
AI "Security First Checklist"

  • makenatechsolution
  • 9 hours ago
  • 3 min read

AI "SECURITY FIRST" CHECKLIST! 

If you're using AI... 

  • Use Authorized Tunnels: Stick to company-approved enterprise plans. These typically offer "Opt-out of training" features that keep your data from being used to train public models.

  • Never input API keys, trade secrets, or other sensitive data. 

  • Never upload personally identifiable information: Do not paste resumes with names, phone numbers, or addresses into public AI tools. It's a massive GDPR/privacy violation.

  • Don't Trust AI for Salary Benchmarking: AI models are often trained on outdated data (2023-2024). For 2026 market rates, use real-time industry reports, not a chatbot.

  • The 90/10 Rule: Let AI do 90% of the heavy lifting (drafting, organizing, researching), but spend 10% of your time on manual verification.

1. "Authorized Tunnels" (Approved Enterprise Plans)

An "Authorized Tunnel" is not a literal tunnel; it refers to using company-sanctioned software pathways.

  • The Problem: If you use a free, personal version of an AI (like a basic ChatGPT or Gemini account), your data is often sent over "public" channels where the AI provider may have the right to review or store it.

  • The Solution: "Enterprise" or "Business" plans act as a secure, private "tunnel" between your computer and the AI provider. This ensures that the data stays within a controlled environment that meets your company's security standards.

2. "Opt-out of Training"

When you use a public AI, the company (like OpenAI or Google) typically uses your prompts and uploaded files to "train" the next version of their model.

  • The Risk: If you upload a secret company strategy, a future version of the AI might "learn" that information and accidentally reveal it to a competitor who asks a similar question later.

  • The "Opt-out" Feature: Enterprise plans usually come with a legal guarantee that your data will NOT be used for training. This means your inputs are processed to give you an answer, but they are never "absorbed" into the AI's permanent memory.


EXAMPLES of Why this matters for your role: 


  • Reports: These could contain salary data, recruiter names, and placement fees.

  • Candidate Resumes: Documents contain personal contact info, work history, and military background.

  • Client Job Descriptions: Here is a breakdown of what to redact or protect before putting a JD into a public AI:

1. Proprietary Strategic Data (The "Trade Secrets")

Job descriptions often reveal a company's future strategy.

  • Specific Tech Stacks: Listing very specific, high-end cybersecurity tools or proprietary software versions can tell a competitor exactly how a company's internal infrastructure is built.

  • New Market Expansion: A JD for a "Director of Expansion - Brazil" for a company not yet in South America is a major corporate secret.

  • Product Roadmaps: Mentions of "Experience with [Unreleased Project Name]" should be removed.

2. Sensitive Internal Financials

  • Exact Salary Ranges: Internal "max budget" numbers or specific bonus structures can be sensitive if they differ significantly from market averages.

  • Internal Billing Codes: Often, JDs are copied from internal HR systems and contain cost centers or department codes (e.g., "Charge to Dept 402-B").

3. Identifiable Personnel Data

  • Direct Supervisor Names: JDs often say "Reports to [Executive Name]." Providing this gives "headhunters" a direct map of the company's hierarchy.

  • Internal Contact Info: Phone numbers or email addresses for HR reps or hiring managers.

4. Security & Vulnerability Markers

  • Security Clearances: Mentioning that a role requires a specific government clearance level can make the company a target for social engineering.

  • Specific Site Locations: Revealing exactly which subcontractors or managers are on-site can be a physical security risk for the facility.


How to "Sanitize" a Job Description for AI 

If you want to use AI to analyze a JD, follow this "Sanitization" workflow:


  • Company Name: Replace with "[Confidential Bank]" or "[Regional Industry Firm]."

  • Specific Project Names: Replace specifics with vague identifiers like "[Large Scale Industrial Build]."

  • Names/Emails: Replace "Contact John Doe at jdoe@email.com" with "[Hiring Manager]."

  • Location: Instead of a specific street address, use "Los Angeles Metro Area."
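The sanitization workflow above, sketched in Python as an added example (not code from the original post). The sample JD, every name in it, the `KNOWN_TERMS` mapping and the regex rules are constructed assumptions; the rules cover only US-style phone numbers and capitalized names that follow "Reports to" or "Contact".

```python
import re

# Constructed sample JD: every name, address and code below is made up.
SAMPLE_JD = """Acme Federal Bank is hiring a Senior Security Engineer.
Reports to Jane Smith, VP of Infrastructure.
Experience with Project Bluebird is a plus.
Work site: 123 Main Street, Los Angeles, CA 90012.
Contact John Doe at jdoe@email.com or (213) 555-0147.
Charge to Dept 402-B.
"""

# Exact strings only the recruiter knows (assumed input), mapped to placeholders.
KNOWN_TERMS = {
    "Acme Federal Bank": "[Confidential Bank]",
    "Project Bluebird": "[Large Scale Industrial Build]",
    "123 Main Street, Los Angeles, CA 90012": "Los Angeles Metro Area",
}

# Pattern rules for identifiers with a predictable shape.
NAME = r"[A-Z][a-z]+(?: [A-Z][a-z]+)+"
RULES = [
    ("email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[Email Removed]"),
    ("phone", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"), "[Phone Removed]"),
    ("person", re.compile(r"\b(Reports to|Contact) " + NAME), r"\1 [Hiring Manager]"),
    ("billing", re.compile(r"\bCharge to Dept\.? [\w-]+"), "[Billing Code Removed]"),
]

def sanitize(text, known_terms=KNOWN_TERMS):
    """Return (sanitized_text, {rule_or_term: replacement_count})."""
    counts = {}
    for term, placeholder in known_terms.items():
        text, n = re.subn(re.escape(term), placeholder, text, flags=re.IGNORECASE)
        counts[term] = n
    for name, pattern, placeholder in RULES:
        text, counts[name] = pattern.subn(placeholder, text)
    return text, counts

def residual_findings(text, known_terms=KNOWN_TERMS):
    """List anything sensitive still present; paste only when this is empty."""
    found = [t for t in known_terms if t.lower() in text.lower()]
    found += [m.group(0) for _, p, _ in RULES for m in p.finditer(text)]
    return found

if __name__ == "__main__":
    clean, counts = sanitize(SAMPLE_JD)
    print(clean, counts, residual_findings(clean), sep="\n")
```

Pattern rules cannot recognize a company or project name on their own, so the known-terms list has to come from the person who knows what is confidential. A rule or term with a count of zero means that kind of item was not found, not that the text has none, so read the output before pasting it.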


The Bottom Line: If you want to use AI to summarize a report or screen a resume, only use the tool provided by your headquarters. Using a personal account could violate privacy laws or company policy because those free tools often "harvest" the data you feed them.

 
 
 
