{"id":494,"date":"2026-03-23T17:43:54","date_gmt":"2026-03-23T17:43:54","guid":{"rendered":"https:\/\/shermanperryman.com\/blog\/loose-lips-large-models-is-your-pipeline-leaking\/"},"modified":"2026-03-23T17:43:54","modified_gmt":"2026-03-23T17:43:54","slug":"loose-lips-large-models-is-your-pipeline-leaking","status":"publish","type":"post","link":"https:\/\/shermanperryman.com\/blog\/loose-lips-large-models-is-your-pipeline-leaking\/","title":{"rendered":"Loose lips, large models: Is your pipeline leaking?"},"content":{"rendered":"<section style=\"max-width:720px;margin:0 auto;font-family:Georgia, serif;line-height:1.8;color:#000;\">\n<style>\n    .label {\n      font-family: Arial, sans-serif;\n      text-transform: uppercase;\n      letter-spacing: 0.08em;\n      font-size: 0.82rem;\n      color: #000;\n      margin-bottom: 0.6rem;\n      display: inline-block;\n      background: #f3f3f3;\n      padding: 0.3rem 0.5rem;\n      border-radius: 4px;\n    }\n    h1, h2, h3 {\n      color: #000;\n      font-family: Georgia, serif;\n      line-height: 1.3;\n      margin: 1.2rem 0 0.6rem 0;\n    }\n    p {\n      margin: 0.6rem 0 0.6rem 0;\n    }\n    .quote-card {\n      background:#111;\n      color:#fff;\n      padding:2rem;\n      border-radius:6px;\n      margin:2rem 0;\n      font-size:1.3rem;\n      font-weight:bold;\n    }\n    .doctrine {\n      counter-reset: doctrine;\n      list-style: none;\n      padding-left: 2.4rem;\n      margin: 1rem 0;\n    }\n    .doctrine li {\n      counter-increment: doctrine;\n      margin: 0.6rem 0 1rem 0;\n      position: relative;\n      color: #000;\n    }\n    .doctrine li::before {\n      content: counter(doctrine) \".\";\n      position: absolute;\n      left: -2.4rem;\n      top: 0;\n      font-weight: 700;\n      color: #b8860b;\n      font-family: Arial, sans-serif;\n    }\n    .subtle {\n      color:#000;\n      opacity:0.9;\n    }\n    .grid {\n      display: grid;\n      grid-template-columns: 1fr;\n      gap: 0.8rem 1.2rem;\n    }\n    @media(min-width: 760px) {\n      .grid-2 {\n        grid-template-columns: 1fr 1fr;\n      }\n    }\n    .cta {\n      border: 1px solid #000;\n      padding: 1rem 1.2rem;\n      border-radius: 6px;\n      margin-top: 1.4rem;\n    }\n  <\/style>\n<div class=\"label\">Ops Risk \u2022 AI Governance<\/div>\n<h1>Loose lips, large models: Is your pipeline leaking?<\/h1>\n<p class=\"subtle\">Uncontrolled chatbot use is bleeding your deals. RFPs, PII, and client intel are getting pasted into public models. One prompt can jeopardize an NDA, nuke a procurement, or expose a pipeline you spent years building.<\/p>\n<h2>Hook<\/h2>\n<p>Your team is pasting sensitive copy into public chatbots to move faster.<\/p>\n<p>That speed tax comes due when an RFP clause, a pricing sheet, or a client name pops up in the wrong log.<\/p>\n<p>Governance isn\u2019t a memo. It\u2019s a control plane. Build it now or pay later.<\/p>\n<h2>The exposure map: where leaks start<\/h2>\n<p>The problem isn\u2019t AI. It\u2019s ungoverned inputs.<\/p>\n<p>Employees are using public chatbots like a scratch pad. No guardrails. No visibility. No memory of the NDAs they signed.<\/p>\n<p>Start with RFP workflows. People paste the full statement of work to \u201csummarize requirements.\u201d They paste technical appendices to \u201cgenerate compliance matrices.\u201d That\u2019s proprietary to the issuer and your bid strategy to you.<\/p>\n<p>Then pricing. \u201cDraft a price rationale for these SKUs and discounts.\u201d Congratulations, you just disclosed margin strategy to a third party you don\u2019t control.<\/p>\n<p>Client intel follows. Points of contact. Org charts. Vendor history. Support tickets with PII. Now you\u2019ve got privacy landmines and contractual constraints in a single prompt.<\/p>\n<p>Internal strategy sneaks in. Roadmaps, sales plays, negotiation positions, architecture diagrams. This is crown-jewel material, and it\u2019s now in someone else\u2019s telemetry.<\/p>\n<p>Legal and compliance aren\u2019t in the loop. Procurement rules get trampled. Data residency obligations get ignored. Audit trails don\u2019t exist.<\/p>\n<p>One reckless paste can compromise a bid, poison discovery, and violate three agreements at once.<\/p>\n<div class=\"quote-card\">If you can\u2019t log it, you can\u2019t allow it.<\/div>\n<h2>The policy that actually protects you<\/h2>\n<p>You don\u2019t need a novel. You need a tight, enforceable AI use policy tied to your contracts and regs.<\/p>\n<p>Make it specific. Make it testable. Make it bite.<\/p>\n<p>Define data classes. Public, Internal, Confidential, Restricted. If a user can\u2019t classify the input, they can\u2019t use it.<\/p>\n<p>Ban categories explicitly. No PII, PHI, PCI, attorney-client, export-controlled, client identifiers, unreleased financials, or RFP content not marked public, in any public model. Period.<\/p>\n<p>Whitelist tools. Approved internal models, approved vendor models via your gateway, and nothing else. Block the rest at the firewall and the browser.<\/p>\n<p>Require identity and logging. Every prompt and response tied to a user, a system, a project code, and a data class. Retention aligned to legal hold and DSAR obligations.<\/p>\n<p>Mandate pre-processing. Redaction and tokenization for anything Confidential or above. Automated, not \u201cremember to delete names.\u201d<\/p>\n<p>For RFPs, add a special rule. Only use AI on sections explicitly labeled as public or via an internal private model with client approval. Record the approval with the bid file.<\/p>\n<p>Vendor terms must be vetted. No training on your data. No derivative rights. Regional data residency consistent with client commitments. Breach notification on model misuse, not just security incidents.<\/p>\n<p>Incident response extends to prompts. If a user pastes Restricted data into a public model, it\u2019s a data incident. Contain, report, notify, document.<\/p>\n<p>Training is not optional. Annual certification plus onboarding. Pass a scenario-based assessment. Fail and you lose access.<\/p>\n<h2>Non-negotiable controls: the stack that stops leaks<\/h2>\n<p>Policies fail without enforcement. Here\u2019s the minimum viable control plane.<\/p>\n<p>1) Data Loss Prevention on endpoints and egress. Block copy-paste of Restricted and Confidential into web UIs. Pattern match for client names, RFP IDs, and PII. Alert, quarantine, educate.<\/p>\n<p>2) Redaction gateway. All AI traffic routes through a proxy that strips PII, hashes identifiers, and masks client names before the model sees it. Keep a reversible map in your vault, not in prompts.<\/p>\n<p>3) Private models for sensitive work. Host or VPC-host managed models. No retention. No training on your data. Region-locked. Use retrieval to bring context, not raw dumps.<\/p>\n<p>4) Identity-aware access. SSO, conditional access, and per-project entitlements. Access to models and domains tied to data classifications and client constraints.<\/p>\n<p>5) Logging you can stand in court. Prompt, response, model version, latency, user ID, client code, data class, reason code. Tamper-evident storage. Indexed for eDiscovery.<\/p>\n<p>6) Content filters. Prevent outputs that regenerate masked details or hallucinate sensitive content. Block on patterns and on similarity to redacted originals.<\/p>\n<p>7) Network segmentation. Public AI endpoints blocked by default. Only the gateway talks out. Split dev, test, prod. No shadow tunnels.<\/p>\n<p>8) Encryption everywhere. Data in transit and at rest. Secrets in KMS. No API keys in prompts. Rotations on schedule, not \u201clater.\u201d<\/p>\n<p>9) Model registries and approval. Only registered models with signed terms and passed security review get traffic. Freeze versions for critical workflows.<\/p>\n<p>10) Kill switch. Central toggle to cut AI access for a user, group, model, or client in seconds. No tickets. One click.<\/p>\n<h2>Build the safe lane: architecture that scales<\/h2>\n<p>Don\u2019t fight usage. Channel it.<\/p>\n<p>Stand up a controlled AI gateway. It authenticates users, classifies inputs, applies redaction, hits approved models, logs everything, and enforces policy.<\/p>\n<p>Attach retrieval and tools inside the lane. Store your knowledge in a vector store under your keys. Pull only the slices needed for the task. Mask before retrieval when possible.<\/p>\n<p>Use tiered models. High-sensitivity traffic uses private or on-prem models with strict terms. Low-sensitivity uses managed models through the gateway with no retention.<\/p>\n<p>Keep prompts modular. Approved templates per workflow: RFP summary, contract clause comparison, tech spec rewrite, meeting notes. Templates embed redaction and disclaimers.<\/p>\n<p>Add evaluation loops. Check outputs for policy violations and information exposure before users see them. Flag and learn.<\/p>\n<p>Instrument with metrics. What data classes, which teams, which models, what success rates, what block reasons. This is your early-warning radar.<\/p>\n<p>Set boundaries at the browser. Managed extensions disabled. Clipboard inspection active. Clipboard logs on Restricted data events with notification to security.<\/p>\n<p>Automate compliance artifacts. Each AI-assisted deliverable gets an attached usage manifest: model versions, data classes touched, redaction status, and approvals. Auditors love receipts.<\/p>\n<h2>Productivity without exposure: proven plays<\/h2>\n<p>You can move fast and keep secrets. You just need lanes.<\/p>\n<p>RFP triage. Users feed only public sections or client-approved excerpts through the gateway. Output is a compliance matrix with placeholders for redacted items. Humans fill gaps offline.<\/p>\n<p>Proposal drafting. Use internal style guides and past sanitized wins in your vector store. The model drafts structure and boilerplate. Pricing and client names are variables filled in by two-person control.<\/p>\n<p>Client updates. Summarize meeting notes captured in your CRM. Redaction runs before the model. Names replaced by role tokens. Output mapped back to real names after approval.<\/p>\n<p>Risk reviews. Feed NDA clauses and procurement rules you own the rights to. No third-party docs unless they\u2019re public or approved. The model flags conflicts and creates a checklist, not a verdict.<\/p>\n<p>Engineering assist. Use private models for code. No secrets in prompts. Env vars mocked. Logs stored internally. PRs carry an AI-assist tag with a diff of AI-suggested chunks.<\/p>\n<p>Marketing support. Public data only. Brand voice models trained on your content under your keys. Social drafts reviewed by humans and legal tags before publish.<\/p>\n<p>Analyst work. Ingest reports you\u2019re licensed to use into the private lane. Cite sources automatically. Never paste behind-paywall text into public systems.<\/p>\n<p>Red-team drills. Quarterly exercises where you try to leak your own data through the gateway. Score teams. Fix gaps. Rerun.<\/p>\n<h2>What to teach your people: prompt hygiene<\/h2>\n<p>Never give the model more than it needs. Partial context beats full dumps.<\/p>\n<p>Replace names, IDs, and financials with tokens. The gateway should do it, but train the habit.<\/p>\n<p>Describe structure, not secrets. \u201cA 12-column pricing sheet with tiers and terms\u201d is enough for a template.<\/p>\n<p>Use references, not raw. \u201cRefer to policy DOC-117 section 4\u201d while the system fetches the snippet, masked.<\/p>\n<p>Mark sensitivity at the start of the request. Force a classification step. If you can\u2019t classify, stop.<\/p>\n<p>Assume logs. If you wouldn\u2019t put it in email without encryption and approvals, don\u2019t put it in a prompt.<\/p>\n<h2>Doctrine: what Black Fortitude enforces every time<\/h2>\n<ol class=\"doctrine\">\n<li>No prompts without a log. If it\u2019s not attributable, it\u2019s not allowed.<\/li>\n<li>Data minimization beats clever prompts. Share structure, not secrets.<\/li>\n<li>Private by default for revenue work. Public models are for public data.<\/li>\n<li>Redact first, retrieve later. The gateway protects the house, not the user\u2019s memory.<\/li>\n<li>Controls over guidelines. Culture helps; enforcement closes risk.<\/li>\n<\/ol>\n<h2>30-60-90: operationalize fast<\/h2>\n<p>Day 0-30: stop the bleeding. Block public AI endpoints at the edge except your gateway. Publish a one-page interim policy and run a mandatory 30-minute briefing.<\/p>\n<p>Stand up a basic gateway. SSO, logging, model whitelisting, and a simple redactor for names, emails, and client codes. Ship approved templates for top three workflows.<\/p>\n<p>Map your promises. Pull NDAs, MSAs, and RFP clauses that govern data use. Tag data residency, retention, and training rights. Feed that into a rules engine.<\/p>\n<p>Day 31-60: harden the lane. Expand DLP patterns. Add Restricted and Confidential classifiers. Integrate your vector store. Build usage manifests into deliverable templates.<\/p>\n<p>Negotiate vendor terms. No-retain, no-train, region lock, and breach-on-misuse. Register models. Freeze versions for regulated processes.<\/p>\n<p>Run your first red-team prompt drill. Try to leak five data types and document blocks. Fix misses. Re-run.<\/p>\n<p>Day 61-90: scale and certify. Roll department-specific playbooks. Enable private models for pricing, legal, and engineering. Add kill switch automation tied to incidents.<\/p>\n<p>Launch certification. Scenario-based test. Grant or revoke access automatically. Put leaders on the hook for their teams.<\/p>\n<p>Publish dashboards. Usage by data class, block reasons, model mix, and top playbooks. Make wins visible and risks boring.<\/p>\n<div class=\"quote-card\">Loose prompts lose deals.<\/div>\n<h2>What to look for in tools (and what to avoid)<\/h2>\n<p>Choose vendors who sign your paper, not just theirs.<\/p>\n<p>Must-haves: customer-managed keys, region pinning, zero data retention, and auditable logs with immutable storage.<\/p>\n<p>Real DLP, not \u201cwe care about privacy.\u201d Pattern libraries you can tune, OCR support, and endpoint agents that catch copies, screenshots, and prints.<\/p>\n<p>Redaction that\u2019s reversible inside your boundary and irreversible outside. Deterministic hashing for cross-system joins.<\/p>\n<p>Model catalogs with approval workflows, per-use policies, and runtime attestations on model version and terms.<\/p>\n<p>A gateway that supports multi-model routing, output filters, and structured manifests. If it can\u2019t enforce your rules, it\u2019s just a router.<\/p>\n<p>Avoid any platform that can\u2019t prove where your data was, who touched it, and what the model retained.<\/p>\n<h2>The board-level message<\/h2>\n<p>This is a fiduciary issue. IP leakage and contract violations are not \u201cIT problems.\u201d<\/p>\n<p>Regulators don\u2019t care about hype. They care about controls that map to laws and contracts and can be proven.<\/p>\n<p>Your moat is operational discipline at scale. AI without governance is just a faster way to break things you can\u2019t afford to replace.<\/p>\n<h2>Close<\/h2>\n<p>You can let people work faster without bleeding secrets.<\/p>\n<p>Stand up the lane. Enforce the rules. Log everything.<\/p>\n<div class=\"cta\">\n<p>Black Fortitude builds AI control planes for operators with something to lose. Sherman\u2019s team locks down pipelines for Fortune 500<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Employees are pasting RFPs, PII, and client intel into public chatbots. One prompt can compromise a bid or breach a contract. Governance can&#8217;t wait.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"pagelayer_contact_templates":[],"_pagelayer_content":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","footnotes":""},"categories":[17],"tags":[],"class_list":["post-494","post","type-post","status-publish","format-standard","hentry","category-business"],"_links":{"self":[{"href":"https:\/\/shermanperryman.com\/blog\/wp-json\/wp\/v2\/posts\/494","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/shermanperryman.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shermanperryman.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/shermanperryman.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/shermanperryman.com\/blog\/wp-json\/wp\/v2\/comments?post=494"}],"version-history":[{"count":0,"href":"https:\/\/shermanperryman.com\/blog\/wp-json\/wp\/v2\/posts\/494\/revisions"}],"wp:attachment":[{"href":"https:\/\/shermanperryman.com\/blog\/wp-json\/wp\/v2\/media?parent=494"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shermanperryman.com\/blog\/wp-json\/wp\/v2\/categories?post=494"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shermanperryman.com\/blog\/wp-json\/wp\/v2\/tags?post=494"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}