
The quiet risk sitting in your team's browser tabs
Walk through almost any office today, in Port Louis or anywhere else, and you will find employees pasting work material into AI assistants: client emails, draft contracts, salary spreadsheets, meeting notes. Most of it is well-intentioned. People are trying to work faster. The problem is that nobody decided what was acceptable, so everyone decided individually, and the decisions are invisible.
This is the real data leakage risk with AI assistants. It is rarely a dramatic breach. It is a slow drip of confidential material into consumer tools under personal accounts, outside any policy, with no record of what went where.
Understand what actually happens to pasted data
Before writing rules, understand the mechanics. When someone pastes text into an assistant, three separate questions apply:
- Is it stored? Almost always yes, at least as conversation history, sometimes for extended retention periods.
- Is it used for training? This depends entirely on the tier. Many consumer free tiers may use conversations to improve models. Business and enterprise tiers generally do not, and say so contractually.
- Who can see it? Under a personal account, the company has no visibility and no control. If the employee leaves, the history leaves with them.
The practical conclusion: the same assistant can be fine or reckless depending on the account it runs under. The tool is not the risk. The account and the habits are.
Classify before you regulate
A blanket ban fails immediately, because the productivity gain is real and people will route around the ban on their phones. A better approach is a simple traffic-light classification that fits on one page:
- Green: fine to paste. Public information, generic drafting, your own writing with no client details, brainstorming, learning.
- Amber: paste only after redaction. Internal documents with names, amounts, or identifiers removed. "Client A owes a six-figure sum, 60 days overdue" works as well as the real details for drafting a reminder.
- Red: never paste. Passwords and keys, personal data of customers or staff, medical information, unannounced financials, anything covered by an NDA.
In Mauritius, the Data Protection Act gives personal data legal weight, and sectors like financial services and healthcare carry their own obligations. Even without those, the commercial logic stands: if you would not email it to an outside contractor without a contract, do not paste it into a consumer chatbot.
Give people a safe default, not just a warning
Policies that only say "no" push behaviour underground. The organisations that handle this well pair every restriction with a sanctioned alternative:
- Provide business-tier accounts with training switched off, so the compliant option is also the convenient one.
- Publish the traffic-light sheet where people will see it, and include real examples from your own workflows.
- Teach redaction as a skill. Replacing names with roles takes seconds once it is a habit.
- Name one person as the point of contact for "can I paste this?" questions, so uncertainty has somewhere to go.
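The traffic-light sheet and the redaction habit above can be turned into a small pre-paste check. This is an added illustration, not code from the original post or from Nexus; the name-to-role map, the red-category patterns, the currency prefixes and the sample sentences are constructed assumptions.

```python
import re

# Constructed mapping of real names to roles, maintained by the team (assumption).
ROLE_MAP = {"Acme Ltd": "Client A", "Jane Doe": "the account manager"}

# Red category: anything matching these never leaves the machine (constructed patterns).
RED_PATTERNS = {
    "password/key": re.compile(r"(?i)\b(password|passwd|api[_-]?key|secret|token)\b\s*[:=]\s*\S+"),
    "email address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "card number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

# Amber category: amounts with a currency prefix are bucketed, e.g. "MUR 450,000" -> "a six-figure sum".
AMOUNT_RE = re.compile(r"(?:MUR|Rs\.?|USD|\$|€|£)\s?(\d+(?:,\d{3})*(?:\.\d+)?)")
FIGURES = {1: "one", 2: "two", 3: "three", 4: "four", 5: "five", 6: "six", 7: "seven", 8: "eight"}


def bucket_amount(value: str) -> str:
    """Replace an exact amount with its order of magnitude, which is enough for drafting."""
    digits = len(str(int(value.replace(",", "").split(".")[0])))
    word = FIGURES.get(digits)
    return f"a {word}-figure sum" if word else "a very large sum"


def classify_and_redact(text: str):
    """Return (colour, red_hits, redacted_text) for a snippet someone wants to paste.

    red   -> blocked, redacted_text is None and red_hits names what was found
    amber -> names and amounts were replaced; paste the redacted version instead
    green -> nothing sensitive detected, paste as-is
    """
    hits = [label for label, pattern in RED_PATTERNS.items() if pattern.search(text)]
    if hits:
        return "red", hits, None
    redacted = text
    for name, role in ROLE_MAP.items():
        redacted = redacted.replace(name, role)
    redacted = AMOUNT_RE.sub(lambda m: bucket_amount(m.group(1)), redacted)
    colour = "amber" if redacted != text else "green"
    return colour, [], redacted


if __name__ == "__main__":
    for sample in ("Our password: hunter2",
                   "Acme Ltd owes MUR 450,000, 60 days overdue",
                   "Draft a polite reminder for an overdue invoice"):
        print(classify_and_redact(sample))
```

The check is deliberately conservative: any red hit blocks the whole snippet rather than trying to redact around it.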
For smaller companies without an IT department, this whole setup is a one-to-two week project, and it is exactly the kind of engagement a local firm like Nexus (nexus.mu) handles: choosing the tier, writing the one-page policy, and training the team on it.
Trust, verify, and revisit
Finally, accept that no policy eliminates judgment. Someone will always face a case the sheet does not cover. Two habits keep the system healthy over time.
First, make near-misses discussable. If an employee pastes something they should not have, you want to hear about it the same day, not discover it in an audit. That only happens if the response to honesty is a fix, not a punishment.
Second, review the policy every six months. Assistants gain features, tiers change their data terms, and your own use cases evolve. A rule written for chat becomes outdated the moment your team starts using assistants inside email and documents, where the data exposure is broader and the controls are different.
AI assistants at work are not a security problem to be eliminated. They are a normal tool with a normal risk profile, like email, laptops, and cloud storage before them. Companies that gave staff clear rules and safe defaults got the benefit of those tools. The same playbook works here, and the sooner it is written down, the less there is to clean up later.
A well-chosen assistant gives every person on your team an extra pair of hands.