The Hidden Risk Of Ask AI

Right, quick question. What's the riskiest thing in your business right now? Is it a hacker, a competitor, a complicated contract? No. It's Sandra on a deadline with good intentions and a tab open that says Ask AI. Because the quickest way to accidentally hand over your client list isn't cybercrime. It's someone thinking, I'll just paste this in and get it to sound nicer. And boom, client names, prices, notes, emails, supplier terms, all living in a chat box, like it's totally normal. This is Buzzing About HR, and today we're talking Don't Paste That The AI mistake that could leak your client list. This links back nicely to algorithms and empathy and farewell to the paper round. Because yes, tech is brilliant. Right up until it creates a mess, you have to clean up at 9 pm with a headache and a sinking feeling. Hello and welcome back. It's Kate. Hazel is here too. She's our head of security. Not because she understands technology, because she understands risk. If something feels off, she appears. If a packet of cheese opens, she also appears. So she's basically a very consistent system. Right? I'm not doing a law lecture today. This is a practical episode. Because AI tools are already in your business, whether you've approved them or not. The question isn't should people use them? The question is are they using them safely? Or are they one copy and paste away from chaos? And the reason this matters now is simple. It's current, it's clickable, and it's the kind of risk that happens quietly. Nobody announces it, nobody puts it in a meeting agenda. It just happens. The hive brief. Let's strip it right back. Most SMEs don't need a digital transformation strategy. You need three things, a few clear rules, a couple of approved tools, a calm process when someone messes up. Because here's what your team thinks AI is, like Google, like spell check, like a clever assistant. But what they forget is the moment they paste information into a tool, they've moved it outside your systems. And that matters when the thing they pasted is client lists, pricing, supplier terms, contracts, HR cases, anything with personal data, anything commercially sensitive. Anything that would make you sweat if it ended up somewhere it shouldn't. And yes, you might be thinking, Kate, my staff would never. They absolutely would. Not because they're bad, because they're busy. This is not a bad people problem. It's a no rules problem. The sting. Right. Let's talk about the real world mini disasters I'm seeing in SMS. Mini disaster one. Someone pastes a customer email chain into a bot and asks it to write a response. But that email chain includes names, addresses, order details, complaint history, maybe a health detail, maybe a photo. That's personal data, that's confidential, that's not for pasting in. Mini disaster two, HR content. Manager has a disciplinary or grievance and thinks, I'll get AI to draft a letter. So they paste the whole story. Names, dates, allegations, medical details, that is a hard no. Mini disaster three, proposals and pricing. Someone pastes a quote and says, make this sound more premium. So now your pricing, discounts, margins, and your negotiation position are sitting in a chat box. Mini disaster four. Help me with this contract wording. Someone pastes contract terms, supplier rates, or a client negotiation. Again, commercially sensitive. You've just handed over your playbook. Mini Disaster 5. Evidence and investigations. People using AI to rewrite messages, tidy timelines or summarise evidence. Which sounds harmless until you realise you've now got evidence that's been edited by a tool and nobody can tell what's original. And before anyone gets clever, no, we're not doing CSI Small Business Edition. We're doing normal, sensible records. So what's the fix? Not a 12-page policy. Not banning AI, not pretending it isn't happening. The fix is a one-page rule set and a couple of non-negotiables. Here's your one-page S M E AI policy in plain English. Section one, what tools are allowed? List your approved tools. If it's not on the list, staff ask first why? Because otherwise, people use whatever random app appears on their phone, and you'll never even know. Section two, what AI is allowed for? Give examples people actually use. Drafting generic emails with no client data. Rewriting marketing copy. Job at first drafts with no personal data. Turning rough notes into a tidy outline. Brainstorming ideas, summarizing non-confidential content. Section three. What AI is not allowed for. These are your hard boundaries. No client lists. No personal data about customers. No personal data about staff. No HR cases with names, details, or allegations. No medical information. No contracts, pricing, margins, or negotiation terms. No complaints with identifying info. No, paste the whole spreadsheet in and tell me what's wrong. And yes, I know someone will say, but it's quicker. So is driving too fast. Still not a good idea. Section four. The redaction rule. If someone genuinely needs help with structure, they remove identifiers. No names, no company names, no addresses, no emails, no phone numbers, no order numbers, not anything that could identify someone. And you keep it minimal. Section five, human check. AI can draft. Humans decide. Everything AI produces must be checked for. Accuracy, tone, confidentiality, and whether it reflects real life. Because AI will confidently write nonsense in a lovely tone, which is charming and useless. Now if you remember nothing else from this episode, remember these three rules. These prevent most AI-related mess. Rule one. If it's confidential, don't paste it. If you wouldn't put it on a whiteboard in the staff kitchen, don't put it in a bot. Rule two, if it identifies a person, don't paste it. No names, no HR details, no customer complaints, no medical info, nothing that points to a real human. Rule three. If it affects money or legal risk, don't paste it. Pricing, contracts, disputes, negotiations. Hard no. Now, what happens when someone has already done it? Because they will at some point. Here's your calm, oh no process. Step one. Don't shame them. If you shame people, they hide mistakes. You want honesty, not secrecy. Say, thanks for telling me. Let's sort it properly. Step two. Get the facts. What tool? What was pasted? Was it a work account or personal? Was anything shared or saved? Who else has access? Step three. Contain it. Delete the chat if possible. Remove it from any shared docs. Change passwords if needed. If client data is involved, consider what you need to do next, depending on risk. Step four, fix the root cause. Was there no rule? Was there no training? Was the deadline pressure insane? Was someone trying to be helpful? Then put the rule in place. And here's the messaging to your team, because this is where SMS often get it wrong. Don't say AI is banned, because then people use it anyway, and you lose control. Say, we're using AI safely. Here's what's allowed. Here's what's not. And here's why. Make it about protecting clients, colleagues, the business, and the employee from being the accidental villain in a data story. Hazel is staring at me right now as if to say, yes, boundaries. Love that. Legal Angel. Very quick legal reality without turning this into a lecture. If staff paste personal data or confidential info into AI tools improperly, you can create data protection risk, confidentiality breaches, contract issues with clients, an employment relations mess if staff data is involved. You don't need to be a lawyer, you need reasonable controls. For SMEs, reasonable controls are clear rules, approved tools, basic training, and a calm response process when someone slips up. That's it. Small business actions. Here's what you can do this week. One write your one page AI rules using the five sections. Two send the three non-negotiable rules to the team. Three pick your approved tools and publish the list. We use AI safely. Here's what you can and can't do. Five, do a 15-minute team reset with real examples. And if you want a quick staff message, you can copy. Here it is. We're not banning AI. We're using it safely. Don't paste anything confidential, anything that identifies a person, or anything that affects money or legal risk. If you're unsure, ask before you paste. This week's challenge, pick one today. Either draft the one-page policy. Or send the three rule message or create your approved tool list. And if you're thinking, we've already got people using AI and I'm not sure what they've put into it. Book a call. We can sanity check your risk and put simple safeguards in place quickly without turning your business into a corporate circus. AI can be brilliant, but unmanaged AI is like giving your team a forklift with no training and hoping nobody drives it into the wall. Clear rules, clear boundaries, calm responses when someone slips up. Because nothing ruins your day faster than realizing your client list has been pasted into a bot. And nobody thought to mention it. If you want help putting a simple, sensible AI policy in place that actually fits your business, book a call. Kettle on, standards up. See you next time.