AI tools are everywhere at work, and most people are using them wrong

There is a reasonable chance you used an AI tool at work this week. There is also a reasonable chance you did something with it that your employer's IT or legal team would not be comfortable with.

This is not a criticism. Most people using AI at work have received no training on how to do so safely. They are making reasonable-sounding decisions ("this is just a summary tool, not a database") that happen to be wrong about how these tools actually work.

This guide covers what you actually need to know.

How AI tools handle your data

The first thing to understand is that different AI tools have very different data handling policies, and the distinction matters enormously.

Consumer free tiers (free ChatGPT, free Claude, free Gemini): Your conversations may be used to train future versions of the model. Anthropic, OpenAI, and Google each have training opt-out options, but the default is often to allow training. Your data is stored on their servers.

Enterprise versions (ChatGPT Enterprise, Claude for Work, Microsoft Copilot with enterprise licence): These typically offer data processing agreements (DPAs) that commit the provider not to train on your data, and often include data residency commitments. These are materially safer for professional use.

Local/on-device AI: Some AI tools run entirely on your device, with no data leaving your machine. These are the safest for sensitive information but typically less capable.

The practical rule: check whether your organisation has an enterprise agreement with the AI tool you're using. If you're not sure, assume you're using the consumer version and treat it accordingly.

What to never enter into a consumer AI tool

The risk is not that an AI tool will "leak" your data to a competitor directly. The risk is more diffuse: your data is stored on external servers, may be used for training, and is subject to the security practices of a third party whose breach history you don't control.

Never enter these into consumer AI tools:

  • Customer names, email addresses, or contact details
  • Client financial information, contracts, or commercially sensitive data
  • Employee personal information (salaries, performance reviews, health information)
  • Internal passwords, API keys, or authentication credentials
  • Proprietary business information, trade secrets, or unreleased product details
  • Confidential legal advice, litigation strategy, or settlement terms
  • Patient health information (this triggers additional regulatory obligations in most jurisdictions)

The test: if you would not email this information to a stranger, do not paste it into a consumer AI tool.
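One way to back this rule with a check is a small pre-paste filter that flags and redacts a few of the categories listed above before text leaves your machine. This is an added example, not part of the original guide; the pattern set, the function name check_prompt and the sample text are illustrative assumptions and nowhere near a complete data-loss-prevention rule set.

```python
import re

# Illustrative patterns only (assumed for this example, not exhaustive).
# Order matters: specific secrets are masked before the generic key=value rule.
PATTERNS = {
    "private_key_block": re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----"
        r"(?:.*?-----END [A-Z ]*PRIVATE KEY-----)?", re.S),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "email_address": re.compile(
        r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # Keeps the key name, masks the value; skips values already redacted.
    "credential_assignment": re.compile(
        r"(?P<keep>(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*)"
        r"(?!\[REDACTED)\S+", re.I),
}


def _mask(match, name):
    # Preserve the "keep" prefix (if the pattern defines one) for readability.
    keep = match.groupdict().get("keep") or ""
    return f"{keep}[REDACTED:{name}]"


def check_prompt(text):
    """Return (findings, redacted_text) for text about to be pasted."""
    findings = {}
    redacted = text
    for name, pattern in PATTERNS.items():
        redacted, count = pattern.subn(lambda m, n=name: _mask(m, n), redacted)
        if count:
            findings[name] = count
    return findings, redacted


# Constructed sample input; the key is AWS's published documentation example.
SAMPLE = (
    "Summarise this ticket from jane.doe@example.com:\n"
    "deploy failed, DB_PASSWORD=hunter2 and api_key: AKIAIOSFODNN7EXAMPLE\n"
)

if __name__ == "__main__":
    found, safe_text = check_prompt(SAMPLE)
    print(found)
    print(safe_text)
```

A clean result only means none of these patterns matched; customer names, contract terms and trade secrets have no fixed format and still need the "stranger" test above.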

Checking your organisation's AI policy

Your organisation likely has, or is developing, an AI usage policy. This is not optional bureaucracy; it is a legal and regulatory instrument.

If you breach your organisation's AI policy:

  • You may have personal liability under employment law
  • Your organisation may have liability under data protection law (GDPR, Australian Privacy Act)
  • You may have created evidence that your organisation did not have adequate controls (relevant in regulatory investigations)

If you don't know whether your organisation has an AI policy, ask your IT department, compliance team, or manager. If the policy doesn't exist, flag it: the absence of a policy is itself a governance gap.

The hallucination problem, and what to do about it

AI language models hallucinate. This is not a bug that will be fixed; it is a property of how these systems work. They generate text that is statistically likely given their training, which is not the same as text that is accurate.

Common hallucination patterns:

  • False citations: AI tools will confidently cite articles, cases, or reports that do not exist
  • Wrong statistics: Numbers are particularly unreliable. AI tools frequently generate plausible-sounding but incorrect figures
  • Outdated information: AI tools have training cutoffs; information about recent events, current regulations, or live data is frequently wrong
  • Confident errors: AI tools don't express uncertainty the way humans do. A hallucinated answer sounds exactly like a correct answer.

The rule for professional use: Any AI-generated content that will be presented to clients, used in decisions, or included in professional communications must be verified against primary sources before use.

This means:

  • Check all citations against the actual source
  • Verify statistics against the original data
  • Check regulatory and legal references against the actual legislation or case law
  • Have a human read AI-generated client communications before sending

Using AI effectively, not just cautiously

Safety does not mean avoiding AI. It means using AI in ways that create value without creating risk.

High-value, low-risk uses:

  • Drafting internal documents (letters, reports, summaries) that you will review before sending
  • Brainstorming and ideation with no confidential inputs
  • Summarising publicly available information
  • Improving the structure or clarity of your own writing
  • Explaining technical concepts in plain language
  • Generating code that you will review and test

Uses requiring extra care:

  • Any task involving customer or client data (use enterprise tools with appropriate data agreements)
  • Any output that will go directly to clients or regulators (verify everything)
  • Legal, medical, or financial analysis (AI assistance only, professional judgement required)
  • Anything where a confident-sounding error would cause harm

The goal is to be the kind of professional who uses AI to work better, not the kind who creates problems by using it carelessly.