financial services firms operating under GLBA have specific data handling requirements that extend to AI tool usage. Defense contractors pursuing CMMC certification need to demonstrate control over Controlled Unclassified Information across all systems, including AI tools employees might use informally.

The bottom line for Texas businesses: AI governance has moved from best practice to legal requirement. The data governance framework outlined above does double duty, protecting your data and building the compliance posture that TRAIGA and TDPSA expect. Businesses that invest in governance now will be well positioned. Those that wait will face a more expensive and disruptive catch-up when enforcement ramps up.

Start With Visibility, Then Build Controls

If you don’t know what AI tools your employees are using or what data they’re sharing, that’s your starting point. Run an audit. Check your network logs for traffic to known AI services. Survey your teams about what tools they use and how. The answers will probably surprise you.

From there, build your governance framework one layer at a time. Classify your data, approve your tools, write your guidelines, deploy your controls, and train your people. You don’t need to do everything at once, but you do need to start.

A cybersecurity risk assessment that includes AI tool usage is the fastest way to understand your current exposure and build a prioritized plan to address it.