Brief IA

ChatGPT: When AI Threatens Business Security

Models & LLM · Tom Levy

Key Takeaways

1. A director from CISA transferred sensitive documents to ChatGPT, exposing security vulnerabilities.
2. Samsung banned ChatGPT after critical data leaks via its engineers in 2023.
3. AI-generated errors cost businesses time and money, according to a 2025 study.

Why it matters: Inadequate management of AI exposes companies to security and productivity risks, necessitating strengthened governance.
Full Analysis

Data Breaches: An Omnipresent Risk

Recent data breach incidents in companies are not merely isolated events but reflect a worrying trend where human judgment is often sidelined. Take the striking example of the acting director of CISA, the U.S. federal agency responsible for cybersecurity, who was caught transferring internal documents to ChatGPT, a publicly accessible artificial intelligence tool. This incident, which occurred in early 2026, was uncovered through the administration's internal monitoring systems. Although the agency claimed that access was authorized and usage limited, the fact that sensitive information was entrusted to an uncontrolled system remains concerning.

Such situations could occur in any organization. The problem does not lie with the tool itself but with the attitude of users who choose to delegate their judgment and share information without prior verification.

When Data Escapes

The unauthorized and unsupervised use of artificial intelligence tools, often referred to as "shadow AI," has become commonplace. According to a study published by IBM, the use of generative AI by employees increased from 74% to 96% between 2023 and 2024. Among these users, 38% admitted to inputting sensitive business information into these tools without authorization.

The Samsung case in 2023 is a striking example of this issue. Within twenty days, three incidents of data leakage via ChatGPT were reported: an engineer shared the source code of a semiconductor database, another leaked confidential testing models, and a third requested a summary of an internal meeting. Once entered, this data could be used to train the AI model, thus escaping the company's control. In response, Samsung banned the use of generative AI tools in the workplace.

Leaks are not limited to technical teams. In February 2026, U.S. federal judge Jed Rakoff ruled that analyses produced by a former executive of GWG Holdings with an AI assistant, in the context of a stock fraud case, could be disclosed. The argument was that interaction with an AI could be considered an exchange with a third party, thereby nullifying attorney-client privilege.

In your company, do you know exactly which AI tools are being used by your teams and with what data?

When AI Invents and No One Verifies

Another, more insidious risk is that of errors generated by AI that go unnoticed. AI can produce texts that appear credible but are, in fact, false. If no one verifies them, these errors can have serious consequences.

In October 2025, a consulting firm had to partially reimburse the Australian government for a report containing AI-generated errors, including non-existent academic references and a fabricated quote attributed to a federal judge.

The legal sector has also experienced similar incidents. In 2023, in the case of Mata v. Avianca in New York, a lawyer was fined $5,000 for submitting court decisions fabricated by ChatGPT. In Canada, in 2024, a lawyer had to pay the opposing party's costs after citing fictitious case law in a child custody dispute. The underlying problem is always the same: the lack of proofreading and verification.

Beyond these spectacular cases, a more discreet phenomenon, "workslop," affects daily productivity. This term refers to AI-generated content that seems professional but lacks depth, forcing the recipient to redo everything. A study by BetterUp Labs and Stanford, published in the Harvard Business Review in September 2025, estimates that each occurrence of "workslop" costs nearly two hours of correction on average, amounting to about $186 per month for each affected employee.

Three mechanisms fuel these deviations: overconfidence (suspending critical thinking in the face of well-crafted text), the rush to adopt (managers deploying uses faster than controls can keep up), and excessive delegation (entrusting the machine with synthesis, advice, or even decision-making without verifying the result).

On your recent high-stakes deliverables, how many were reviewed by a human capable of spotting a substantive error?

Regaining Control

Banning the use of AI is not a viable solution, as it drives users to circumvent the rules. A charter or isolated training is insufficient in the face of the pressure to deliver quickly. To structurally reduce risks, an organization must develop three essential capabilities that directly address the identified risks.

  • Visibility of Actual Uses: As long as the company is unaware of which tools are being used, by whom, and with what data, it remains in the dark. It is crucial to detect not only officially declared applications but also browser extensions, AI features integrated into business software, and uses via personal accounts.

  • Control at the Moment of Interaction and Execution: Blocking sites is no longer enough. It is necessary to analyze the content of a message before it is sent to an external model and to monitor the actions that the AI proposes to execute. This requirement becomes critical with autonomous agents capable of acting directly on information systems.

  • Local Execution for Sensitive Data: For cases involving professional secrecy, strategic information, or high-risk personal data, systematically routing information to an external provider creates permanent exposure. Executing the model on internal infrastructure—or via a secure gateway to a more powerful model when necessary—keeps the data within the company's perimeter.
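
The three capabilities above can meet in one pre-send gate: inspect the prompt, decide whether it may go to an external model or must stay on a local one, and emit an audit record for the usage inventory. The sketch below is an added example, not code from the article or any vendor; the detector set, the `LOCAL_ONLY` policy and the names `gate_prompt` and `Decision` are assumptions.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed detector set (assumption): replace with your own data classes.
DETECTORS = {
    "private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "classification_marker": re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b"),
    "payment_card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}
# Assumed policy: these classes never leave the perimeter, even redacted.
LOCAL_ONLY = {"private_key", "classification_marker"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Decision:
    destination: str    # "external" or "local"
    outbound_text: str  # text allowed to go to that destination
    findings: list      # detector names that fired
    audit: dict         # record for the usage inventory


def gate_prompt(user: str, tool: str, prompt: str) -> Decision:
    findings, redacted = [], prompt
    for name, rx in DETECTORS.items():
        for m in rx.finditer(prompt):
            if name == "payment_card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue
            findings.append(name)
            redacted = redacted.replace(m.group(), f"[REDACTED:{name}]")
    destination = "local" if LOCAL_ONLY & set(findings) else "external"
    # The audit record stores a hash, not the prompt, so the log is not a second leak.
    audit = {"user": user, "tool": tool, "destination": destination,
             "findings": sorted(set(findings)),
             "sha256": hashlib.sha256(prompt.encode()).hexdigest()}
    text = prompt if destination == "local" else redacted
    return Decision(destination, text, findings, audit)
```

Pattern matching only catches data with a recognizable shape; source code or meeting notes without a marker pass through, which is why the gate complements rather than replaces the usage inventory and local execution.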

These three capabilities do not replace the culture of use; they make it operational. Without visibility, one cannot train or hold accountable. Without real-time control, good reflexes remain insufficient. Without local execution, employees may sometimes be forced to choose between productivity and compliance.

This culture varies by profession. A legal professional never sends the facts of a sensitive case to an external tool. A manager requires human proofreading on any client-impacting or strategic deliverable, as well as traceability of AI usage. A developer tests and secures the generated code instead of assuming it is ready to use.

Evidence that this approach is effective exists. A construction sector platform obtained the world's first ISO 42001 certification within six months by structuring both its control tools and validation processes. According to feedback from publishers, a major global health technology company has, for its part, brought unauthorized AI usage down to nearly zero among over 60,000 users by combining automated discovery and monitoring of interactions.

The Cost of Inaction

The question is no longer whether AI will be deployed in your company. It is already deployed. The real question is at what cost. Organizations that still treat governance as a secondary issue accumulate hidden costs: time spent on corrections, data incidents, decisions based on fragile foundations, and a gradual erosion of the quality of deliverables.

Those that build visibility, real-time control, and local execution capability—and embed good reflexes in every profession—reduce these costs while making adoption faster and more stable.

The next incidents will not come from an isolated technical flaw but from a chain of daily actions repeated without a framework. In your organization, is AI governance still a set of rules to enforce, or a system of capabilities to build?
