The data

The surface area has grown faster than most organisations have measured it.

14

average distinct LLM tools in active use at a mid-sized regulated organisation (we find 8–23)

RedactGate customer audit data, 2025–26

38%

of employees who've pasted content they wouldn't send externally without legal review

Gartner AI TRiSM Survey, 2026

$4.88M

average cost of a data-leakage incident involving a generative-AI tool

IBM Cost of a Data Breach, 2026

72h

window under EU AI Act Article 73 to report a serious AI incident to your national competent authority

Regulation (EU) 2024/1689

Categories at risk

Six data categories that consistently show up in our customer audits.

Not all AI paste events are equal. These are the categories our customers find being sent to LLMs, and then realise shouldn't have been.

01

Client identifying information

Names, email addresses, organisational identifiers pasted from CRM records into chatbots for summary or outreach help.

02

Protected health information

Medical records, patient identifiers, treatment history pasted for translation, summary, or diagnostic-aid workflows.

03

Source code and secrets

Proprietary code, API keys, credentials, and internal architecture pasted for debugging, documentation, or explanation.

04

Financial records

Account numbers, transaction records, invoice data, and management accounts pasted for reconciliation help.

05

Contractual terms and IP

Draft contracts, negotiation strategy, strategic planning documents pasted for critique or rewriting.

06

Employee personal data

CVs, appraisal text, internal communications involving named employees pasted for summary or coaching help.

We realised we were a paste-accident away from a reportable incident. It wasn't a policy problem. It was a measurement problem: we had no visibility into a leak surface that didn't exist in our risk register three years ago.

Chief Risk Officer

Top 10 UK law firm

Anonymised at customer request.

See your own exposure.

Our briefing team runs the 60-second audit with you and produces a clean view of your organisation's current LLM surface area. No tool install required.

Output is yours to keep. No sales follow-up unless you ask for one.