It is 11:47 p.m. The crisis statement needs to be in the partner's inbox by 7 a.m. The client has asked for “something tighter, warmer, less defensive.” You paste the working draft into a chatbot, ask for three rewrites, and pick the best one. The work is good. The work is in by morning.
The question that nobody asks at 11:47 p.m. is the one that matters most. Where did that draft just go? Who can see it? How long is it kept? What happens if the announcement leaks two days early — and the leak path leads back to a system the client never agreed to?
Confidentiality is the single most fragile thing senior practitioners carry. It is the thing that is easiest to lose, hardest to recover, and most expensive when it goes wrong. The AI conversation has skipped past it almost entirely — partly because the answers are legitimately complicated, and partly because the loudest voices in the room have a financial interest in not slowing anyone down.
This piece is the version of the conversation you would have if nobody were trying to sell you anything. It maps the actual data path of a pasted paragraph, the meaningful differences between provider tiers, the five sensitivity classes practitioners encounter every week, and the rules that follow from each.
Shadow AI is the default
78%
of AI users at work bring their own tools — past IT, past procurement, past the org's data policies.
Microsoft Work Trend Index, 2024.
The bill when it goes wrong
$4.88M
average cost of a corporate data breach in 2024 — shadow-AI is an emerging vector that most enterprise DLP cannot see.
IBM Cost of a Data Breach Report, 2024.
In May 2023, Samsung banned ChatGPT company-wide after engineers pasted internal source code and meeting transcripts into the consumer interface. The ban was not a moral judgement. It was a recognition that the engineers genuinely did not know where the code had gone, who had touched it on the way, or how to claw it back. That is the core problem. The defaults are invisible.
What actually happens when you paste
A paragraph dropped into a hosted chatbot does not stay in one place. It crosses several systems on the way to the model and leaves a trace at each one. The path looks roughly like this for almost every consumer-tier AI tool:
The path of one pasted paragraph
The clipboard, browser tab memory, paste-history extensions, Windows Recall snapshots, screen-share buffers if you are presenting. Nothing has crossed a network yet, and there are already three or four places the text can be retrieved from.
An HTTPS request leaves your browser. If your firm runs a monitoring proxy, your draft has now passed through DLP. If you are on personal Wi-Fi at midnight, it has not.
The request lands at the provider's API gateway and is logged with metadata: timestamp, account ID, IP address, request size, sometimes the full request body. This log is retained for a window measured in days to months, depending on the tier.
The model runs. Input and output may be retained for abuse review. On consumer tiers, this is typically thirty days by default, with content-moderation queues that can hold flagged items longer. On enterprise and API tiers, this can be zero days with the right contract.
Cloud hosting (Azure, AWS, GCP), CDN providers, content moderation vendors, customer-support platforms. Each is a separate company with its own retention, breach surface, and government-request posture. The provider's sub-processor list is public; almost nobody reads it.
Five stops, three companies, an unknown number of humans with access in the abuse-review and support paths. That is the floor. It is not a worst-case. It is what happens to the safest, most boring paragraph you can paste.
Three perimeters, one decision
It helps to think of confidentiality as three concentric perimeters rather than a single line. Most discussions collapse them, which is why the conversation feels muddy.
Perimeter 3 · Provider & sub-processors
Perimeter 2 · Your organization
Perimeter 1 · Your machine
Your draft. Your client's memo. The embargoed announcement.
Each paste crosses one or more of these. The question is which.
Pasting into a desktop tool that runs the model on your machine crosses zero perimeters. Pasting into a tool your firm has contracted, hosted in your tenant, with audit logs you can read, crosses one. Pasting into a personal-account chatbot at midnight crosses all three — and lands the text inside a perimeter that has nothing to do with the engagement letter your client signed.
Not all AI tools are the same tool
The single largest source of confusion is that “ChatGPT” and “Claude” are not products. They are families of products with materially different data-handling profiles. The differences across tiers are larger than the differences across vendors.
The same paragraph pasted into the consumer interface and into a single-tenant API call has the same input but a wildly different confidentiality profile. The engineers Samsung banned were not using the wrong AI; they were using the wrong tier of the right one. The internal version of the same conversation, on the right tier, with the right contract, would never have made the news.
In Hone Studio
Single-tenant goes one step further than the API tier. Each client of Hone runs on its own Supabase project, its own backend deployment, its own Sentry workspace, and its own per-workspace isolation inside that. The model itself is reached through Anthropic's API with no training on inputs. Your Knowledge Base, Memory, and conversation history never cross a shared boundary with another firm. The provider perimeter is smaller, narrower, and contractually pinned.
Five sensitivity tiers, five rules
The same paragraph is not the same paragraph. A blog draft, a donor profile, an embargoed earnings memo, and a privileged litigation note carry profoundly different consequences if they leak. The rules for AI use should follow the data, not the tool.
Tier 5 · Embargoed / privileged
Material non-public information
Pre-release crisis statements, embargoed earnings, sealed Title IX matters, attorney-client privileged drafts, M&A papers.
Rule
Local AI only, or no AI.
Never paste into hosted tools. If a model is involved, it runs on the operator's machine and leaves no provider log behind.
Tier 4 · Regulated PII
FERPA, HIPAA, GDPR-scope
Student records, donor health histories, EU-resident personal data, applicant files, financial aid notes.
Rule
Single-tenant only, with the right paperwork.
DPA or BAA on file, region-pinned hosting, zero-day retention, audit logs you can produce on request.
Tier 3 · Client-confidential
Under NDA or engagement letter
Client strategy memos, draft deliverables, internal positioning decks, board prep, third-party counsel briefings.
Rule
Enterprise or single-tenant, no consumer.
Read your engagement letter. If it bars third-party processing, the consumer tier is already a breach.
Tier 2 · Internal, non-sensitive
Working drafts, brainstorms
Internal notes, meeting summaries that name no clients, process documents, training plans.
Rule
Enterprise tier is fine.
Use the tool your firm has contracted. Do not use a personal account, even for “just brainstorming.”
Tier 1 · Public
Already published
Press releases that have shipped, public filings, your own prior writing, public research summaries.
Rule
Anywhere is fine.
Use the most capable model you have access to. The risk surface is essentially zero.
The discipline is to know which tier the thing in your clipboard is before you paste it. Most senior practitioners can do this accurately in under five seconds once they have the map. The damage is almost always done by misclassifying down — treating a Tier 4 record like Tier 2 because the moment was hectic and the deadline was tight.
Three patterns that look safe but aren't
Most confidentiality leaks do not happen through the chatbot window. They happen through adjacent tooling that quietly intercepts text on the way to or from work. Three common patterns:
Pattern 01
The browser extension that “summarizes pages”
It reads every tab you open, including the open client memo, and ships the contents to a vendor whose privacy posture you never reviewed. Treat extensions like sub-processors.
Pattern 02
The meeting bot that “just takes notes”
It joins the call, transcribes everyone, and stores the transcript on a third-party server forever. Most clients assume their words are off-record. Most call transcripts are not.
Pattern 03
The “AI search” you don't recognize
A coworker shared a link to a site that answers research questions. You paste a client's name into it. You have no idea who runs it, where it is hosted, or what it logs. The answer is good. The trade was bad.
The pattern across all three is the same. Tools that intercept text are easier to install than to evaluate. The right default is skepticism: assume any extension, bot, or unfamiliar AI surface is a sub-processor until proven otherwise, and never let one touch Tier 3 or higher.
The other ethics question: disclosure
Confidentiality is about where the data goes. The sister question is about what you tell the client. The norm is settling, and it is more permissive than the loud voices of 2023 suggested.
For utility uses — search, summarization of public material, copy-editing your own writing, brainstorming structure — the emerging convention is no proactive disclosure required, the same way you do not disclose that you used a spell-checker. For high-stakes drafts where the AI did meaningful authorial work on the final deliverable, disclose by default. When asked directly, always answer honestly. The fast way to ruin a relationship is to be vague when the client is specific.
Before you paste
A 30-second discipline that catches almost every avoidable mistake:
Before-you-paste check
What tier is this?
If it is Tier 4 or 5, stop. If you are not sure, treat it as one tier higher than your first guess.
What tier is the tool?
Consumer, enterprise, or single-tenant. If you are signed in to a personal account, you are on the consumer tier no matter what the URL says.
What does the engagement letter say?
Many corporate and university contracts now bar third-party processing without notice. Read it once per client; the rest is muscle memory.
Can you paraphrase instead of paste?
For Tier 3 work the safe move is often to share the shape of the problem rather than the artifact. The model rarely needs the whole memo.
If it leaked tomorrow, where would the trail lead?
If the trail leads anywhere your client did not authorize in writing, you have your answer.
In Hone Studio
The whole architecture is built around perimeter discipline. Each client's deployment is single-tenant: its own database, its own backend, its own audit trail. Inputs are sent to Anthropic's API under commercial API terms that prohibit training on your data. Knowledge Base, Memory, and conversation history are scoped per workspace and never cross client boundaries. The security posture is documented in a self-administered first-party OWASP-methodology assessment available on request. The point is not that any single feature is unique. The point is that the defaults are aligned with how senior practitioners actually need to work — Tier 3 and 4 by reflex, with Tier 5 handled by deliberate exception rather than accident.
The teams that get this right are not the ones with the strictest AI policies. They are the ones whose people can answer, in five seconds, what tier the thing on the screen is and what tier the tool is. That is not training. That is a map. The map is above. Pin it somewhere you will see it at 11:47 p.m.