Critical issue? Call (205) 418-3800
Evolv IT

AI

Can our staff put client data into ChatGPT?

Last updated: July 13, 2026 · By Daniel, CEO

With consumer accounts, no. Confidentiality, privilege, and your regulatory duties follow the data wherever it goes, and a consumer AI account is a place your firm does not control, cannot audit, and has no agreement with. With a governed enterprise deployment, the answer becomes it depends: on configuration, on policy, and on which data categories you have decided to permit. The uncomfortable part is that your staff have probably already answered this question for themselves, without asking you.

Why is the consumer account answer a hard no?

Because nothing about your obligations changes when the tool is convenient. A lawyer's duty of confidentiality, an accountant's duty over client records, and an advisor's obligations under the GLBA Safeguards Rule and SEC Regulation S-P all attach to the information itself. Paste a client matter into a personal chatbot account and that information now lives under a consumer terms-of-service agreement your firm never signed, in an account your firm cannot open, with no audit trail your firm can produce.

It does not matter whether anything bad ever happens with it. The exposure is the point: you could not answer a client, a regulator, or a cyber insurance carrier who asked where that data went. Carriers increasingly ask exactly that at renewal, alongside the control attestations covered on our cybersecurity and compliance page.

What changes with an enterprise deployment?

Enterprise AI offerings exist because businesses need what consumers do not: a contract between the provider and the firm, commitments about how prompt data is handled, admin control over accounts and retention, and audit visibility into usage. That structure moves AI inside your governance perimeter, which is where client data has to stay.

Inside that perimeter, "can we use client data" becomes a policy decision you get to make deliberately: which tools are approved, which data categories are permitted in prompts, which are prohibited, and how usage is monitored. Firms running Microsoft 365 often start with Copilot precisely because it lives inside the tenant they already govern. The sequencing and controls are the core of our AI governance practice.

What are employees already doing without asking?

A common pattern looks like this: a staff member under deadline pressure discovers that a chatbot drafts a first pass in seconds. It works, so it becomes a habit. It happens in a personal browser session or on a phone, so nothing appears in your IT reporting. Nobody mentions it, because nobody is sure whether it is allowed and nobody wants to be the test case. Multiply that across a firm and leadership ends up governing an AI footprint it cannot see.

This is not a discipline problem, it is a visibility problem. The tools are genuinely useful and one browser tab away. Bans do not remove the usage, they hide it: people switch to personal devices and the data keeps flowing, now with even less visibility.

How do you find out what is actually in use?

Anonymously. Employees tell the truth about AI usage when the truth cannot be used against them. An anonymous survey, answered in under five minutes with no names and no individual reports, gives leadership the aggregate picture: which tools are in use, roughly how widely, and what categories of client data may be flowing into them. That picture is what you need before writing policy, choosing approved tools, or deciding where monitoring should go first.

Measure first, then govern. Firms that start with measurement end up with AI that helps the business inside guardrails. Firms that start with prohibition end up with the same usage, just invisible.

Is it safe to put client data into a paid individual ChatGPT subscription?
A paid individual subscription is still a consumer account. It belongs to the person, not the firm, and it sits outside your contracts, your audit trail, and your control of the data. For confidential client information, treat individual accounts the same as free ones: not appropriate.
What makes an enterprise AI deployment different?
Enterprise deployments give the firm the contract, admin control over accounts and retention, commitments about how data is used, and audit visibility. That moves AI use inside the firm's governance, where policy and configuration decide what data categories are permitted.
How do I find out what my staff are already pasting into AI tools?
Not from firewall logs or IT reports, because consumer AI use happens in personal browser sessions and on personal devices. An anonymous survey works because employees tell the truth when the truth cannot be used against them. It gives leadership an aggregate picture of tools in use and data categories at risk, without blame.

Free and Anonymous

Find out what your team is already using.

The AI Shadow Survey takes under five minutes per person and names no names. Get the honest picture before you write the policy.