top of page
Search

Locking Down AI Tooling: Securing Claude, ChatGPT, Copilot, and Gemini Before Someone Pastes in Something They Shouldn’t

  • Writer: Shannon
    Shannon
  • May 24
  • 9 min read

One of the more interesting things about enterprise AI adoption is how quickly people become comfortable with these tools. We spent years teaching users to be skeptical of links, cautious with downloads, thoughtful about where sensitive data goes, and generally a little suspicious of shiny new software. Then AI assistants showed up, proved useful in about thirty seconds, and a lot of that caution went straight out the window. Suddenly people are pasting customer contracts in for summaries, uploading spreadsheets to clean up formatting, dropping production errors into chat windows for troubleshooting help, and asking copilots to synthesize internal strategy documents from collaboration platforms that probably should have had a permissions cleanup three fiscal years ago.


That is not weird behavior...that is very normal human behavior. This is what adoption actually looks like when people find a tool genuinely helpful. The problem is that the conversation often gets framed as though the model itself is the risk, when in most cases the bigger issue is the environment surrounding it. The model is doing exactly what you asked it to do. The governance problem is that many organizations have introduced powerful AI tools into environments with inconsistent access controls, vague acceptable use guidance, questionable data classification discipline, and a very fuzzy understanding of the difference between consumer AI products and enterprise AI platforms.


I intentionally focused on Claude, ChatGPT, Microsoft Copilot, and Google Gemini for this blog in particular because these are the four platforms I see most often in real conversations with customers, peers, architects, and security teams. There are plenty of others, and yes, I am fully aware that if I leave your personal favorite off the list, someone will want to remind me in the comments. These four matter because they are showing up everywhere (doesn't matter if it's for personal use or corporate use). Claude has built strong credibility with technical users. ChatGPT remains the default “throw literally anything at it” platform. Copilot is increasingly part of the Microsoft ecosystem whether organizations planned for it or not. Gemini keeps expanding its footprint in Google productivity experiences that users already live in every day. If these tools are already in your environment or realistically being used whether your governance teams love that fact or not, this is where I would start.


Start With Identity Before You Start With AI Settings

Before you start obsessing over privacy toggles, retention settings, memory controls, or API policies, start with identity. That sounds painfully obvious until you realize how many AI accounts get created quickly, tied to personal identities, used heavily for months, and never get revisited from a security perspective. If someone gains access to one of these accounts, they may inherit conversation history, uploaded documents, remembered preferences, contextual instructions, connected integrations, and a surprisingly detailed operational snapshot of what you or your organization have been doing.


Multi-factor authentication should be enabled everywhere, full stop. Claude supports it. OpenAI supports it. Microsoft supports it. Google supports it. If an AI account becomes a doorway into organizational context, internal discussions, or sensitive workflows, treat it accordingly. If you are operating in a team or enterprise context, SSO should be the default expectation rather than an aspirational checkbox you hope to get around to later. Centralized identity gives you cleaner onboarding, cleaner offboarding, better policy enforcement, and auditability when someone inevitably asks who had access to what.


Session management is one of those painfully unglamorous things that almost nobody checks, but it matters. If you have used one of these tools from a shared machine, an old laptop, a contractor workstation, a lab environment, or frankly any device you are no longer actively thinking about, review active sessions and revoke stale access. It takes very little time and closes a surprisingly common gap.


Claude

Claude has earned a strong reputation among technical users, and I understand why. It handles long context well, performs strongly for analytical work, and Claude Code has become genuinely compelling for engineering workflows. That does not mean privacy assumptions should go unchallenged just because the model happens to be useful.


Anthropic’s privacy controls live here:


The first thing I would verify is whether model improvement settings are configured the way you think they are. Anthropic’s privacy posture has evolved over time, which means relying on something you heard in a hallway conversation six months ago is not a serious governance strategy. Check the actual current setting for your account and your plan. The practical question is simple: is your data being used for model improvement, and what retention policy applies to that usage?


Model improvement details:


Memory is another area worth auditing, particularly if you have been using Claude consistently for work-related conversations. Persistent memory is useful precisely because it helps the assistant maintain continuity, but that same continuity means contextual details can accumulate over time in ways users often forget about. Deleting a conversation does not necessarily mean every associated contextual artifact disappears with it, so it is worth reviewing what Claude actually remembers about you and whether that still makes sense.


Shared conversation links deserve attention too, mostly because they are genuinely helpful and therefore easy to overuse. Collaborative troubleshooting, sharing analysis, or sending someone “look at this weird thing Claude just said” links all seem harmless until months later when nobody remembers what was exposed or whether that link is still accessible. Governance is often less about malicious behavior and more about ordinary convenience left unmanaged. Claude Code changes the trust conversation more meaningfully because now we are no longer talking only about prompts and responses.


Claude Code documentation lives here:


Once an AI tool starts interacting with repositories, files, commands, and execution environments, the conversation becomes much closer to privileged tooling governance than consumer chatbot hygiene. Anthropic does a reasonable job with scoped permissions and explicit approval workflows, but agentic tooling changes the blast radius. If you are authorizing actions rather than just generating text, your risk model should evolve accordingly.


MCP integrations add another layer worth treating with healthy skepticism:


The moment you connect external MCP servers, you are extending trust beyond Anthropic into third-party providers, APIs, or services. That is not automatically a problem, but it is exactly the same integration trust conversation we have always had in enterprise architecture...new acronym, familiar risk.


If sensitive or regulated workloads are involved, API usage is generally the cleaner answer:


Consumer convenience is not the same thing as enterprise governance, and that distinction matters more the moment sensitive data enters the conversation.


ChatGPT

ChatGPT remains the platform people instinctively reach for because it is flexible, familiar, and increasingly capable across an absurd range of use cases (absurd!). That familiarity is both its greatest strength and one of its biggest governance risks, because people get comfortable very quickly and comfort tends to lower scrutiny.


OpenAI’s data controls documentation lives here:


If you are using a consumer ChatGPT account, review your data controls intentionally rather than assuming defaults align with enterprise expectations. Consumer usage may be used to improve models unless you explicitly opt out, while business offerings, API usage, and temporary chats follow different rules. The nuance matters, but the practical advice is straightforward: if you are using a personal account for work content, stop assuming that “it probably works like enterprise.”


Memory deserves real scrutiny:


One of the genuinely useful things about ChatGPT is continuity. It can remember preferences, projects, workflows, tone expectations, recurring tasks, and contextual details that make interactions feel far less repetitive. That same convenience means contextual information can accumulate over time in ways users completely forget about. If you have ever used ChatGPT heavily for work brainstorming, architecture conversations, writing, or operational troubleshooting, it is worth reviewing exactly what it has retained.


Custom instructions are another quiet governance landmine. People configure them once, often with perfectly reasonable intentions, then forget they exist. If you told ChatGPT about your environment, role, technical preferences, customer context, or internal systems months ago, that information may still be influencing future responses. Convenience and persistence tend to go hand in hand.


Temporary chats exist for a reason:


Shared conversation links deserve the same skepticism they do everywhere else. Useful collaboration features are wonderful until nobody remembers which conversations were shared, with whom, or whether those links should still exist.


Custom GPTs and integrations widen the trust boundary considerably. The moment you connect third-party services, allow external actions, or extend capabilities beyond the base platform, this stops being purely an OpenAI conversation and becomes a broader SaaS governance conversation. Evaluate permissions accordingly.


If regulated workloads matter, enterprise privacy commitments live here:


The API and enterprise platforms tell a very different governance story than casual consumer usage and pretending those are interchangeable is how organizations create preventable problems.


Microsoft Copilot

Copilot is where conversations get messy quickly because “Copilot” is not one thing. Consumer Copilot and Microsoft 365 Copilot are materially different products with different governance implications and collapsing them into one generalized privacy conversation creates confusion almost immediately (thanks, Microsoft!).


Consumer privacy details live here:


Privacy controls live here:


If you are using consumer Copilot, review personalization, privacy, and account settings intentionally rather than assuming enterprise protections magically apply because the logo looks familiar.


Microsoft 365 Copilot is a very different conversation:


Microsoft contractually separates enterprise customer data from foundation model training in Microsoft 365 Copilot. That is good and important. What matters operationally, though, is that Copilot is grounded in Microsoft Graph data. That means SharePoint, OneDrive, Teams, Exchange, calendars, documents, collaboration history, and everything else your permissions model already governs.


This is where organizations discover whether their collaboration hygiene is actually as disciplined as they thought.


Microsoft Graph permissions overview:


Copilot generally does not create access that does not already exist. It makes existing access dramatically easier to interrogate. If SharePoint permissions are overly broad, stale, messy, or historically over-granted in the name of convenience, Copilot becomes a very efficient spotlight.


Audit and compliance visibility matter too:


If you are rolling out Copilot, governance conversations should happen before rollout, not after the first awkward executive discovery exercise.


Google Gemini

Gemini is interesting because Google’s AI ecosystem spans multiple experiences with meaningfully different governance implications. Consumer Gemini, Google Workspace Gemini, and Vertex AI do not belong in the same privacy bucket, even though users may perceive them as variations of the same product.


Gemini activity controls live here:


If you are using Gemini with a personal Google account, review activity controls directly rather than assuming defaults are acceptable. Consumer AI products tend to optimize for convenience first, and governance expectations in enterprise environments usually require more deliberate control.


Gemini’s integration depth is one of its most compelling features and one of its most important governance considerations. Gmail, Docs, Drive, Calendar, Meet, and surrounding productivity experiences create enormous convenience because the assistant already lives where users work. That convenience also means the effective data surface becomes much broader very quickly.


Workspace commitments are much stronger:


If you are operating in Workspace enterprise environments, Google provides materially different contractual privacy commitments than casual consumer usage. That distinction matters, especially if sensitive workloads or regulated data are involved.


Vertex AI governance details live here:


As with every other provider in this conversation, governed enterprise AI platforms tell a very different risk story than free consumer convenience tooling.


The Shared Risk Across All Four

What is interesting about all four platforms is that while their privacy settings, product packaging, and enterprise controls differ, the underlying operational risk is remarkably consistent. These tools process what users give them. That means the biggest AI governance failures are often not caused by the model behaving badly. They are caused by organizations failing to define what should never be handed to external systems in the first place.


AI tends to expose operational messes that already existed. Overly broad access. Weak identity discipline. Poor collaboration hygiene. Unclear acceptable use policies. Users expensing personal subscriptions because official procurement moves slower than reality. Sensitive information handled casually because convenience won the argument. AI did not invent those problems. It simply made them easier to notice.


That is why the most useful AI governance conversations are rarely about fearmongering over the models themselves. They are about trust boundaries, access models, retention expectations, identity governance, and user behavior.


Quick Lockdown Checklist


Identity

☐ MFA enabled everywhere

☐ SSO enforced for organizational deployments

☐ Active sessions reviewed and stale access revoked


Claude

☐ Model improvement settings reviewed

☐ Memory audited

☐ Shared conversation links reviewed

☐ Claude Code permissions evaluated☐ MCP integrations assessed intentionally


ChatGPT

☐ Consumer data controls reviewed

☐ Memory audited

☐ Custom instructions reviewed

☐ Shared links reviewed

☐ Third-party integrations evaluated


Copilot

☐ Consumer vs enterprise usage clearly distinguished

☐ Microsoft Graph permissions reviewed

☐ SharePoint hygiene assessed before rollout

☐ Audit and compliance visibility configured


Gemini

☐ Gemini activity settings reviewed

☐ Workspace governance validated

☐ Integration surface understood

☐ Enterprise controls preferred for sensitive workloads


Governance

☐ Acceptable use policies updated

☐ Sensitive data handling clarified

☐ Consumer vs enterprise distinctions communicated clearly

☐ Users trained with practical examples instead of PDFs nobody reads


Final Thought

These tools are genuinely useful, and pretending otherwise is not a serious strategy. The organizations getting this right are not the ones trying to ban every AI interaction out of fear, nor are they the ones enabling everything blindly because the demos looked impressive. They are the ones treating AI platforms the same way they would treat any other powerful technology touching data, workflows, and trust boundaries. In most environments, the biggest AI risk is not the model. It is the set of assumptions the organization made around it.

© 2020 Shannon B. Eldridge-Kuehn

  • LinkedIn
  • Twitter
bottom of page