The Core of the Problem: How Leaks Happen
The fundamental risk with public AI tools like ChatGPT, Gemini, and others is simple: what you put in can get out. When an employee pastes a chunk of internal source code, a sensitive client email, or details from a confidential report into a public AI's
prompt window, that data is no longer exclusively within the company's control. These platforms often use user inputs to train their models. This means proprietary information could, in theory, surface in a response to another user's query somewhere else in the world. A high-profile case involved Samsung engineers who accidentally uploaded sensitive source code to ChatGPT, prompting the company to swiftly ban the tool internally. This isn't a theoretical vulnerability; it's a demonstrated risk that can lead to the loss of intellectual property, trade secrets, and competitive advantage.
Rules vs. Reality: Policy, Not Law (For Now)
The headline's mention of "rules" can be slightly misleading. As of mid-2026, there isn't a single, overarching government law in India or globally that explicitly bans public AI in the workplace. Instead, the "rules" are overwhelmingly internal corporate policies. Companies like Apple, JPMorgan Chase, Verizon, and many others across finance, tech, and defense have implemented restrictions or outright bans. Their motivation is risk management, not legal mandate. In India, while there isn't a specific AI ban, the Digital Personal Data Protection Act (DPDP) of 2023 puts strict obligations on companies (as 'data fiduciaries') to protect personal data, with hefty penalties for breaches. Using a public AI tool that processes data in unclear ways could easily violate these obligations, making a corporate ban a prudent defensive measure.
Why Companies Are Taking Action Now
The stakes are incredibly high. A data leak via an AI tool can result in severe financial penalties under laws like the DPDP Act, not to mention crippling reputational damage. Imagine a company's future product plans or private customer data becoming public knowledge; the loss of trust could be irreversible. Furthermore, there's the issue of "hallucinations," where AI models generate plausible but incorrect information. If an employee relies on faulty AI-generated data for a critical business decision, the consequences could be disastrous. Faced with this combination of data privacy violations, security vulnerabilities, and reliability issues, many organizations have concluded that the productivity gains from public AI are not worth the potential fallout. A recent survey found that around 75% of companies have either implemented or are considering bans on such tools.
The Rise of 'Shadow AI'
Despite the clear risks and growing number of corporate bans, employees are not necessarily stopping. This has led to the rise of 'Shadow AI'—the unsanctioned use of AI tools at work. One recent study found that a staggering two-thirds of office workers have used AI tools they believed were banned by their employer. Many employees do this to boost efficiency or because they feel the approved corporate tools are too restrictive. This creates a dangerous situation where companies have a false sense of security. They may have a ban on paper, but in practice, their sensitive data is still being fed into public platforms, often from employees' personal devices, making the activity even harder to track.
The Path Forward: Private and Governed AI
The solution isn't to abandon AI altogether. The productivity benefits are too significant to ignore. Instead, the future lies in enterprise-grade, private AI solutions. Many companies that have banned public tools, like Goldman Sachs and Amazon, are simultaneously investing heavily in building their own internal AI chatbots or using secure, private versions of existing models. These private environments ensure that a company's data remains within its own secure servers, never used for external model training. For businesses in India, establishing a clear AI Governance Policy is becoming essential. This involves defining what tools are permissible, training employees on the risks, and setting up secure, sanctioned alternatives that allow staff to innovate without compromising security.
