Just subscribed. CISO at a mid-sized SaaS company. The hardest conversation I have right now isn't *"should we allow AI assistants"* — that battle is lost, devs will use them with or without permission. It's *"how do we give them productive AI without accepting unbounded data egress."*
Three things keep me up at night:
- Vendor data-retention policies that change quietly in ToS updates nobody reads.
- Devs pasting full files into web UIs, where the API-tier guardrails (zero retention, no training) don't apply.
- The "context windows are huge now!" marketing — meaning whole repos get sent in a single prompt, and your IP-leakage surface scales with the model size.
We've started looking at proxying outbound prompts through something that strips identifiers, secrets, and proprietary class names before anything reaches the provider. Curious who else here is doing similar.
u/SteveHaller — 12 days ago
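A sketch of the outbound-prompt filter described in the comment above, added here as an illustration and not code from the commenter or any product. `PromptRedactor`, `SECRET_RULES`, the sample class names and the key are hypothetical; the proprietary-name list is assumed to come from your own symbol index.

```python
import hashlib
import hmac
import re

# Constructed rules for illustration; a real filter needs a maintained ruleset.
SECRET_RULES = [
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "<REDACTED:AWS_KEY_ID>"),
    (re.compile(r"(?i)((?:password|secret|token|api_key)\w*\s*[:=]\s*)([\"'])[^\"'\n]+\2"),
     r"\1\2<REDACTED:SECRET>\2"),
]

class PromptRedactor:
    """Hypothetical outbound filter: drops secrets, pseudonymizes listed names."""
    def __init__(self, key: bytes, proprietary_names):
        self._key = key
        names = sorted(set(proprietary_names), key=len, reverse=True)
        # One alternation, longest first, so a single pass never re-matches an alias.
        self._names = re.compile(r"\b(?:" + "|".join(map(re.escape, names)) + r")\b") if names else None
        self.mapping = {}  # alias -> original; stays on the proxy, never sent out

    def _alias(self, match):
        original = match.group(0)
        # Keyed HMAC: the provider cannot confirm a guessed name by hashing it.
        tag = hmac.new(self._key, original.encode(), hashlib.sha256).hexdigest()[:8]
        alias = f"Ident_{tag}"
        if self.mapping.setdefault(alias, original) != original:
            raise ValueError("alias collision; lengthen the tag")
        return alias

    def redact(self, prompt: str) -> str:
        # Secrets are removed one-way; nothing in the reply should need them back.
        for pattern, replacement in SECRET_RULES:
            prompt = pattern.sub(replacement, prompt)
        return self._names.sub(self._alias, prompt) if self._names else prompt

    def restore(self, response: str) -> str:
        for alias, original in self.mapping.items():
            response = response.replace(alias, original)
        return response

# Constructed sample; the key ID is AWS's published documentation example.
SAMPLE = '''class LedgerReconciler:
    DB_PASSWORD = "hunter2-prod"
    aws_id = "AKIAIOSFODNN7EXAMPLE"
    def run(self): return AcmeBillingCore().sync()
'''

if __name__ == "__main__":
    print(PromptRedactor(b"constructed-key", ["LedgerReconciler", "AcmeBillingCore"]).redact(SAMPLE))
```

Aliases are stable per key, so multi-turn conversations stay coherent, and `restore` maps the provider's reply back before it reaches the developer.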