Most firms we work with have a defensible cybersecurity posture, including patching cycles, endpoint protection, email filtering, MFA, an annual pen test, and the basics properly maintained. However, none of it stops an employee from pasting a client file into a chatbot.
For fifteen years, cyber programs at small and mid-sized firms have been built around the assumption that sensitive data stays inside the firm. But AI tools break that assumption on the first day of use.
AI is already in the building at most professional services firms, as the first blog of this series laid out, usually well before the firm even knows it. What firms should be checking is whether their current security and compliance setup covers it.
What a public AI tool does with your data
A wealth manager pastes a portfolio summary into ChatGPT to redraft it for a client. The data leaves the firm at that moment, sent over the public internet to OpenAI’s servers and processed there. Depending on the account tier, it may also be retained for some period.
Free and Plus tiers of ChatGPT and similar consumer tools allow the provider to use inputs to improve future models unless the user actively opts out. Enterprise and Team tiers usually don’t. The default for an employee who signed up with a personal email is the more permissive setting.
That single paste is a third-party disclosure of covered information by an employee acting in good faith under a deadline. It bypasses email DLP because nothing was emailed. The firewall sees only a routine outbound connection to a domain it has no reason to flag.
What the regulated rulebooks already say
The fact that AI is new does not reset the regulatory clock.
Legal
The American Bar Association issued Formal Opinion 512 in July 2024, its first formal guidance on lawyers using generative AI. Model Rule 1.6, confidentiality, applies in full. Lawyers are responsible for knowing how a generative AI tool uses the data they put into it, and informed consent from the client is required before client confidences go into a tool that may retain or train on them. Boilerplate consent in the engagement letter doesn’t satisfy the rule. For law firms working with BASE, this is the single change with the biggest impact on how AI is rolled out internally.
Financial
The FTC’s GLBA Safeguards Rule requires financial institutions, including independent RIAs and many smaller financial services firms, to maintain a written information security program covering every system that handles customer information. A consumer AI tool an associate signed up for on a personal Gmail is not part of that program.
Accounting
The AICPA’s confidentiality rule (1.700.001) and the IRS’s Section 7216 restrictions on the use of taxpayer information both predate generative AI but apply to it cleanly. A 1040 dropped into a free AI tool during tax season is a disclosure of client information to an unrelated third party.
Healthcare
For HIPAA-regulated workflows that touch protected health information, the same logic applies. A clinician dictating notes into a public AI transcription tool, a practice manager summarizing patient correspondence in ChatGPT, or a research coordinator drafting a clinical trial protocol with a free model are all third-party disclosures of PHI. Under HHS rules, a vendor that processes PHI on the practice’s behalf must be engaged as a business associate, and most public AI tools are not.
The threats your stack wasn’t built to withstand
NIST’s Generative AI Profile of the AI Risk Management Framework, published in July 2024, identifies twelve risk categories specific to generative AI. Several deserve immediate attention from professional services firms.
Sensitive information disclosure now ranks number two on OWASP’s Top 10 for LLM Applications, up from number six in the previous edition. The incidents driving that jump have been employees pasting client information and source code into public chatbots.
Prompt injection sits at the top of the same list. In the indirect form, a malicious instruction is hidden inside something the AI processes, like a contract or a vendor proposal, and the model carries it out. A firm using an AI assistant that can summarize incoming email or search internal documents has just expanded its attack surface in a way last year’s pen test did not cover.
Vendor due diligence is the area where most cyber programs are furthest behind. The process built for cloud and SaaS is well-established at most firms. The AI version usually isn’t. The questions are different. How is the model trained? What data is retained? Where is processing happening? What’s the breach notification window?
AI is not a separate security problem
The mistake we see most often is treating AI security as a new program. It is a set of new questions inside the existing security and compliance program, such as which tools are sanctioned, who has access, what data leaves the firm and through which channels, and what the regulator would say if asked.
Firms that try to bolt AI controls on as a standalone module end up with two programs that don’t talk to each other. Firms that fold AI into the existing posture end up with one defensible program that survives the next regulatory cycle.
Secure the ground before you climb further
The first blog in this series argued that most firms don’t know how much AI is already in their building. The second laid out the policy that gives employees a sanctioned way to use it. The third move is making sure the ground that policy sits on has been checked.
For professional services firms in the DMV, the starting point is a current inventory of every AI tool in use and a map of the regulated data flowing through them. The next step is rebuilding the vendor review process for the questions generative AI raises.
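One way to start the inventory described above, as an added example that is not BASE Solutions’ code or process: a Python script that reads web proxy access logs, maps destinations to known public generative AI services, separates the firm’s sanctioned tenant from everything else, and flags requests large enough to be a pasted document rather than a typed question. The log format, the domain list, the sanctioned set and the byte threshold are all assumptions for this example, and the log lines are constructed.

```python
"""Inventory generative-AI destinations from egress proxy logs.

Added example, not BASE Solutions' code. Assumes a simple space-separated
proxy log (timestamp, user, method, URL, bytes sent) and a hand-maintained
domain list. Everything below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: domains of public generative-AI services, kept as a living list.
AI_DOMAINS = {
    "chatgpt.com": "ChatGPT",
    "chat.openai.com": "ChatGPT",
    "api.openai.com": "OpenAI API",
    "claude.ai": "Claude",
    "gemini.google.com": "Gemini",
    "copilot.microsoft.com": "Copilot",
}

# Assumption: the one tool the firm has licensed on an enterprise tier.
# Any other AI_DOMAINS hit is unsanctioned ("shadow AI") use.
SANCTIONED = {"copilot.microsoft.com"}

# Bytes sent in a single request above which we treat it as a likely
# document paste or file upload rather than a short typed prompt (assumption).
UPLOAD_THRESHOLD = 20_000

# Constructed sample log: epoch user method url bytes_out
SAMPLE_LOG = """\
1720000000.123 jdoe POST https://chatgpt.com/backend-api/conversation 48213
1720000010.456 jdoe GET https://www.nytimes.com/ 512
1720000020.789 asmith POST https://copilot.microsoft.com/c/api/conversations 9021
1720000030.012 bwilson POST https://claude.ai/api/organizations/x/chat_conversations 31044
1720000040.345 bwilson GET https://api.openai.com/v1/models 201
"""


@dataclass(frozen=True)
class Finding:
    user: str
    host: str
    tool: str
    sanctioned: bool
    bytes_out: int

    @property
    def large_upload(self) -> bool:
        return self.bytes_out >= UPLOAD_THRESHOLD


def classify_host(host: str):
    """Return (matched_domain, tool) if host or any parent domain is in AI_DOMAINS."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in AI_DOMAINS:
            return candidate, AI_DOMAINS[candidate]
    return None


def parse_line(line: str):
    """Parse one log line into a Finding, or None if it is not AI traffic."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _ts, user, _method, url, bytes_out = parts
    host = urlparse(url).hostname
    if not host or not bytes_out.isdigit():
        return None
    match = classify_host(host)
    if match is None:
        return None
    domain, tool = match
    return Finding(user, host, tool, domain in SANCTIONED, int(bytes_out))


def build_inventory(log_text: str) -> dict:
    """Group AI-destination findings by user."""
    inventory = defaultdict(list)
    for line in log_text.splitlines():
        finding = parse_line(line)
        if finding:
            inventory[finding.user].append(finding)
    return dict(inventory)


def summarize(inventory: dict) -> dict:
    """Per tool: which users touched it, whether it is sanctioned, and how many
    requests looked like bulk pastes. This is the starting inventory."""
    summary = {}
    for user, findings in inventory.items():
        for f in findings:
            entry = summary.setdefault(
                f.tool, {"users": set(), "sanctioned": f.sanctioned, "large_uploads": 0}
            )
            entry["users"].add(user)
            if f.large_upload:
                entry["large_uploads"] += 1
    return summary


if __name__ == "__main__":
    for tool, entry in sorted(summarize(build_inventory(SAMPLE_LOG)).items()):
        status = "sanctioned" if entry["sanctioned"] else "UNSANCTIONED"
        print(f"{tool:12} {status:13} users={sorted(entry['users'])} "
              f"large_uploads={entry['large_uploads']}")
```

The proxy is the right place to look because, as the paste scenario earlier on the page shows, email DLP never sees the data and the firewall sees only an ordinary HTTPS connection. Matching on the destination host turns that ordinary connection into an inventory entry, and the bytes-sent field separates a short question from a portfolio summary or a 1040. The output is a list of tools and users to reconcile against the firm’s sanctioned-tool policy, not a verdict on any single request.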
Book a consultation with BASE Solutions to review your AI security and compliance posture.