Data classification — by risk level.
Walk through each category with Legal and the line-of-business owners. Anything not on this table defaults to the highest classification that touches it.
| Data type | Risk level | Required mitigation |
|---|---|---|
| Customer PII & records: names, emails, SSNs, health data | Critical | Never input to external AI. Enterprise tools with air-gapped data isolation only. |
| Proprietary IP & trade secrets: formulas, pricing models, strategy | Critical | Classified AI-prohibited. Require explicit committee approval for any AI use. |
| Financial data & forecasts: internal P&L, budgets, unreported results | High | Anonymize or summarize before AI use. Full audit trail required. |
| Employee data: compensation, performance reviews, HR files | High | HR-specific AI tools only, with signed Business Associate Agreements. |
| Legal documents & contracts: pending litigation, contract terms, NDAs | Medium | Legal sign-off required. Redact sensitive terms before any AI review. |
| Internal communications: Slack, email threads, meeting notes | Medium | Context-dependent. Policy must specify exactly what can be shared. |
| General business content: marketing copy, job postings, public docs | Low | Approved for standard AI tools. Human review before external publication. |
Consumer vs. enterprise AI — a critical distinction
Free-tier consumer AI tools may use your inputs to train future models. Enterprise and API tiers typically offer data isolation and zero-retention guarantees — but you must verify in the contract, not the marketing page.
How exposed is your data right now?
The Enterprise AI Adoption Index includes a Data & Risk category that estimates the gap between your current safeguards and a defensible baseline.