With consumer accounts, no. Confidentiality, privilege, and your regulatory duties follow the data wherever it goes, and a consumer AI account is a place your firm does not control, cannot audit, and has no agreement with. With a governed enterprise deployment, the answer becomes it depends: on configuration, on policy, and on which data categories you have decided to permit. The uncomfortable part is that your staff have probably already answered this question for themselves, without asking you.
Why is the consumer account answer a hard no?
Because nothing about your obligations changes when the tool is convenient. A lawyer's duty of confidentiality, an accountant's duty over client records, and an advisor's obligations under the GLBA Safeguards Rule and SEC Regulation S-P all attach to the information itself. Paste a client matter into a personal chatbot account and that information now lives under a consumer terms-of-service agreement your firm never signed, in an account your firm cannot open, with no audit trail your firm can produce.
It does not matter whether anything bad ever happens with it. The exposure is the point: you could not answer a client, a regulator, or a cyber insurance carrier who asked where that data went. Carriers increasingly ask exactly that at renewal, alongside the control attestations covered on our cybersecurity and compliance page.
What changes with an enterprise deployment?
Enterprise AI offerings exist because businesses need what consumers do not: a contract between the provider and the firm, commitments about how prompt data is handled, admin control over accounts and retention, and audit visibility into usage. That structure moves AI inside your governance perimeter, which is where client data has to stay.
Inside that perimeter, "can we use client data" becomes a policy decision you get to make deliberately: which tools are approved, which data categories are permitted in prompts, which are prohibited, and how usage is monitored. Firms running Microsoft 365 often start with Copilot precisely because it lives inside the tenant they already govern. The sequencing and controls are the core of our AI governance practice.
What are employees already doing without asking?
A common pattern looks like this: a staff member under deadline pressure discovers that a chatbot drafts a first pass in seconds. It works, so it becomes a habit. It happens in a personal browser session or on a phone, so nothing appears in your IT reporting. Nobody mentions it, because nobody is sure whether it is allowed and nobody wants to be the test case. Multiply that across a firm and leadership ends up governing an AI footprint it cannot see.
This is not a discipline problem, it is a visibility problem. The tools are genuinely useful and one browser tab away. Bans do not remove the usage, they hide it: people switch to personal devices and the data keeps flowing, now with even less visibility.
How do you find out what is actually in use?
Anonymously. Employees tell the truth about AI usage when the truth cannot be used against them. An anonymous survey, answered in under five minutes with no names and no individual reports, gives leadership the aggregate picture: which tools are in use, roughly how widely, and what categories of client data may be flowing into them. That picture is what you need before writing policy, choosing approved tools, or deciding where monitoring should go first.
Measure first, then govern. Firms that start with measurement end up with AI that helps the business inside guardrails. Firms that start with prohibition end up with the same usage, just invisible.
