
July 15, 2026
Your Team Is Already Using AI Tools
What Happens to Your Data When You Use a Public AI Tool
Governed vs Public AI Tools: Understanding the Difference
What Data Should and Should Not Go Into an AI Tool
AI tools are part of how most teams work now. Staff are using ChatGPT, Claude, Microsoft Copilot, and Google Gemini to draft documents, summarise meetings, research topics, and handle tasks that would otherwise take hours.
For most businesses, that's a good thing. AI tools genuinely help people work more efficiently.
The risk isn't the tools themselves. It's using them without thinking through what data goes in — and what happens to it once it does.
This post covers the practical steps any business can take to use AI tools safely, without turning it into a compliance project.
The first thing worth acknowledging is that AI adoption in the workplace is already well underway. According to the University of Melbourne and KPMG's Trust in AI 2025 global study, 58% of employees regularly use AI tools for work — with 31% using them daily or weekly.
The same study found that 70% of Australian employees are using free, public AI tools rather than employer-provided, governed versions.
That means in most businesses, staff are making their own decisions about what tools to use and what information to put into them — not because they're being careless, but because no one has given them clear guidance.
The practical starting point isn't a policy document. It's understanding what the tools actually do with your data — so you can give your team clear, usable guidance.
When someone enters information into an AI tool, that data doesn't stay on their device. It travels from the device to the AI provider's servers, where it's processed and — depending on the tool and the plan — may be retained and used to train future versions of the model.
The key variable is which plan your team is using.
For the most commonly used tools, the distinction matters significantly:
ChatGPT (Free, Plus, and Pro plans): Conversations are used to train OpenAI's models by default. Users can opt out individually in settings, but there's no central control — meaning the protection depends on each staff member remembering to change a setting. ChatGPT Business and Enterprise plans exclude workspace data from training by default and include admin controls.
Claude (Free and Pro plans): Anthropic's consumer plans default to using conversations for model improvement, with data potentially retained for up to five years if users don't opt out. Claude for Work (Team and Enterprise) plans exclude business data from training by default.
Google Gemini (personal accounts): Personal Gemini usage is subject to Google's consumer terms. Gemini for Google Workspace operates under enterprise data handling terms and does not use Workspace data to train Google's AI models.
Microsoft 365 Copilot: Operates inside your Microsoft 365 tenant. Data processed by Copilot stays within your existing Microsoft security and compliance boundary and is not used to train the underlying models. This is one of the key advantages of Copilot for businesses already on Microsoft 365 — as we covered in our Copilot Cowork post.
The practical implication: if your staff are using free or personal-tier AI tools for work, your business data may be leaving your environment and contributing to model training — under terms your organisation has not reviewed or agreed to.
The most important distinction in AI tool selection isn't which tool is most capable. It's whether the tool is operating under terms that protect your business data.
Public AI tools (free and personal paid tiers of ChatGPT, Claude, and Gemini) are designed for individual consumer use. They process data on external servers under consumer terms of service. They have no admin controls, no central visibility over what's being entered, and no contractual commitment to your organisation about how data is handled.
Governed AI tools (enterprise and business tiers of the same tools, plus Microsoft 365 Copilot and Google Workspace Gemini) operate under business terms that include:
The upgrade from a personal plan to a business plan doesn't just buy more features. It changes the fundamental data relationship between your business and the AI provider.
For businesses that want the full governance and compliance picture — including how AI tool use intersects with the Essential Eight, the Privacy Act, and the Cyber Security Act 2024 — DefenderSuite has published a detailed guide: AI in the Workplace: A Cyber Security Guide for Australian Businesses.
Even with a governed AI tool in place, clear guidance on what data is appropriate to use matters. The tool being secure doesn't mean every type of data should go into it.
A practical way to think about it:
Generally fine in governed, business-tier tools:
Use with care — check your tool's terms and your organisation's policies:
Avoid in any public or unverified AI tool:
The goal isn't to restrict how your team uses AI. It's to give them a clear frame so they can make good decisions without having to guess.
These steps don't require a large IT project. They're the practical minimum that makes a meaningful difference.
1. Find out what tools your team is actually using: Before setting any policy, understand the current state. Most businesses find their staff are using several different AI tools across different teams — often without IT's knowledge. A simple survey or conversation with team leads is usually enough to get a clear picture.
2. Set a clear list of approved tools: Decide which AI tools are appropriate for business use and communicate that clearly. For most businesses on Microsoft 365, Microsoft 365 Copilot is the natural governed option. For businesses that want to use other tools like ChatGPT or Claude, move staff to business or enterprise tiers where data handling terms are appropriate for business use.
3. Give staff simple guidance on what data to avoid sharing: A one-page summary of what's fine and what isn't is more useful than a lengthy policy document. Use the categories above as a starting point and tailor it to your industry and the type of data your business handles.
4. Make sure your Microsoft 365 environment is properly configured: If your team is using Copilot or any Microsoft 365-integrated AI tool, the access controls, permission structures, and sensitivity settings in your Microsoft 365 environment determine what those tools can see. If your environment hasn't been reviewed recently, it's worth getting that done before AI tools are broadly deployed. This is something Superior IT can help with directly.
5. Revisit this regularly: AI tools, their terms of service, and the guidance around them are changing quickly. What's true about a tool's data handling today may be different in six months. Build a simple review into your existing IT or business planning cycle — annually at minimum, or whenever a significant new tool is adopted.
For our managed IT clients, practical AI safety is an extension of the work we're already doing — not a separate project.
We help businesses:
For businesses that need to go further — formal Essential Eight assessments, documented compliance programs, or cyber security governance that satisfies insurers, government procurement teams, or DISP requirements — we work with DefenderSuite, our specialist cyber security and compliance platform. DefenderSuite's Essential Eight Assessment is the structured starting point for businesses with those obligations.
Talk to the Superior IT team about AI tool setup and Microsoft 365 configuration →
Or call us: 1300 93 77 49
University of Melbourne and KPMG – Trust in AI Global Study 2025: https://kpmg.com/au/en/insights/artificial-intelligence-ai/trust-in-ai-global-insights-2025.html
OpenAI – ChatGPT Business: https://openai.com/chatgpt/business/
Anthropic – Claude for Work: https://www.anthropic.com/claude-for-work
Google – Gemini for Google Workspace: https://workspace.google.com/products/gemini/
Microsoft – Microsoft 365 Copilot: https://www.microsoft.com/en-us/microsoft-365-copilot
OAIC – Guidance on privacy and the use of commercially available AI products: https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/guidance-on-privacy-and-the-use-of-commercially-available-ai-products
If you're looking for more info or assistance, we're a call, email or message away.
App Development, Business & Tax, and Digital Marketing. Super Charge Your Growth.
Existing Customer Support Portal, speak to one of our experts in no time.