Before Your Team Uses Public AI Tools, Ask These 5 Risk Questions

Rom C Founder| Questa AI

Public AI tools like ChatGPT and other LLMs are quickly becoming part of everyday work. Teams use them to summarize reports, analyze spreadsheets, and speed up documentation.

From a productivity standpoint, it’s great.

From a project governance standpoint… it’s complicated.

In regulated industries like finance, healthcare, or insurance, even one team member pasting sensitive data into a public AI tool can create:

  • compliance risks
  • data leakage
  • audit issues
  • contractual violations

And most of the time, project managers don’t even know it’s happening.

That’s the real problem — shadow AI usage.

Before adopting AI across your projects, it’s worth asking:

  1. Are team members sharing customer or financial data with public LLMs?
  2. Do we have clear policies on what data can’t be pasted into AI tools?
  3. Is data anonymization or redaction required before use?
  4. Do we know where that data is processed or stored?
  5. Would this pass a compliance or audit review?

AI absolutely boosts productivity. But without guardrails, it quietly introduces risk into delivery, governance, and trust.

As PMs, we’re responsible not just for speed — but for safe execution.

Curious how others are handling this:

👉 Are public AI tools allowed, restricted, or blocked in your projects?

Luis Branco CEO| Business Insight, Consultores de Gestão, Ldª Carcavelos, Lisboa, Portugal
This is a valid concern, and I would zoom the lens slightly out.

The core risk is not public AI usage itself. It is the growing gap between the speed of adoption and the maturity of governance.

In most cases, people are not leaking data out of carelessness.
They are optimizing their work inside systems that were never designed for AI-mediated decisions.
When friction disappears, policies that rely primarily on individual judgment stop scaling.

Two clarifications matter here.

First, data sensitivity is not binary.
Risk rarely comes from obviously confidential data, but from combinations.
Partial datasets, internal assumptions, or anonymized information that becomes re-identifiable when crossed with other inputs.
These slip through precisely because each element feels harmless in isolation.

Second, the deeper issue is implicit governance.
When there are no explicit rules about what can be shared, by whom, in which context, and with what accountability, the system naturally rewards convenience.
Not because people have bad intent, but because that is what the current design incentivizes.

For that reason, I would not frame the decision as allowing or blocking public AI tools.
A more useful question is: which types of work and decisions can safely use public tools, and which require controlled environments with traceability, data classification, and clear ownership?

A practical starting point is to define simple guardrails.
No customer-identifiable data.
No financial figures tied to real entities.
No contracts, credentials, or personal data.
For anything beyond that, provide a sanctioned alternative, such as a private LLM, approved tooling, or mandatory redaction.

Bans tend to push usage into the shadows.
Clear boundaries, decision thresholds, and accountability bring it into the open.
That is where governance becomes enabling rather than restrictive, and where trust is actually built.

Reply by Rom C, Jan 28, 2026 3:58 AM
You’ve hit on the most challenging aspect of governance: the "gap between the speed of adoption and the maturity of governance." You are absolutely right that most leaks aren't born of carelessness, but of people optimizing for speed within a system that rewards convenience.
Your point about non-binary data sensitivity is critical. In finance, we often see that the risk isn't just raw data, but the re-identification that happens when "harmless" partial datasets are combined.
I also agree that bans often fail by driving "shadow AI" further underground. The goal should be to replace that "implicit governance" with a trusted pipeline:
  • Defining the "Where": Clear boundaries on which tasks stay in public tools and which require closed, secure environments.
  • Providing Alternatives: Instead of just saying "no," we provide sanctioned tools that enforce access controls and zero-data retention.
  • Traceability: Moving toward auditable logs so that if a transformation occurs, there is a clear, verifiable rationale.
Building that accountability is exactly how we ensure confidentiality becomes a verifiable property rather than just a promise.
Rami Kaibni
Community Champion
Senior Projects Manager | Field & Marten Associates New Westminster, British Columbia, Canada
Rom, your concern is totally valid. My biggest concern with AI is privacy, security and compliance. This is why I am very cautious when using any AI tools or apps.

Reply by Rom C, Jan 28, 2026 3:58 AM
I share your caution entirely. In regulated industries, being "cautious" isn't a hurdle to innovation—it’s a prerequisite for it.
When we look at the "basement" of these tools, the risks of data leakage and the loss of data sovereignty are often structurally incompatible with our fiduciary duties. The reality is that speed is never worth the trade-off of a compliance breach or losing the trust of your customers.
The path forward is shifting from "caution" to intentional design—using privacy-first architectures where data is anonymized or isolated within secure boundaries before any analysis takes place.
Gwenola Michaud
Community Champion
Project Manager & Advisor| Geosciences & Monitoring Consulting Milano, Italy
Great input! Thanks.
Syed Ashir Riaz
Community Champion
AI-Powered Social Media Strategist
Public AI tools boost productivity, but 48% of employees share sensitive data, and 47% use AI without policies, creating risks of data leaks, compliance violations, and audit issues. Without clear rules and oversight, even a single misuse can cause real financial or reputational damage.
