The Biggest Corporate Espionage Operation in History and You’re Running It Yourself by Francesco Gadaleta

Francesco Gadaleta PhD is a seasoned professional in the field of technology, AI and data science. He’s the founder of Amethix Technologies, a firm specialising in advanced data and robotics solutions. He hosts the popular Data Science at Home podcast, and over his illustrious career he’s held key roles in the healthcare, energy, and finance domains.
In this post, Francesco discusses the biggest unseen security threat to enterprise – a threat employees use every day to boost productivity. While traditional security is designed to stop bad actors breaching a company’s firewalls, no-one is addressing the data flowing out of the front door via AI coding assistants and chat tools.
How can companies retain AI capability without data leaving the controlled environment? Francesco explores some promising alternatives:

Somewhere right now, a defence contractor’s engineer is pasting classified system architecture into ChatGPT to get help writing a comment block.

A law firm’s associate is feeding a confidential M&A document into Copilot to fix the formatting.

A security company, one that sells security posture to Fortune 500 clients, has all its developers streaming proprietary vulnerability research to Microsoft’s servers in real time, every single day, through their IDE.

And nobody is panicking. Nobody is filing an incident report. Nobody is getting fired.

Because they’re all just trying to be productive.

In this article, I’ll discuss the most elegant, most widespread, most completely ignored corporate espionage operation in human history. The best part? The victims are doing it to themselves.

The Illusion of Security

Let’s start with a scenario:

You’re the CISO of a mid-sized company. You’ve done everything right. You’ve got a VPN. Zero-trust architecture. Multi-factor authentication on everything. Strict BYOD policies. You run quarterly security awareness training, you know, the ones where employees click the fake phishing email and get a passive-aggressive reminder about cyber hygiene.

You sleep well at night. You’ve built a fortress.

And then one Tuesday morning, your lead developer opens VS Code, enables GitHub Copilot, and starts working on your core proprietary algorithm. And just like that, your fortress has a screen door.

Here’s what people fundamentally misunderstand about security. Traditional security is designed around one threat model: bad actors trying to get in. Firewalls, intrusion detection, encrypted tunnels, it all assumes the enemy is outside, trying to breach your perimeter.

AI coding assistants and chat tools operate on a completely different axis. They don’t breach your perimeter. They don’t need to. Your own employees, your most trusted people, following your own sanctioned workflows, walk the data out the front door voluntarily. With good intentions. While feeling productive.

Your VPN protects the connection between the laptop and your office network. It does absolutely nothing about what the developer pastes into a browser tab five seconds later.

Your access controls ensure only authorised people see your sensitive data. They say nothing about what those authorised people then feed to a third-party AI to get their job done faster.

Every single layer of your security stack was designed for a threat model that AI tools completely sidestep.

The Chat Interface: Thinking Out Loud at Scale

Now let me tell you what’s actually in those chat logs.

When people talk to AI assistants, they don’t perform. They don’t write for an audience. They think out loud. They paste the real thing. The actual numbers. The genuine strategic concern. The real problem they’re trying to solve.

Email? People know email is a record.

They’re careful. Legal has told them to be careful. They’ve been trained. But ChatGPT feels like a scratchpad. It feels like talking to yourself. So you get:

  • Executives drafting communications about upcoming layoffs, restructuring, or acquisition talks in full detail, asking the AI to “make this sound better.”
  • Legal teams working through liability exposure with actual case facts attached.
  • Sales teams refining competitive pitches that reveal exactly how the company is positioned, what discounts are authorised, and where the floor is on pricing.
  • HR departments handling sensitive terminations, compensation disputes, and internal investigations.
  • Engineers describing system vulnerabilities they’re trying to fix in precise technical detail to a tool that is definitely listening.

This is more candid, more detailed, and more strategically valuable than almost any other data source you could imagine. It’s better than email archives because people are less guarded. It’s better than meeting recordings because people actually explain their thinking.

And it has been flowing, continuously, into the infrastructure of a handful of companies, since late 2022.

Samsung figured this out the hard way in early 2023 when engineers leaked proprietary chip design code and internal meeting transcripts through ChatGPT. It made headlines. Samsung banned the tool internally.

But Samsung is the story we now know about. How many didn’t make headlines? How many companies don’t even know it happened?

The IDE Plugin: The Invisible Firehose

Now here’s where it gets really interesting. The chat interface at least requires a conscious decision. The employee thinks, “I will paste this thing.” There’s agency. There’s a moment where they could think twice.

IDE-integrated AI tools? No such moment exists.

Copilot, Cursor, Tabnine – these tools live inside your development environment. They watch your code as you type. They analyse the surrounding context, open files, imports, and configurations to generate better suggestions. This is happening continuously, invisibly, in the background.

There’s no paste event. There’s no “send” button. The developer isn’t thinking “I am now transmitting data to Microsoft.” They’re thinking “oh nice, it autocompleted that function.”

But the transmission is real. Your code, not just the file you’re working on but context pulled from across your project, is being streamed to remote servers as a normal part of the development workflow.

For a SaaS company, that codebase is the product. It’s the asset. It represents years of engineering decisions, domain-specific optimisations, architectural choices that competitors would spend millions to understand. And it’s leaving the building, continuously, through a tool that every developer considers essential and basically harmless.

For a defence contractor or a critical infrastructure company, this isn’t just a competitive intelligence problem; it may be a regulatory violation. Many of these organisations operate under compliance frameworks (FedRAMP, ITAR, and various national security classifications) that explicitly restrict where code can be processed. Using a cloud-based AI coding assistant may put you in breach of those requirements whether or not anyone notices.

And here’s the kicker: the tool is genuinely useful. That’s what makes this so hard. You’re not asking people to stop using a frivolous toy. You’re asking them to give up something that makes them meaningfully more productive. The incentive structure points entirely in the wrong direction.

The Geopolitical Dimension: Let’s Get Uncomfortable

Hypothetically – and I want to be clear this is a thought experiment – imagine you had query access to the aggregate conversation history of a major LLM provider. Not the model weights. The actual conversations.

What you’d have is a continuously updated, self-organising intelligence database covering essentially every sector of the global economy. Engineering decisions at aerospace companies. Drug development strategies at pharmaceutical firms. Financial risk models at banks. Merger discussions at private equity firms. Vulnerability research at cybersecurity companies.

And unlike a document leak or an email archive, this data is already in a format that’s queryable, summarisable, and cross-referenceable. The analysis practically does itself.

Traditional state-level espionage required enormous infrastructure, human assets, signal intelligence, years of patient data collection. What I’ve just described would make all of that look quaint.

And here’s the uncomfortable truth: the major AI providers are extraordinarily high-value targets precisely because of this data concentration. OpenAI disclosed an internal security breach in 2023; they claimed no customer data was accessed. Maybe. But nation-state threat actors think in decades and they absolutely understand the value of what’s accumulating in those systems.

We voluntarily created the most valuable intelligence asset in history, distributed it across three or four companies in one country, and called it productivity software.

The Security Company Paradox

I want to return to something because I think it’s the sharpest illustration of the absurdity here.

Consider a security company – an organisation whose entire business model is built on being better at protecting information than everyone else. These companies invest heavily in security culture. Their employees understand threat models. They’ve read the OWASP top ten for fun.

And if that company lets its engineers use Copilot or its consultants use ChatGPT, all of those credentials, all of that expertise, all of that investment in security culture, is undermined by a browser extension.

Not only is their own proprietary research leaving the building – client data may be leaving too. Vulnerability assessments. Penetration test findings. Network diagrams. The exact information clients are paying them to protect.

If you sell security and you haven’t explicitly addressed AI tools in your data handling policies, not with a vague “be careful” memo but with actual technical controls, you’re not a security company. You’re a security theatre company. Which is worse, because you should know better.

What Actually Helps

I’m not going to end this article with “therefore ban AI tools and go back to Stack Overflow.” That’s not a realistic or even desirable conclusion.

But let me tell you what actually changes the risk profile.

First, you have to update your threat model.

AI tools are a data egress channel; treat them like one. The same way mature organisations eventually got serious about USB drives and personal email, you need technical controls, not just policies, on what can be transmitted to external AI endpoints.

DLP tools can be configured to detect sensitive content going to these services. It’s not perfect, but it’s not nothing.

Second, there’s a meaningful difference between AI providers’ offerings.

Enterprise tiers with contractual data isolation (Microsoft’s enterprise Copilot with Azure data boundaries, Anthropic’s enterprise offering, Google’s Workspace AI) all provide contractual guarantees about data handling that free tiers don’t. You’re still trusting a third party, but you have legal recourse and the data isn’t going into training.

For organisations that can’t accept third-party data processing at all, self-hosted open-source models – Llama, Mistral, Code Llama – are genuinely capable now, and keep everything on your infrastructure.

Third, the most effective intervention is specificity.

Vague policies fail. “Don’t share confidential information with AI tools” means nothing because employees don’t experience what they’re doing as sharing confidential information; they experience it as asking for help.

Name the categories. Source code. Client data. Financial projections. Legal matters. M&A discussions. Active vulnerability research. The more concrete you are, the more likely the policy changes behaviour.

Fourth, and this is the one nobody wants to hear: audit whether your security-sensitive roles should be using these tools at all for certain classes of work.

Yes, it creates a productivity gap. That’s a real cost. But for some organisations and some categories of work, the risk calculus genuinely doesn’t favour convenience.

The Core Problem to Solve

You need AI capability without data leaving your controlled environment.

That means the model, the inference engine, and the data it reasons over all need to live inside your perimeter. The two main architectural patterns that address this are secure/private inference and confidential RAG.

1. Secure / Private Inference

What it is: Running the AI model itself on infrastructure you control, so prompts and completions never leave your environment.

The spectrum of options:

Self-hosted open source models

You deploy Llama 3, Mistral, Code Llama, Falcon, or similar on your own servers or private cloud. The model weights sit on your hardware. Nothing leaves. This is the most radical form of data sovereignty.

Feasibility: genuinely practical today for mid-to-large organisations. A capable coding assistant or document analysis model runs on 2–4 high-end GPUs. Tools like Ollama, vLLM, and LM Studio have made deployment dramatically simpler. The gap between self-hosted models and frontier models such as GPT-4 and Claude has narrowed significantly; for many enterprise use cases, a well-configured Llama 3 70B is good enough.

Private cloud deployment

Using Azure, AWS, or GCP but in a dedicated, isolated instance with contractual guarantees that your data stays within defined boundaries and isn’t used for training.

Microsoft’s Azure OpenAI Service works this way: you’re using GPT-4 but in an Azure tenant you control, with a data processing agreement.

Feasibility: straightforward, but you’re still trusting a cloud provider. For most commercial companies this is acceptable. For defence or classified environments, probably not.

Confidential computing

An emerging hardware-level approach using technologies like Intel TDX or AMD SEV, where the inference happens inside a cryptographically verified “trusted execution environment” that even the cloud provider’s staff can’t access. Essentially, the server can’t see what it’s computing.

Feasibility: early but real. Companies like Edgeless Systems and Opaque Systems are building on this. It’ll matter more in three to five years.

2. Confidential RAG

What it is: RAG (Retrieval-Augmented Generation) is the technique where, instead of baking all your knowledge into a model, you store it in a vector database and retrieve relevant chunks at query time to give the model context.

Confidential RAG means doing this entire pipeline inside a secure, access-controlled environment.

Why RAG Matters for Enterprise

It solves two problems at once. You don’t need to fine-tune a model on your proprietary data (expensive, risky). And the model only sees the specific information relevant to each query, rather than having free-form access to everything.

The Architecture in a Secure Setup

Your documents, internal wikis, codebases, contracts, and technical documentation are chunked and embedded into vectors using a locally-running embedding model.

Those vectors live in a private vector store (Weaviate, Qdrant, Chroma, pgvector, all self-hostable). When an employee asks a question, the relevant chunks are retrieved and assembled, and they’re passed to a locally-running or private-cloud LLM. Nothing touches external infrastructure.

The Access Control Layer

This is what makes it “confidential” RAG.

Specifically, you can apply document-level permissions so that the retrieval step only surfaces content the querying user is actually authorised to see.

A junior employee’s RAG query shouldn’t pull board-level financial documents even if they’re in the same corpus.

Tools like LlamaIndex and LangChain have mechanisms for this, though implementing it properly requires care.

Benefits

  • The model’s answers are grounded in your actual current documentation rather than its training data, which eliminates hallucination on internal topics.
  • The sensitive data never leaves your perimeter.
  • You get audit logs of what was retrieved and when.
  • And you can update the knowledge base without retraining anything; just re-embed new documents.
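To make the access-control layer concrete, here is an added example of a permission-aware retriever. It is not code from the post, nor the LlamaIndex or LangChain mechanism the post mentions; it is a minimal stand-alone model of the same idea. Each chunk carries the groups allowed to read it, the retriever filters on the querying user’s groups before any ranking happens, the prompt handed to the LLM is built only from chunks that survived that filter, and every retrieval is written to an audit log. The term-frequency “embedding”, the two-document corpus, and the users and group names are constructed for this example; a real deployment would swap in a locally running embedding model and a self-hosted vector store.

```python
"""Permission-aware retrieval for a confidential RAG pipeline (added example, not the post's code)."""
import math
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Chunk:
    doc_id: str
    text: str
    allowed_groups: frozenset   # groups permitted to read this chunk


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset


def embed(text: str) -> Counter:
    # Toy embedding: lower-cased term frequencies. Stands in for a local embedding model.
    return Counter(re.findall(r"[a-z0-9]+", text.lower()))


def cosine(a: Counter, b: Counter) -> float:
    dot = sum(a[t] * b[t] for t in a if t in b)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


class ConfidentialStore:
    def __init__(self):
        self._chunks = []       # (Chunk, embedding) pairs
        self.audit_log = []     # one entry per retrieval

    def add(self, chunk: Chunk):
        self._chunks.append((chunk, embed(chunk.text)))

    def retrieve(self, user: User, query: str, k: int = 3):
        q = embed(query)
        # Authorisation is a pre-filter: chunks the user may not read are never scored,
        # so they cannot be surfaced by a broad query or crowd out permitted results.
        candidates = [(c, e) for c, e in self._chunks if c.allowed_groups & user.groups]
        scored = sorted(((cosine(q, e), c) for c, e in candidates), key=lambda s: -s[0])
        hits = [c for score, c in scored[:k] if score > 0]
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user.name,
            "query": query,
            "returned": [c.doc_id for c in hits],
            "filtered_out": len(self._chunks) - len(candidates),
        })
        return hits


def build_prompt(context_chunks, question: str) -> str:
    # The LLM only ever sees chunks that passed the permission filter.
    context = "\n".join(f"[{c.doc_id}] {c.text}" for c in context_chunks)
    return f"Answer using only the context below.\n\n{context}\n\nQuestion: {question}"


# Constructed corpus: an engineering wiki page and a board-level finance document.
STORE = ConfidentialStore()
STORE.add(Chunk("wiki-deploy",
                "Deployment runbook: restart the billing service after schema migration.",
                frozenset({"engineering", "board"})))
STORE.add(Chunk("board-q3",
                "Q3 projection: billing revenue forecast revised down 12 percent.",
                frozenset({"board"})))

JUNIOR = User("junior-dev", frozenset({"engineering"}))
DIRECTOR = User("finance-director", frozenset({"board"}))

if __name__ == "__main__":
    hits = STORE.retrieve(JUNIOR, "billing revenue forecast")
    print(build_prompt(hits, "What is the billing revenue forecast?"))
    print(STORE.audit_log[-1])
```

The junior engineer’s query about the revenue forecast returns only the runbook, because the board document is removed before scoring rather than after. Filtering after ranking is the common mistake: the top-k can then be entirely consumed by documents the user cannot see, and the scores themselves reveal that a matching restricted document exists. The audit entry records what was returned and how many chunks were withheld, which is the log the post says you should expect from a confidential RAG setup.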

3. Additional Mitigations Worth Knowing

Prompt Firewalls / AI Gateways

Tools like Portkey and Lakera Guard, or custom API gateways that sit between employees and external AI providers, can scan outbound content for sensitive patterns (PII, credentials, code signatures) and either block or redact before transmission.

Not a complete solution but a useful layer if you’re not ready to go fully private.
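As an added example (not code from the post, and not Portkey or Lakera Guard), here is the core of such a gateway: an outbound prompt scanner that classifies each request as allow, redact, or block before it is forwarded to an external provider. It also illustrates the DLP-style detection the post calls for under “update your threat model”, since the same matching logic applies whether it sits in a gateway or a DLP agent. The rules, the internal domain `corp.example.internal`, the package namespace `com.examplecorp`, and the sample prompts are constructed placeholders for this example.

```python
"""Outbound prompt scanner for an AI gateway (added example, not the post's code)."""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    action: str                # "block" (drop the request) or "redact" (mask and forward)
    token: str = "[REDACTED]"


RULES = [
    # Credentials must never reach a third party: block the whole request.
    Rule("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "block"),
    Rule("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), "block"),
    Rule("bearer_token", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._\-]{20,}"), "block"),
    # PII and internal identifiers: mask them and forward the sanitised prompt.
    Rule("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "redact", "[EMAIL]"),
    Rule("internal_hostname", re.compile(r"\b[\w-]+\.corp\.example\.internal\b"), "redact", "[HOST]"),
    # A "code signature": a proprietary package namespace (assumed) that marks internal source.
    Rule("proprietary_namespace", re.compile(r"\bcom\.examplecorp\.[\w.]+"), "redact", "[INTERNAL_CODE]"),
]


@dataclass
class Decision:
    action: str                                   # "allow", "redact" or "block"
    matched: list = field(default_factory=list)   # names of the rules that fired
    text: str = ""                                # prompt as forwarded (empty when blocked)


def scan_prompt(prompt: str, rules=RULES) -> Decision:
    """Evaluate every rule; any blocking rule wins, otherwise apply all redactions."""
    fired = [r for r in rules if r.pattern.search(prompt)]
    names = [r.name for r in fired]
    if any(r.action == "block" for r in fired):
        return Decision("block", names, "")
    text = prompt
    for r in fired:
        text = r.pattern.sub(r.token, text)
    return Decision("redact" if fired else "allow", names, text)


# Constructed sample prompts, of the kind the post describes employees pasting.
SAMPLES = {
    "harmless": "Explain why this loop allocates on every iteration.",
    "pii_and_host": "The job on pg01.corp.example.internal fails; alice@example.com owns it.",
    "credential": "Here is my config, key AKIAABCDEFGHIJKLMNOP, why does auth fail?",
}

if __name__ == "__main__":
    for label, prompt in SAMPLES.items():
        d = scan_prompt(prompt)
        print(f"{label:13} -> {d.action:6} matched={d.matched} forwarded={d.text!r}")
```

The split between block and redact is deliberate: a leaked credential is a live incident regardless of the rest of the prompt, while an email address or hostname can usually be masked without destroying the question. The limits the post hints at apply here too: regexes catch known shapes (key prefixes, PEM headers, your own domain and namespace), not proprietary logic pasted as ordinary code, so treat a gateway as a layer that shrinks the problem rather than one that solves it.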

Fine-Tuned Smaller Models for Specific Tasks

Instead of sending everything to a frontier model, you train a smaller specialised model on non-sensitive representative data for a specific task (code review, document summarisation).

Lower capability ceiling but dramatically lower risk surface.

Air-Gapped Inference for Classified Environments

Fully disconnected hardware, no network access at all.

Feasible for defence and intelligence contexts where this is already standard operating procedure for other systems.


Solution Comparison

Solution                        | Technical Complexity | Cost                  | Data Protection    | Capability vs GPT-4
Self-hosted OSS model           | Medium               | Medium (GPU hardware) | Excellent          | 80–90% for most tasks
Private cloud (Azure OpenAI)    | Low                  | Low–Medium            | Good (contractual) | Full
Confidential RAG (self-hosted)  | High                 | Medium–High           | Excellent          | Depends on base model
AI Gateway / Prompt Firewall    | Low                  | Low                   | Partial            | Full (passthrough)
Confidential Computing          | Very High            | High                  | Excellent          | Improving fast

The technology to do this properly exists today and is increasingly accessible.

A year ago, self-hosted models were a compromise. Today, for the majority of enterprise use cases, document analysis, code assistance, internal Q&A, and report drafting, a well-deployed private stack is genuinely competitive with external services.

The barrier is no longer primarily technical.

It’s organisational, budgetary, and operational: somebody has to own the decision, budget the infrastructure, and do the integration work. Most companies haven’t made the investment because the risk hasn’t felt urgent enough yet. It will.

Here’s the Meta-Point I Want to Leave You With

We spent decades building security infrastructure on the assumption that data leakage was something that happened to you, through attacks, through breaches, through adversarial action.

We built walls, moats, detection systems, and response playbooks.

And then we handed every employee a tool that makes leakage the default behaviour of doing their job well, and we acted surprised when the walls didn’t help.

The AI productivity revolution is real. The benefits are real.

But we adopted it with essentially no collective deliberation about what we were giving up.

A handful of companies in one country are now the custodians of an extraordinary concentration of corporate knowledge, technical IP, and strategic intelligence, accumulated not through hacking or espionage but through people trying to fix their code faster.

That’s the world we’re in. And the first step to dealing with it intelligently is actually seeing it clearly.

© Data Science Talent Ltd, 2026. All Rights Reserved.