AI Foundations Series โ Vol. 2
What NOT to Put Into AI
A plain-language safety guide for anyone using AI tools at work. Understand what data is off-limits, why it matters, and what you can safely use instead.
๐ด
When you paste data into a public AI tool, that data leaves your control. Depending on the tool and its settings, it may be stored, used for training, reviewed by staff, or exposed in a data breach. Once it's out, you can't take it back โ and your client's trust goes with it.
๐ก
This isn't about the AI doing something evil. It's about data handling policies, breach risk, and your obligations under client agreements and compliance frameworks like SOC 2 and HIPAA. The same rules that apply to email and USB drives apply here.
02
Never Paste These Into a Public AI Tool
๐
Passwords & Credentials
Any password, API key, secret token, or service credential. Even if you're "just asking for help with a script." Rotate any credential that was accidentally pasted.
Passwords
API Keys
SSH Keys
Auth Tokens
Connection Strings
๐ค
Client PII โ Personal Identifiable Information
Full names, email addresses, phone numbers, Social Security numbers, or anything that identifies a real person. This includes ticket data with real client names and support logs with user details.
Full Names
Email Addresses
Phone Numbers
SSN / DOB
Home Addresses
๐ข
Client Business Data
Confidential client information you're under NDA or contract to protect. Financial figures, employee counts, internal processes, proprietary systems. If you wouldn't post it publicly, don't paste it into AI.
Financial Data
Revenue Figures
Internal Process Docs
NDA-covered Info
๐
Network & Infrastructure Details
IP addresses, internal hostnames, VLAN configs, firewall rules, or network diagrams for client environments. This gives attackers a roadmap. Sanitize or anonymize before using in a prompt.
Internal IPs
Hostnames
Firewall Rules
Network Diagrams
VLAN Details
โ๏ธ
Health or Legal Information
Patient records, insurance data, legal case details, or any information subject to HIPAA, CMIA, or attorney-client privilege. These carry specific legal obligations โ violations can result in fines or breach of contract.
Patient Records
Insurance Data
Legal Case Files
HIPAA-covered Data
๐ฐ
Internal Company Financials
MSP AI Resource Hub' own pricing, margins, contract values, or internal financial data. Even if you're trying to build a model or calculator โ use placeholder values instead of real figures.
Contract Values
Margins
Internal Pricing
Budget Data
03
What You CAN Safely Use
Generic / Anonymized Scenarios
Replace real names with "Client A", real IPs with "192.168.x.x", and real people with "the end user". You get just as good a result with none of the risk.
Public or Generic Technical Questions
"How do I configure MFA in Entra ID?" or "What does this PowerShell command do?" โ no client-specific data required, completely safe.
Drafting & Writing Tasks
Emails, SOPs, runbooks, training materials โ as long as you're using placeholder or anonymized examples rather than live client data.
Summarizing Your Own Notes
Meeting notes you took yourself, internal process documentation, draft ideas โ as long as they don't contain client PII or credentials.
Code Without Secrets
Scripts and code snippets are fine โ as long as you've removed any hardcoded credentials, connection strings, or internal hostnames before pasting.
04
Quick Scenarios โ OK or Not?
"Can I paste a ticket to get a summary?"
Caution
Only if you've removed or replaced the client's real name, their users' names, and any IP addresses or hostnames. Use "Client A" and "User 1" instead. The technical details are usually fine.
"Can I ask AI to help me write a PowerShell script?"
OK
Yes โ describe what you want the script to do in plain English. Just don't paste existing scripts that contain real credentials, server names, or internal IPs.
"Can I paste a client's firewall log to analyze it?"
No
Firewall logs contain real internal IPs, hostnames, and traffic patterns โ this is sensitive infrastructure data. Describe the pattern generically instead: "I have traffic from internal host to external IP on port 445, what could this mean?"
"Can I use AI to draft a client-facing security report?"
Caution
Yes, but write the draft using placeholder data, then fill in the real details yourself after. Never feed raw scan output with real client hostnames or IPs directly into the prompt.
"Can I ask AI to explain what a specific error code means?"
OK
Totally fine. Error codes, event IDs, and generic error messages are not sensitive. Paste away.
"Can I paste an email thread to get a summary?"
No
Email threads typically contain real names, email addresses, and confidential business context. Describe the situation manually instead: "A client is asking about X, they're concerned about Y, how should I respond?"
05
The Simple Rule to Remember
โ
Before you paste anything, ask yourself: "Would I be comfortable if this appeared in a public data breach?"
If the answer is no โ anonymize it first, or describe the situation in your own words without pasting the raw data.
๐ก
When in doubt, use our PII Sanitizer tool before pasting anything. It automatically detects and redacts names, emails, IPs, and other sensitive patterns from text โ so you can use AI safely without the manual work.