Component 2 — Be Thoughtful With Sensitive Data

Component 2 — Be Thoughtful With Sensitive Data

As we covered in the data privacy lesson, paid AI tools from reputable providers aren’t inherently less secure than the cloud software your organization already uses. That said, good data hygiene applies everywhere — including AI tools. This component is about being proportional, not paranoid.

The Principle

Apply the same data awareness to AI tools that you apply to any other software. If your organization has policies about what goes into Google Docs, emails, or cloud databases, those same standards apply to AI tools. You don’t need a separate, stricter standard just because it’s AI.

What Deserves Awareness

Some categories of information deserve thoughtfulness regardless of what software you’re using:

• Personally identifiable information (PII). Names, addresses, contact details, case IDs of the people your programs serve
• Health and financial data. Protected health information, financial records, income data
• Sensitive organizational data. Staff salary details, board member personal information, confidential strategic plans

For organizations with regulatory obligations — HIPAA, FERPA, and similar frameworks — your existing compliance requirements apply to AI tools the same way they apply to any other software. No new rules needed; just consistent application of the rules you already have.

Where to Be More Careful

There’s one area where AI tools do deserve additional thought: tools from providers you haven’t evaluated. As we covered in Component 1, the proliferation of AI tools means some will have weaker data handling than others. A reputable paid tool with clear terms is comparable to your other enterprise software. An unknown free tool with vague terms deserves more caution.

The practical rule: if you wouldn’t put sensitive data into a random website you just found, don’t put it into a random AI tool you just found either. But if you’re using a tool your evaluator has checked and you trust the provider, apply the same data standards you apply elsewhere.

Anonymization as Good Practice

Even with reputable tools, anonymizing sensitive data when possible is good hygiene — not because the AI is uniquely dangerous, but because minimizing PII exposure is a sound practice everywhere:

Example:

Before: “Maria Gonzalez, a 34-year-old mother of three, came to Sunrise Shelter on November 12, 2025, after fleeing domestic violence. She participated in our job training program and now works at Target.”

After: “A participant in her mid-30s with three children came to our shelter after fleeing domestic violence. She completed our job training program and secured retail employment.”

The AI works with the anonymized version just as effectively. But if someone on your team pastes the first version into a reputable paid tool, that’s not a crisis. It’s the same level of exposure as putting it in a Google Doc or an email — which your team probably does daily.

The Goal Is Awareness, Not Anxiety

The point of this component isn’t to make people afraid of the AI input box. It’s to make sure your team thinks about sensitive data consistently across all their tools — AI included. If someone accidentally includes a client name in an AI conversation, the response is “good to anonymize next time” — not a security incident.

### Next Lesson

You have tool evaluation and data awareness. Component 3 is about building review controls that match the stakes — a spectrum from light checks to close human sign-off.