The release is under embargo until Tuesday at 6 a.m. It is 9:40 p.m. on a Sunday, the lede is soft, and the associate knows exactly how to fix it. She opens a free chatbot in a fresh browser tab, pastes the whole thing in — headline, dateline, the unannounced acquisition price, the CEO quote that has not cleared legal — and asks for three tighter versions. Ninety seconds later she has a better lede. The release goes out Tuesday on schedule. Nothing leaks. The client never finds out.
That last sentence is the dangerous one. Nothing visibly went wrong, so nothing felt wrong. But for those ninety seconds, a market-moving, embargoed, legally-uncleared document sat on a third party's servers under a consumer agreement no one at the firm had read, retained for a period no one could state, potentially eligible to train a model no one controls. The disclosure incident already happened. It just has not surfaced yet.
This is the part of running a communications firm that nobody puts in the pitch deck. PR's confidentiality stakes are unusually sharp — embargoes, M&A, crisis, privileged strategy — and unusually invisible, because the material that does the most damage is exactly the material that flows fastest through the fewest hands. The PRSA “Promise & Pitfalls” ethics guidance and the CIPR's AI guidance both name confidentiality as a first-order professional duty, not an IT footnote. This piece maps the actual exposure — the perimeters a pasted paragraph crosses, the material that should never cross them in a public tool, where free tools quietly fail you, and what a structural answer actually looks like.
The three perimeters, PR edition
Every document a strategist handles lives inside a set of nested perimeters. Confidentiality is not a single wall; it is a sequence of them, and each paste, upload, or prompt pushes the material outward through one or more. The mistake is treating the innermost perimeter — the one you can see — as if it were the whole boundary.
Perimeter 3 · The provider & its sub-processors
Where a consumer chatbot sends the text. Retention windows, training eligibility, sub-processors, and jurisdictions you never chose.
Perimeter 2 · Your firm
Shared drives, account-team inboxes, project channels. Inside the NDA, but wider than the people actually cleared for this matter.
Perimeter 1 · Your machine
The embargoed release. The holding statement. The deal memo.
A free chatbot moves the document from Perimeter 1 straight to Perimeter 3.
For most knowledge work, crossing into Perimeter 3 is an acceptable trade. A blog outline, a public-event summary, a press release that is already live — the material is non-sensitive, so the provider's retention and training policies barely matter. The PR-specific problem is that the firm's most valuable work is concentrated in the category where crossing that boundary is precisely what you are paid to prevent. The associate who tightens a live press release in a chatbot is doing something unremarkable. The associate who tightens an embargoed one is doing the same keystrokes with a categorically different document underneath them — and the tool cannot tell the difference. You have to.
The high-risk material list
The discipline is not “never use AI.” It is knowing which documents are categorically off-limits to any tool that crosses Perimeter 3. In communications work, four classes carry asymmetric downside — the kind where a wrong move is not a redraft but a retraction, a blown deal, or a malpractice conversation.
Never in a public tool
Embargoed releases
An embargo is a promise of timing. The whole value is that the information does not exist publicly until the agreed moment. A retention log or a training set is a publication path you did not authorize — and an early leak that traces back to your tool chain is your firm's problem, not the vendor's.
M&A and material non-public information
Deal names, prices, timelines, and counterparties are market-moving and, in many engagements, regulated. Pasting them into a consumer tool is not a style decision; it is a potential securities and confidentiality exposure that implicates the client, not just the firm.
Crisis holding statements
The draft that acknowledges what went wrong — before the client has decided whether, when, or how to acknowledge it — is the single most sensitive artifact in a crisis. It frequently sits under legal privilege. Its premature existence anywhere outside the cleared team is the nightmare.
Privileged strategy & counsel-directed work
Communications work performed at the direction of counsel can carry privilege. Privilege is fragile: disclosure to an unnecessary third party can waive it. A chatbot is a third party. Treat anything counsel touched as Perimeter 1 only.
The common thread is timing and waiver. For the rest of knowledge work, a confidentiality slip is a leak: the information was always going to be sensitive, and now it is exposed. For these four classes, the slip attacks something more specific — the firm's control over when information becomes public and whether a legal protection survives. That is why the verification instinct from general AI practice is not enough here. You cannot review your way out of a document having already left the building.
Where free tools fail you
It is tempting to treat a consumer chatbot and a properly procured AI platform as the same engine with a different login screen. The technical literature — and the terms of service — do not support that view. Three differences decide whether a tool is fit for confidential PR work, and a free tab fails all three by design.
Notice what the failure is not. The free model is not less capable — frontier models are remarkable, and the associate's tighter lede was genuinely better. The failure is entirely on the perimeter side. A consumer chatbot is engineered to be one shared environment for the whole world, retaining inputs on terms tuned for product improvement, with no concept of a client boundary. None of that is a defect to be patched. It is the design. For confidential PR work, the design is the problem.
The regulatory overlay
Confidentiality is the inner wall; deception is the outer one. The FTC's endorsement guidance makes clear that AI in the workflow does not relax the rules on truthfulness, substantiation, and honest endorsement. A firm that loses control of its inputs has usually also lost the audit trail it would need to defend its outputs — so the data-handling discipline and the disclosure discipline are the same discipline, viewed from two sides.
What a structural answer looks like
The usual response to all this is a policy: a one-page memo telling people not to paste sensitive material into public tools. Policies are necessary and almost entirely insufficient. The associate at 9:40 p.m. was not malicious or ignorant; she was under deadline pressure with a capable tool one tab away and a soft lede in front of her. A rule that depends on the most pressured person making the most disciplined choice at the worst possible moment is not a control. It is a hope.
The structural answer is to remove the choice. If the AI the firm actually has on hand is already inside the perimeter — isolated, zero-retention, contractually barred from training — then the associate tightening her lede in it is not a confidentiality event at all. The discipline shifts from “remember not to use the convenient tool” to “the convenient tool is the safe one.” That is the only version of this that survives a Sunday night under deadline.
Three properties separate a structural answer from a hopeful one, and they map directly onto the three failure modes above.
Property 01 · Isolation
A perimeter that is real, not assumed
Confidential work needs an environment with an actual boundary around it — ideally one where each client's material sits in separate infrastructure, so the question “could another client see this?” has a structural answer rather than a trust-us answer.
Property 02 · Retention you can name
A zero-retention posture, in writing
“How long is the embargoed draft kept, and where?” should have a contractual answer you can show a client — not a link to a terms-of-service page that can change without notice. A retention window you cannot state is one you do not control.
Property 03 · No training, guaranteed
Your inputs never become someone's model
The hardest exposure to reason about is the one with no timestamp: material absorbed into a training set has no retraction path. A no-training guarantee — enforced upstream with every model provider in the chain — is the only thing that closes it.
In Hone Studio
The isolation posture is stated precisely because precision is the point. Every client gets their own database, their own infrastructure, their own deployment — your documents never touch another client's system. Your data is never used to train AI models: that is contractually guaranteed by every provider in the chain, with zero data retention confirmed with Google and Perplexity. The associate tightening an embargoed lede inside that environment is not crossing Perimeter 3 at all — the convenient tool and the safe tool are the same tool.
Isolation does more than close the embargo-in-a-chatbot gap; it changes what the firm can safely do with AI at all. When the environment is inside the perimeter, the Knowledge Base can hold the firm's actual work — prior coverage, approved positioning, fact sheets — and the Assistant can ground every answer in those materials with citations, because the sensitive corpus never had to leave to be useful. The confidentiality architecture and the quality architecture turn out to be the same architecture. You cannot build the second on a foundation that fails the first.
In Hone Studio
Because confidential material can live inside the perimeter, it can also be put to work there. Enable Knowledge Base mode and the Assistant searches your uploaded documents to ground answers in your own approved materials, with inline citations and a sources panel showing what was retrieved. Citations are assistive — they trace claims back to your source material so a person can verify fast — and every AI output is a draft a person signs off on. Confidentiality is not the price of using AI well here; it is the precondition.
Confidentiality is an architecture, not a policy
The reflex, after a near-miss, is to write a stronger rule. Tighten the memo. Add the line about embargoes. Require the training. All of that is worth doing, and none of it addresses the actual failure, which was never that the associate did not know the rule. She knew it. The failure was that the system handed her a fast, capable, out-of-perimeter tool at the exact moment her judgment was most loaded and her deadline most immediate, and asked her to decline it on principle.
A rule that only holds when nobody is tired, rushed, or pressured is not a confidentiality control. It is a confession written in advance. The firms that handle the most sensitive communications work — embargoes, M&A, crisis — without quietly accumulating disclosure incidents are not the ones with the sternest policies. They are the ones that arranged for the convenient choice and the confidential choice to be the same choice.
Confidentiality, done right, is invisible the way good infrastructure is invisible. Nobody notices the embargoed release that did not leak, the deal that closed on schedule, the holding statement that stayed in the cleared room. That silence is the deliverable. It is not produced by a rule everyone agrees to and someone eventually breaks at 9:40 on a Sunday. It is produced by an architecture in which there was nothing to break.