The Human Element - Recalibrating the AI Speed Narrative
This is Part 3 of a 3-part series. If you missed the part 1 or 2, start with How We Encoded 10 Years of Tribal Knowledge Into AI Instructions, then...
Aaron Leggett: Jun 25, 2026 8:19:58 AM
A radio presenter said this morning he'd asked AI a throwaway question about the NRL standings, and it told him, unprompted, "your beloved team the Warriors are second on the table." That's when he realised it must have remembered. Has it been keeping track of everything he'd told it? Before he could finish the thought, the other presenter called him out: "you won't even get a supermarket loyalty card." He doesn't want them tracking what he buys, but he pastes anything and everything into AI without a second thought. He'd never stopped to think about it until now.
There's a gap there. He'd thought about the loyalty card and decided it wasn't worth the trade. He'd never thought about the AI chat at all. That's an easy habit to fall into. A chat window doesn't look like a place that needs a security decision. It looks like a text box. So whatever's in front of someone when they need help, a file, a log, a paragraph from a document, goes in, because that's the fastest way to get the help.
Plenty of companies have written a line into a policy by now: don't paste sensitive material into AI tools. We have one too. But the connection doesn't always get made. The rule lives in a policy document we agreed to months ago, and the paste happens in a text box people open fifty times a day. Nothing at the moment of pasting reminds anyone the rule exists, and if it did, would it stop you?
AI doesn't feel like sharing a document with anyone. A policy says "don't share with competitors" or "don't send this externally," and people can picture who that's protecting against. AI doesn't fit that picture. It doesn't feel like handing a document to a person, or to a rival; it feels like asking a colleague a question. The sensitivity check that fires automatically for an email to an external address never fires here, because nothing about the interface says "this is leaving the building."
The moment something goes into an AI tool, it's sitting in a system the company doesn't fully control, governed by whatever that vendor's terms say, rather than whatever assumptions existed about who was supposed to see it. Nobody decided to hand it over. It just ended up there, because handing over the whole thing was faster than describing it. That's not a hunch: 77% of employees admit to pasting company information into AI prompts, and 82% of those pastes go through unmanaged personal accounts, not anything the business sanctioned. LayerX's research goes further: it ranks copy/paste into GenAI tools as the single biggest channel for unauthorised corporate data movement, ahead of file uploads. Most of that data moved through a tool nobody had configured to be watched the way email or file transfer already are.
The model itself isn't really the risk. We've said this before and we'll keep saying it: a model is a single input producing a single response. It has no memory between turns, no personality, nothing sitting there thinking about what you sent it once it's answered. The risk is everything wrapped around that single exchange: the software that receives the file before the model ever sees it, logs the request, maybe caches it, maybe routes it somewhere for "improving the product." We don't get to see that layer. Every time something gets pasted into a chat window, the trust being extended isn't to the AI. It's to a vendor's infrastructure team, and to whatever their retention policy says this month.
Saying "we have an AI policy" sounds like the problem is handled. It isn't, because a written rule can't stop a paste before it happens. We don't want to be watching everyone's chat history to catch it after the fact either. That's not the fix we're after. A lot of companies might not even have a policy yet. The ones that do mostly have a document, not a control. The gap between "we told people not to" and "we have something that stops them" is the whole problem, and nearly every non-enterprise organisation is sitting in it, us included.
The gap we're describing here is a workplace-habit one, and it's industry-wide. The EU AI Act's high-risk system obligations were due to land in August 2026 but have now been deferred until December 2027, and even when they land, they won't touch this specific habit. Pasting into a chat window isn't a regulated system; it's just a window. From what we're seeing, most organisations are still working out what control even means for an AI chat window.
Training helps a little, but it won't fix this on its own, because the failure isn't a knowledge gap; it's a habit that happens faster than thinking. The only thing that reliably catches a moment like that is something sitting in the path before the paste lands anywhere. Microsoft Purview's endpoint DLP proves the control is technically possible on a managed device: it can warn or block someone pasting flagged content into a third-party AI site before it ever leaves the machine, and it already covers most of the AI tools people actually use, ChatGPT, Google Gemini and DeepSeek among them. But the protection depends on the data being sensitivity-labelled before the policy can act on it, and Purview itself isn't a feature you flip on. It's a licensing tier and a labelling project most companies don't have sitting around. The tool existing doesn't mean the problem's solved for an SMB. A policy is the cheap version of a control, but it's not the same thing.
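To make "something sitting in the path" concrete, here is an added sketch of a pre-paste gate that decides allow, warn or block from the destination host and the shape of the pasted text, with no sensitivity labels involved. It is an illustration written for this post, not Microsoft Purview's mechanism and not Intuto's code. The host list, rule names, patterns and thresholds are all assumptions.

```javascript
// Added illustration: a pre-paste gate, not Microsoft Purview and not Intuto's code.
// Host list, patterns and thresholds are assumptions chosen for the example.
const AI_HOSTS = ["chatgpt.com", "gemini.google.com", "chat.deepseek.com"];

// Luhn checksum, so a random 16-digit order number does not count as a card.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

const BLOCK_RULES = [
  ["private-key", t => /-----BEGIN [A-Z ]*PRIVATE KEY-----/.test(t)],
  ["aws-access-key-id", t => /\bAKIA[0-9A-Z]{16}\b/.test(t)],
  ["card-number", t => (t.match(/\b(?:\d[ -]?){13,19}\b/g) || [])
      .some(m => luhnValid(m.replace(/\D/g, "")))],
];
const WARN_RULES = [
  ["bulk-email-addresses", t => (t.match(/[\w.+-]+@[\w-]+\.[\w.-]+/g) || []).length >= 5],
  ["marked-confidential", t => /\b(confidential|internal only)\b/i.test(t)],
];

// Returns { action: "allow" | "warn" | "block", reasons: [...] }.
function checkPaste(host, text) {
  const isAiHost = AI_HOSTS.some(h => host === h || host.endsWith("." + h));
  if (!isAiHost) return { action: "allow", reasons: [] };
  const hits = rules => rules.filter(([, test]) => test(text)).map(([name]) => name);
  const block = hits(BLOCK_RULES);
  if (block.length) return { action: "block", reasons: block };
  const warn = hits(WARN_RULES);
  return { action: warn.length ? "warn" : "allow", reasons: warn };
}

// In a browser extension content script the same function sits on the paste event:
if (typeof document !== "undefined") {
  document.addEventListener("paste", e => {
    const r = checkPaste(location.hostname, e.clipboardData.getData("text/plain"));
    if (r.action === "block") e.preventDefault();
    // assumption: a "warn" result would trigger a confirm prompt here
  }, true);
}
```

A gate like this only catches content with a recognisable shape. A paragraph from a contract or a customer log with no markers passes straight through, which is the part that labelling is meant to cover.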
We don't have a tidy ending for this one. If your team has actually built something that catches this moment, not just written a rule about it, we'd genuinely like to know what it is. Tweet us on X with #intutobuild and tag us @intutohq.
Authored by Aaron Leggett, Principal Product Architect at Intuto. Photo by Matheus Bertelli.
Part of our ongoing series on how we're using AI at Intuto — practically, honestly, and without the hype.