What actually happens to your company data when it enters an AI prompt
When a marketer uses an AI tool that is not an enterprise-licensed, contractually isolated product, what they paste into the prompt crosses the enterprise boundary. The data travels to the vendor's infrastructure, is processed by the model, and depending on the product tier, may be retained for model improvement, safety review, or support. Most marketing teams treating AI tools as extensions of their internal workflow have not mapped this path.
Training contamination. The most consequential risk for company confidential data is training contamination. Consumer-tier products and most standard API tiers include terms permitting the vendor to use submitted content to improve their models, unless the user opts out or holds an enterprise agreement with training exclusions. A campaign brief, a competitive positioning document, or a media plan submitted via a consumer account may contribute to future training cycles. Language models trained on specific content can surface statistical patterns from that content when prompted in related ways. The risk is not that a competitor directly queries your strategy. The risk is subtler: a well-trained model may generate outputs that reflect the strategic framing, product positioning language, or creative assumptions embedded in data it has seen during training.
Model memorization. Research on model memorization has shown that language models can reproduce verbatim fragments from their training data under specific conditions, particularly for text that is distinctive or repeated. For branded content such as distinctive taglines, pricing logic, or campaign strategy language, this represents a non-zero exposure channel if such content enters model training.
Inference-time access. Even where training is contractually excluded, the vendor's infrastructure processes every prompt in real time. Depending on the vendor's access controls and support practices, prompt contents may be accessible to vendor staff for safety review, abuse prevention, or support resolution. Enterprise API agreements with audit log access and zero-log commitments reduce this risk, but they do not eliminate it in all configurations.
Data residency. Most commercial AI APIs process data in data centres in the United States or the European Union by default. For organisations subject to local residency requirements, such as MAS-regulated financial institutions in Singapore or entities handling health data under Australia's My Health Records Act, processing via a US-hosted API without a data residency agreement may constitute an unauthorised cross-border data transfer, independent of whether any customer data is involved.
The tier distinction most teams have not checked
Enterprise API agreements with training exclusions and zero-log options are materially different from consumer products. The product tier your team is using determines your exposure. Consumer products (ChatGPT Free, Gemini consumer, Claude.ai free) are not appropriate for prompts containing company strategy, client information, or customer data. Standard API access without a signed data processing agreement sits somewhere in between, and the specific terms vary by vendor.
The three data risk categories for marketing teams, in the order they actually happen
Most AI data risk discussions lead with customer PII. That framing is backwards for most marketing teams. Company confidential data is present in almost every AI-assisted marketing workflow. Customer PII appears in a specific, narrower subset of workflows. Regulated-sector compliance obligations are the third layer, applying when customer data and regulatory frameworks converge.
Category 1: Company confidential data
This is the data type most likely to enter an AI prompt in day-to-day marketing work. It includes campaign briefs and creative strategy documents, competitive positioning analyses, media plans and budget allocations, campaign performance reports with internal benchmarks, product launch timelines and go-to-market strategies, and pricing documents or commercial terms.
When this data is submitted to a non-enterprise AI product, it crosses the enterprise boundary without the controls that govern internal document sharing: data loss prevention scanning, document classification, or NDA frameworks. The legal exposure runs to trade secret law (Singapore's Trade Secrets Act, the US Defend Trade Secrets Act, the EU Trade Secrets Directive) and breach of confidentiality clauses in employment agreements and contractor terms.
The risk is not only legal. A model trained on your competitive positioning may influence outputs for other users working in adjacent markets. A performance report submitted during model training may inform how the model frames benchmarks for similar industries. The data you submit does not stay contained.
Category 2: Client and third-party data
For agencies and consultancies, client documents carry a separate exposure layer. Pasting a client's brief, campaign performance data, or audience segments into an external AI tool may breach the NDA governing that engagement, regardless of whether the data contains personal information. Audience segment data provided by a client often carries usage restrictions that prohibit processing by unauthorised third-party platforms. This exposure exists independent of any customer data protection framework.
Category 3: Customer PII in regulated-sector workflows
Customer PII enters AI prompts in a narrower set of workflows than most practitioners assume. Standard marketing tasks such as writing copy, generating creative variations, or summarising platform reports do not inherently involve personal data. PII typically enters AI prompts when personalised email copy is drafted using real customer names or account details, when CRM exports are uploaded for segmentation work, when customer service chat logs are used as input for AI-generated response templates, or when survey responses containing identifying information are processed for insight extraction.
It is in this specific category that the sector-specific regulatory frameworks (PDPA, GDPR, HIPAA, MAS guidelines) become relevant. The industry sections below map those frameworks by sector and market.
The incident pattern that keeps repeating
A marketing manager, under deadline pressure, pastes the full Q3 campaign brief into a consumer AI writing tool to get a creative framework faster. The brief contains the brand's competitive positioning, product pricing rationale, and budget allocation by channel. The tool is a consumer-tier product. That document has now left the enterprise boundary, entered a third-party system without a Data Processing Agreement, and may be retained for model training. The creative framework it produced is fine. The strategic data that preceded it is not.
Banking and financial services: AI marketing data risks by market
Financial services marketing sits at the intersection of the most demanding data protection regimes in each jurisdiction. The volume of customer financial data that flows through marketing systems. CRM records, campaign audiences, behavioural analytics. means the exposure surface is large.
Banking · Singapore
AI marketing in Singapore banking: MAS, PDPA, and TRM obligations
Singapore banks and financial institutions are regulated by the Monetary Authority of Singapore (MAS). Key frameworks that apply to AI marketing use:
- MAS Technology Risk Management Guidelines (TRM Guidelines, revised January 2021). Require financial institutions to identify risks from third-party technology services, maintain inventories of all systems processing customer data, and ensure outsourced providers meet MAS's security standards. Using an external AI API for marketing constitutes a third-party technology service under this framework.
- MAS Model AI Governance Framework (2nd edition, January 2020). Outlines four pillars: internal governance, human oversight, operations management, and customer relationship management. Marketing AI tools that generate customer-facing content fall under the customer communication pillar and require documented governance.
- MAS FEAT Principles (Fairness, Ethics, Accountability, Transparency). Apply to all AI and data analytics uses in financial services. Customer segmentation and targeting built on AI models must be explainable and must not discriminate on protected characteristics.
- PDPA 2012 with 2020 amendments. Data transfers to AI vendors require contractual data protection undertakings equivalent to Singapore's PDPA standard. The 2020 amendments strengthened accountability and introduced mandatory breach notification within three days of discovery of a notifiable data breach.
The practical implication: a Singapore bank using an external AI API to draft product marketing emails must have a signed Data Processing Agreement with the AI vendor, confirm the vendor meets MAS TRM standards (or accept the residual risk with documented board-level approval), and maintain a record of the processing activity under PDPA accountability obligations.
Banking · Australia
AI marketing in Australian banking: APRA, ASIC, and the Privacy Act
Australian banks and financial institutions face a layered regulatory environment for AI marketing:
- APRA CPS 234 Information Security. Requires APRA-regulated entities to classify information assets, implement security controls, and ensure third-party services handling material information meet APRA's security standards. Marketing AI tools that access customer data may fall within scope depending on data classification.
- APRA CPS 231 Outsourcing. Material outsourcing arrangements must be notified to APRA. Whether a specific AI API contract constitutes a material outsourcing depends on the data processed and the operational dependency created. Legal advice is required per-arrangement.
- ASIC Regulatory Guide 234 (updated June 2026). Covers advertising of financial products and services. AI-generated marketing content for financial products must meet all RG 234 requirements on truthfulness, balance, prominence of warnings, and the prohibition on misleading or deceptive conduct. regardless of whether the content was written by a human or generated by an AI tool. ASIC's enforcement stance treats AI-generated content and human-authored content identically for regulatory purposes.
- Australian Privacy Act 1988 (APPs). APP 8 restricts cross-border transfers of personal information unless the overseas recipient is subject to an equivalent privacy standard or the entity takes reasonable steps to ensure equivalent protection. Most US-hosted AI APIs require a contractual solution under APP 8.
Banking · United States
AI marketing in US banking: OCC, FDIC, FINRA, and the CFPB
US financial institutions operating under federal and state banking regulators face specific obligations:
- Gramm-Leach-Bliley Act (GLBA) Safeguards Rule (FTC, revised 2021). Requires financial institutions to implement comprehensive information security programs covering all customer financial information. Third-party AI services processing customer financial data are service providers under the Safeguards Rule and require written contracts with security obligations, oversight of their performance, and vendor assessment documentation.
- FINRA Rule 2210 on communications with the public. Applies to broker-dealer marketing. AI-generated content in any retail communication must be reviewed by a registered principal before distribution if it contains investment recommendations or product descriptions. The review obligation does not transfer to the AI tool.
- CFPB and fair lending. The Consumer Financial Protection Bureau has signalled active interest in AI decision-making in lending and marketing. AI audience segmentation that results in differential delivery of marketing across demographic groups may raise Equal Credit Opportunity Act (ECOA) and Fair Housing Act concerns even where no intentional discrimination occurs.
- State law: CCPA/CPRA (California). California consumers have the right to opt out of the sale or sharing of personal information. Passing customer data to an AI vendor that uses it for model improvement may constitute a "sale" or "sharing" under CCPA definitions, triggering opt-out obligations and the requirement for a CCPA-compliant Data Processing Agreement.
Banking · Canada
AI marketing in Canadian banking: OSFI, PIPEDA, and Bill C-27
- OSFI Guideline B-10 (Third-Party Risk Management, 2023). Requires federally regulated financial institutions to manage risks from third-party arrangements, including technology services. AI API contracts fall within scope. OSFI expects documented risk assessments, contractual protections, and ongoing monitoring of material third-party arrangements.
- PIPEDA (Personal Information Protection and Electronic Documents Act). Governs personal information used in commercial activity. Transfer of customer data to an AI vendor requires a contractual arrangement ensuring the vendor provides comparable protection to PIPEDA, or express consent from the data subject.
- Bill C-27 (Consumer Privacy Protection Act, CPPA). proposed. As of July 2026, Bill C-27 has passed the House and is under Senate review. When enacted, the CPPA's Artificial Intelligence and Data Act (AIDA) component will impose specific obligations on "high-impact AI systems" including requirements for risk assessments, transparency, and regulatory notification. Financial marketers should build AIDA-compliance readiness into their AI governance now rather than retrofitting after enactment.
Banking · Malaysia
AI marketing in Malaysian banking: BNM, PDPA, and the FSA
- Bank Negara Malaysia (BNM) Risk Management in Technology (RMiT) Policy Document (revised 2020). Requires financial institutions to manage risks from technology deployments, including third-party cloud and API services. AI tools processing customer financial data fall within RMiT scope.
- PDPA 2010 (Personal Data Protection Act Malaysia). Prohibits transfer of personal data outside Malaysia unless the destination country provides an adequate level of data protection or the data subject has consented. Most external AI APIs are US-hosted. A contractual solution is required. The PDPC Malaysia's enforcement of this provision has increased since 2022.
- Financial Services Act 2013 (FSA) and Islamic Financial Services Act 2013 (IFSA). Require BNM-licensed institutions to ensure customer information is not disclosed to unauthorised parties. External AI vendors without appropriate contractual protections may constitute an unauthorised disclosure of customer financial information.
Healthcare and pharma: HIPAA, TGA, HSA, and AI-generated marketing content
Healthcare marketing sits at the intersection of the most stringent privacy regimes (HIPAA in the US, My Health Records Act in Australia) and strict advertising regulations (TGA in Australia, HSA in Singapore, FDA in the US) that prohibit misleading health claims. AI tools introduce risk on both dimensions simultaneously.
Healthcare · United States
AI marketing for US healthcare: HIPAA Business Associate Agreements and PHI boundaries
The fundamental HIPAA question for any AI marketing tool is whether Protected Health Information (PHI) enters the system. PHI is broader than most marketers assume: it includes any information that could identify a patient in combination with their health status, treatment, or payment information. This covers:
- Patient names in combination with any health-related context
- Appointment or treatment dates linked to a patient identifier
- Geographic data smaller than a state (including ZIP codes for small populations)
- Customer service notes that reference health conditions
- Email open data from health-related campaigns, where the recipient is a patient
An AI vendor that processes PHI is a Business Associate under HIPAA and must sign a Business Associate Agreement (BAA) before any PHI is transmitted. Most consumer AI products explicitly disclaim HIPAA compliance in their terms and do not offer BAAs on standard plans. Submitting PHI to these products is a HIPAA violation regardless of whether a breach occurs.
FDA oversight of AI-generated health marketing. The FDA regulates prescription drug advertising under the Federal Food, Drug, and Cosmetic Act. AI-generated content for prescription drugs must meet the same fair balance requirements (presenting risks alongside benefits) and substantiation standards as human-authored content. AI tools that generate promotional copy for Rx products require the same pre-dissemination review process as any other promotional material.
Healthcare · Australia
AI marketing for Australian healthcare and pharma: TGA, the Privacy Act, and My Health Records
- TGA Therapeutic Goods Advertising Code 2021. Governs advertising of therapeutic goods (medicines, medical devices, complementary medicines) to the general public and to health professionals. AI-generated content for any therapeutic good must comply with the Code's restrictions on claims, endorsements, and price references. AI tools do not reduce the advertiser's obligation to ensure compliance.
- My Health Records Act 2012. Imposes strict limitations on collection, use, and disclosure of health information from the My Health Record system. No marketing use of My Health Record data is permitted under any circumstances.
- APP 3 (collection of sensitive information). Health information is sensitive information under the Privacy Act. Collection and use for marketing purposes requires express consent from the individual, not just a general privacy consent.
Healthcare · Singapore
AI marketing for Singapore healthcare: HSA, MOH guidelines, and PDPA sensitive data
- Health Sciences Authority (HSA) advertising guidelines. Regulate advertising of health products, medical devices, and therapeutic products in Singapore. AI-generated health marketing content must comply with HSA's claim substantiation requirements. The HSA does not exempt AI-generated content from its advertising standards.
- Ministry of Health (MOH) Private Hospitals and Medical Clinics Regulations. Medical clinics and private hospitals advertising their services must comply with Singapore Medical Council (SMC) Ethical Code and Ethical Guidelines on advertising. These prohibit certain claim types that AI tools commonly generate, including comparative claims, superlatives, and patient testimonials in specific formats.
- PDPA sensitive data provisions. Health information is classified as sensitive personal data under Singapore's PDPA. The consent requirement for collecting and using sensitive data for marketing is higher than for general personal data: explicit consent is required, and purpose limitations apply strictly.
Insurance marketing: AI disclosure obligations, product suitability, and data risks
Insurance marketing is regulated as a subset of financial services in most markets, but with specific provisions around product disclosure, suitability, and non-discrimination that create additional AI risk dimensions.
Insurance · Singapore
AI marketing for Singapore insurance: MAS FAA, PDPA, and personalised product promotion
Insurance marketing in Singapore is regulated by MAS under the Financial Advisers Act (FAA) and the Insurance Act. AI-generated marketing content for insurance products must comply with the FAA's restrictions on misleading representations and must accurately describe product features, exclusions, and risks. The MAS Fair Dealing Guidelines require that customers receive clear and objective information to make informed decisions. a standard that AI-generated copy must meet regardless of how it was produced. Using customer health data or financial data to target insurance product promotions triggers the same PDPA sensitive data obligations described in the healthcare section above.
Insurance · Australia
AI marketing for Australian insurance: ASIC RG 234, ICA Code, and differential pricing risks
ASIC regulates general and life insurance advertising under the Corporations Act 2001 and the Insurance Contracts Act 1984. ASIC's RG 234 (updated June 2026) applies to all insurance product advertising. AI audience targeting in insurance marketing raises specific concerns about differential delivery: an AI model that delivers certain insurance product promotions more frequently to customers in lower-socioeconomic postcodes or specific demographic segments may create indirect discrimination liability under state equal opportunity legislation, even where the AI's decisions were not intentionally discriminatory. The Insurance Council of Australia's Code of Practice sets additional standards that apply to member insurers' customer communications.
Insurance · United States
AI marketing for US insurance: NAIC model bulletin, state-level regulation, and discriminatory pricing
Insurance in the US is regulated at the state level. The National Association of Insurance Commissioners (NAIC) issued a Model Bulletin on the Use of Artificial Intelligence Systems in December 2023, which most major states have adopted or are adopting. The Bulletin requires insurers to ensure AI systems used in underwriting, rating, and marketing do not result in unfair discrimination based on protected characteristics. In marketing specifically: AI-driven audience targeting that uses proxy variables (such as ZIP code as a proxy for race, or credit score as a proxy for economic status) may create liability under state insurance anti-discrimination statutes even where race or income are not explicitly used as targeting signals.
Legal services: attorney-client privilege, professional conduct rules, and AI marketing
Law firms and legal departments face a distinct set of constraints when using AI tools for marketing, separate from the general data privacy concerns applicable to all regulated industries.
Attorney-client privilege and confidentiality obligations. Legal professionals in all jurisdictions owe a duty of confidentiality to clients. Submitting any client information. even anonymised or paraphrased descriptions of matters. to an external AI tool may constitute a breach of confidentiality obligations under applicable professional conduct rules (Singapore's Legal Profession (Professional Conduct) Rules 2015, the Australian Solicitors Conduct Rules, the ABA Model Rules of Professional Conduct in the US, and provincial law society rules in Canada). Law society guidance in several jurisdictions has specifically addressed AI tool use: the Law Society of Singapore issued guidance in 2024 advising members to assess confidentiality risks before using AI tools with client data, and to obtain appropriate vendor contractual protections.
Attorney advertising rules. Legal advertising is subject to professional conduct rules in every market. AI-generated marketing content for legal services must comply with restrictions on comparative claims, guarantees of outcomes, and solicitation rules. In Singapore, the Legal Profession (Publicity) Rules 2015 restrict what solicitors may say in advertising. In Australia, state law society rules and the National Law Council guidelines apply. In the US, state bar advertising rules vary significantly. AI tools that generate marketing copy for legal services cannot be assumed to know or apply these jurisdiction-specific restrictions: human review by someone familiar with applicable professional conduct rules is required before any AI-generated legal marketing copy is published.
What compliant LLM use for marketing actually looks like in regulated businesses
The answer is not "do not use AI." The answer is "use AI with the right configuration for your regulatory environment." Three configurations are used in practice.
Configuration 1: Data minimisation before prompting
Strip all PII, financial data, and confidential business information from any prompt before it reaches an external AI system. Use pseudonymised segment descriptors ("segment A is price-sensitive customers aged 35-50 in the home loan category") rather than individual-level data. Write prompt templates that produce useful marketing outputs without requiring real customer data as input. This is the lowest-cost approach and works for most content generation use cases. Its limitation: it cannot support deeply personalised content generation at the individual level, because the individualising data cannot safely enter the prompt.
Configuration 2: Enterprise API with contractual data protections
Use the vendor's enterprise API tier. The minimum contractual requirements for regulated industries:
- A Data Processing Agreement (DPA) that specifies the legal basis for processing, the data categories covered, the retention periods, and the data subject rights procedures
- A no-training commitment: explicit statement that prompt data and outputs will not be used to train or improve the model
- A data residency option that satisfies your jurisdiction's requirements (AU-hosted for Australian financial data, etc.)
- Audit log access so you can demonstrate what data was processed and when
- A Business Associate Agreement (BAA) for any healthcare data subject to HIPAA
- Breach notification provisions consistent with your jurisdiction's mandatory breach reporting timelines (3 days for Singapore PDPA, 72 hours for GDPR, 30 days for US state laws)
Even with all of these in place, some data categories (attorney-client communications, My Health Records data, data subject to MAS's most restrictive classifications) may not be appropriate for external AI processing regardless of contractual protections.
Configuration 3: Private deployment
Run a model entirely within your own infrastructure or a dedicated private cloud tenancy. No data leaves your environment at inference time. Options include open-source models (Llama, Mistral, and their fine-tuned derivatives), private cloud deployments through hyperscalers with dedicated tenancy agreements, and on-premise deployment for the most sensitive environments. This carries the highest setup cost and requires ongoing model maintenance and safety evaluation, but is the only configuration that provides absolute assurance that inference-time data does not cross the enterprise boundary.
| Configuration | Data leaves enterprise boundary? | Suitable for PII? | Suitable for regulated financial / health data? | Setup cost |
|---|---|---|---|---|
| Consumer-tier AI (ChatGPT free, Gemini consumer) | Yes, with potential training use | No | No | None (but non-compliant) |
| Data minimisation + any external API | Yes (prompt only, PII excluded) | If pseudonymised correctly | Only for content generation with no real data inputs | Low: requires prompt engineering discipline |
| Enterprise API with full DPA + no-training clause | Yes, with contractual protections | Yes, with appropriate DPA | With jurisdiction-matched residency and BAA/healthcare-specific terms | Medium: enterprise contract + legal review |
| Private deployment (self-hosted or private cloud) | No | Yes | Yes | High: infrastructure, ongoing model maintenance, safety evaluation |
The governance document that makes compliance defensible
Regulators across all five markets covered in this post assess intent and governance, not just outcomes. A regulated business that can demonstrate: (a) an approved AI tool list, (b) a prompt classification policy, (c) signed vendor DPAs, and (d) staff training on what data categories may enter AI prompts is in a fundamentally different regulatory position than one that cannot. The governance document does not need to be complex. It needs to exist, be current, and be known to the teams using AI tools.