AI Tool Security Requirements: A Pre-Adoption Checklist for Enterprises

Column
AI Tool Security Requirements: A Pre-Adoption Checklist for Enterprises

Introduction

A checklist-style guide for enterprises comparing business AI tools such as ChatGPT, Claude, Gemini and Copilot, organising the points to confirm across data retention, training use, data destinations, authentication, logging, permissions and support.

Tatsuya Ito

Tatsuya Ito

Artificial Intelligence Consultant

company-icon

Third Scope Ltd.

Born in 1985 and originally from Mie Prefecture, Japan. In 2012, he joined an AR startup in Hong Kong as an engineer. Since then, he has been involved in new business development and AI service launches at several AI startups. In 2018, he founded the current ThirdScope Inc. by taking over an AI service and its development team. He now supports companies in adopting and utilizing AI, with a focus on AI-driven business development, operational transformation, and product development. He has also been involved in AI research as a Project Researcher at the University of Tokyo. Today, he continues to work at the forefront of AI project development, providing practical consulting from both technical and business perspectives.

It’s clearly convenient. But is it truly safe to put internal company data into this AI tool?

This is a question that tends to surface, in companies weighing up the adoption of generative AI, between the IT department, the security team, procurement and purchasing, legal, and the front-line business units. It used to be that individuals would try a free version of an AI tool and, finding it useful, would begin using it at a departmental level. These days, however, organisations need to compare several AI tools such as ChatGPT, Claude, Gemini and Copilot, and judge as an organisation whether each is fit for corporate use.

As a worked example, suppose a company of roughly 1,000 people across 20 departments is considering rolling out generative AI. The front-line units care about “being able to use it straight away”, IT cares about “authentication, permissions and logging”, procurement cares about “contract terms and support”, and legal cares about “data retention, training use and where data is sent”. If the selection process proceeds while everyone is looking at a different set of concerns, you can end up with a tool that is excellent on features yet doesn’t fit internal policy, or with clauses you simply cannot operate once the contract is signed.

In this article, we set out the security requirements a company should check when selecting an AI tool, organised into seven areas: data retention, training use, data destinations, authentication, logging, permissions and support. The aim is to reach a state where you can judge “approved”, “approved with conditions”, “needs further checking” or “decline” on the basis of a shared checklist, rather than on any individual’s gut feel. That said, a checklist alone will not make you watertight. Only when it is run alongside internal policy, user training, permission design and periodic review do you genuinely move closer to safe AI use.

Why security requirements deserve a first look when selecting an AI tool

Why security requirements deserve a first look when selecting an AI tool

When selecting an AI tool, it is all too easy to focus on answer quality, ease of use, the models supported and the price. Those things matter, of course. But in corporate use there is something to check before convenience: namely, whether you should be letting that AI tool handle internal or customer information at all.

Generative AI is used across a wide range of tasks: drafting emails, taking minutes, proposals, handling enquiries, internal FAQs, assisting with contract review. In other words, an AI tool is not merely a writing aid; it becomes a place where business information naturally accumulates.

So when selecting an AI tool, you need to confirm not only “what this tool can do” but “what may be entered into it”, “who may use it”, “whether it can be traced after the fact” and “whether you can respond when something goes wrong”.

NIST’s risk-management profile for generative AIAccording to NIST’s risk-management profile for generative AI, the risks of generative AI arise across the entire lifecycle — design, development, operation and decommissioning — making it clear that management after adoption is just as important as the initial checks.

The overall picture of security requirements to check when selecting an AI tool

The overall picture of security requirements to check when selecting an AI tool

Security requirements for AI tools are, examined closely, wide-ranging. Even so, the concerns you should line up first in a selection meeting are the following seven.

The overall picture of security requirements to check when selecting an AI tool
Area What to confirm Primarily responsible
Data retention Where, and for how long, are input data, attached files and conversation history stored IT / Security
Training use Whether input is used to train the AI model, and whether this can be turned off Legal / Security
Data destinations Whether you can confirm the regions of processing, external subcontractors and integration partners Legal / IT
Authentication Whether it supports SSO, two-factor authentication and account management IT
Logging Whether you can trace who did what, and when IT / Audit
Permissions Whether access can be controlled by department, project and role IT / front-line managers
Support Whether there is a contact point or SLA for outages, specification changes and incidents Procurement / Purchasing

Once you have these seven areas in hand, comparing AI tools shifts from “it feels reassuring enough” to “which conditions does it actually meet”.

Data retention: where do your inputs and conversation history end up?

Data retention: where do your inputs and conversation history end up?

The first thing to confirm is where the prompts a user enters, the files they attach, the generated results and the conversation history are stored.

With AI tools, what a user enters is not merely processed transiently; in some cases it is retained as history. For corporate use, you need to confirm who can view that history, whether an administrator can delete it, and how a departing employee’s history is handled.

Checkpoints for data retention
Checklist item The question you want answered
What is retained Which of the prompt, attached files, generated results and conversation history are stored
Where stored In which country or region’s servers is the data held
Retention period Is the retention period fixed, or can the company change it
Deletion method Can a user or administrator delete it
On contract end Is data deleted once the contract ends, and is a deletion certificate issued

Where there is any prospect of handling internal materials or customer information, “whether or not it is stored” is not enough. Confirm the further point: “if it is stored, who can manage it, when, and at what granularity”.

Training use: is your input data used to train the AI model?

Training use: is your input data used to train the AI model?

Next in importance is whether the data you enter is used to train the AI model. Business-oriented AI tools sometimes offer a setting or contract under which input data is not used for model improvement or training. With consumer or free plans, by contrast, the terms can differ.

What you should confirm here is not merely “may we enter sales materials, internal policies or customer information”. You need to confirm, if such data is entered, the extent to which that information is then stored, used and reviewed.

Checkpoints for training use
Checklist item Point to watch
Whether used for training Whether input data is used for model improvement or training
Opt-out Whether training use can be stopped, and what the default state is
Plan differences Whether the terms differ across consumer, team and business editions
Stated in the contract Whether it is set out in the terms of service, the DPA and the security documentation
Exception conditions Whether there are exceptions where data is stored or reviewed for abuse detection or quality improvement

Particular care is needed where the front line has already started on a free version. Moving to a corporate contract does not automatically make things safe. You need to confirm on which plan, with which settings, and under which contract terms your company’s information may be handled.

Data destinations: can you confirm the processing regions and external integration partners?

Data destinations: can you confirm the processing regions and external integration partners?

With AI tools, input data may be sent not only to the service provider’s own platform but to cloud infrastructure, the model provider, sub-processors and connected applications. A sub-processor is an external party to which the provider delegates data processing.

If you cannot explain where your own data travels, it tends to get stuck in legal and security review.

Checkpoints for data destinations
Checklist item What to confirm
Processing region In which country or region is it processed
Storage region Can you specify the region in which it is stored
Sub-processors Is a list of external subcontractors published
External integrations What is sent when integrating with the likes of Slack, Teams and Google Drive
Change notifications Are you notified when a sub-processor or processing region changes

When comparing the security of AI tools, what matters is not only model performance but whether the data flow can be explained. Companies handling personal data, customer information or contract details in particular should be cautious about rolling out, company-wide, a tool whose data destinations are hard to pin down.

Authentication: does it support SSO and two-factor authentication?

Authentication: does it support SSO and two-factor authentication?

For corporate use, the login method matters too. Running on individual email addresses and passwords alone tends to invite gaps in disabling leavers’ accounts, shared accounts, and use via personal email.

Checkpoints for authentication and account management
Checklist item What to confirm
SSO Whether it can connect to your authentication platform via SAML, OIDC and the like
Two-factor authentication Whether 2FA or MFA can be made mandatory
Account provisioning Whether an administrator can invite and disable users
Handling leavers Whether disabling someone on the IdP side is reflected in the AI tool
Preventing personal accounts Whether use from outside the company domain can be restricted

Kanata, the platform we provide, has an operating manual that sets out the concepts of the concepts of spaces, projects, apps and libraries, explaining that members and permissions can be managed per project. When using an AI tool for corporate purposes, it is similarly important to be able to design “who can access which business data”.

Logging: can you trace, after the fact, who did what?

Logging: can you trace, after the fact, who did what?

Once an AI tool is in use, a great deal of business information gets entered into it. So, should an incident or an internal query arise, you need to be able to trace who entered, generated or shared what, and when.

Log items to confirm in an AI tool
Log item What to confirm
Login history Who logged in, and when
Input history Who entered something into which chat or app
File operations Upload, deletion and access history for attached files
Sharing history To whom output or chats were shared
Administrator actions Management actions such as permission changes, adding members and deletions
Export Whether logs can be exported for auditing

Without logs, even when something goes wrong you cannot tell “who did what”. This is an important checkpoint not only for the security team but for procurement and legal too.

That said, being able to obtain logs is not in itself sufficient. Include in your operating procedures who reviews the logs, for how long they are retained, and whether they are reviewed monthly or quarterly.

Permissions: can you separate access by line of business?

Permissions: can you separate access by line of business?

In permission design for an AI tool, you need to avoid a state where every employee can see the same scope. Sales’ deal information, HR’s appraisal information, finance’s financial information and legal’s contract information should each have separate sets of people able to view them.

Checkpoints for permission design
Checklist item What to confirm
Organisational unit Whether it can be divided by whole company, department or team
Project unit Whether members can be separated by matter or task
Roles Whether permissions such as administrator, editor and viewer can be set
Least privilege Whether you can show only the necessary scope to only the necessary people
Handling transfers Whether permissions are easy to change when someone moves department

Kanata’s best-practice guide recommends carving up projects by “whether the people involved may all see the same information”, and narrowing highly confidential projects to “only those with a need to know”. This thinking applies directly to AI tool selection as well.

If you roll out an AI tool with weak permission design across the whole company, it may feel convenient at first — but you will soon be left wondering ‘how far may I enter things?’ and ‘who can see this information? At the selection stage, confirm whether access control by line of business is possible.

Support: can they respond on outages, specification changes and incidents?

Support: can they respond on outages, specification changes and incidents?

An AI tool is not done once adopted. Outages, specification changes, model changes, security updates and changes to contract terms may all occur. Confirm whether, when they do, you as a company have a contact point to raise queries and a notification regime in place.

Checkpoints for support and contractual handling
Checklist item What to confirm
Support desk Whether there is English-language support, and how to make contact
Hours of cover Whether it is weekday business hours only, or there is emergency cover
SLA whether there is a stated uptime target and incident response time
Specification-change notice Whether there is notice of feature changes, price changes and contract-term changes
Incident notice The deadline and method for notification when a security incident occurs
On contract end Handling of data deletion, export and deletion certificates

Generative AI is a fast-moving field. Don’t judge on the specification at adoption alone; what matters is confirming whether your company can stay informed when changes occur, and whether you are entitled to contractual notice.

A security checklist for AI tools you can use in a selection meeting

A security checklist for AI tools you can use in a selection meeting

Here we pull the foregoing together into a form you can use in a selection meeting. For each AI tool, fill in the following items and compare.

A security checklist for AI tool selection meetings
Area Checklist item Verdict
Data retention Whether the retention scope for input data, attached files and conversation history is clear OK / Needs checking / NG
Data retention Whether the retention period and deletion method are clear OK / Needs checking / NG
Training use Whether it is stated whether input data is used for model training OK / Needs checking / NG
Training use Whether training use can be stopped or controlled OK / Needs checking / NG
Data destinations Whether the data processing region and storage region can be confirmed OK / Needs checking / NG
Data destinations Whether sub-processors and external integration partners can be confirmed OK / Needs checking / NG
Authentication Whether it supports SSO and two-factor authentication OK / Needs checking / NG
Authentication Whether disabling accounts for leavers and transferees is easy to operate OK / Needs checking / NG
Logging Whether an administrator can review operation logs and audit logs OK / Needs checking / NG
Logging Whether the log retention period and exportability are clear OK / Needs checking / NG
Permissions Whether permissions can be separated by department, project and role OK / Needs checking / NG
Support Whether there is a contact regime for outages, specification changes and incidents OK / Needs checking / NG
Contract Whether the conditions for deleting or returning data at contract end are clear OK / Needs checking / NG

For the verdict, rather than simply scoring, it works better in a meeting to sort into the following four categories.

Verdict categories for AI tool selection
Verdict Meaning
Approved Meets the main requirements and fits the company’s policies
Approved with conditions Usable if restricted to certain departments, uses or data types
Further checking Documentation or contract terms need to be confirmed
Decline Too risky to handle company data, or too many items that cannot be confirmed

What matters is comparing all tools against the same criteria. Evaluate one tool on features, another on price and a third on impression, and the basis for your selection becomes muddy.

How to translate this into internal policy

How to translate this into internal policy

Once you have selected an AI tool, you need to translate it into internal policy and usage guidelines. Even if the tool’s contract terms are sound, risk remains if how it is used is left vague.

The first thing to decide is “information that may be entered” and “information that must not be entered”.

Information categories when deciding your input policy for AI tools
Information category Example Input policy for the AI tool
Public information Official website, published IR, press releases Permitted in principle
General internal information Internal manuals, general work materials Permitted in an internal-use environment
Customer information Deal history, proposal content, contract terms Permitted in a limited way subject to contract and NDA checks
Personal data Names, contact details, employee numbers Masked in principle
Sensitive information Health information, beliefs, account numbers and the like Prohibited in principle
Non-public information Unpublished results, personnel, M&A information Prohibited in principle

Kanata’s best-practice guide likewise sets out categories, public information, general internal information, customer transaction information, personal data, sensitive information, unpublished financial information and so on, presenting a way of thinking through how each should be handled.

In addition, you need a rule that AI output is not sent outside the company as-is. Figures, proper nouns, dates, quotations and anything touching legal or regulatory matters in particular should be run against the original source as a matter of practice.

Kanata: Managing Enterprise AI Use on a Per-Project Basis

Kanata: Managing Enterprise AI Use on a Per-Project Basis

Kanata is described as a business-support platform encompassing AI chat, AI summarisation, e-learning and more. Its operating manual introduces asking and consulting the AI while drafting and researching; summarising meeting recordings, minutes and materials into a specified format; building training material from video as a starting point and distributing it as learning content; and organising users, data and apps on a per-project basis.

Kanata also has the concepts of spaces, projects, apps and libraries, with members and permissions manageable per project, and AI settings, prompts and training data storable in a library,these are among Kanata’s core strengths.

Such characteristics give companies wanting to organise AI use by department and by line of business something to consider. That said, Kanata aside, whenever you adopt an AI tool you must confirm it against your own security policy, contract terms, the data types you handle and your audit requirements. Whether you can actually use it should be judged after confirming the contract terms, the usage plan, the management features and the conditions for handling data.

Common pitfalls in AI tool selection

Common pitfalls in AI tool selection

Deciding purely on front-line ease of use

A tool the front line finds easy to use has the advantage in gaining traction after roll-out . But put off the IT and legal checks and you can find yourself halted just before signing. The more practical approach is to confirm the security requirements first, and then choose the most usable tool within that scope.

Assuming “it’s a business plan, so it’s safe”

Even on a business plan, data retention, training use, external integrations, log capture and support terms differ from product to product. Don’t judge by the words “business plan” alone; confirm the contract, the security documentation, the management console and the scope of support.

Making only input-prohibition rules and leaving it there

Merely writing “don’t enter personal data” and “don’t enter confidential information” leaves the front line unsure how to judge. You need to give concrete examples: whether a customer’s name may go in, how deal notes should be treated, and how far contract clauses may be entered.

Not setting a date to review after adoption

AI tools are a field where specifications change readily. The conditions confirmed at adoption may not still hold six months later. At least once a quarter or half-year, we’d recommend reviewing usage, permissions, logs, policy and contract terms.

In closing: choose an AI tool not on “can we use it” but on “can we keep using it safely”

In closing: choose an AI tool not on "can we use it" but on "can we keep using it safely"

When selecting an AI tool, you need to confirm not only answer quality and price but whether your company can keep using it safely.

At the centre of what you should confirm are the following seven.

  1. Data retention
  2. Training use
  3. Data destinations
  4. Authentication
  5. Logging
  6. Permissions
  7. Support

Translate these into a shared checklist and IT, security, procurement and purchasing, legal and the front-line units find it easier to evaluate all tools against the same criteria. .

That said, a checklist is the starting point for the adoption decision. In actual operation, internal policy, user training, rules on input data, permission management and periodic reviews are indispensable.Using an AI tool safely is not about reducing risk to zero; it is about deciding, as an organisation, what you will confirm, how far you will permit, and how you will respond when something goes wrong.

Q&A: common questions on AI tool selection

What should you confirm first when selecting an AI tool?

The first thing to confirm is the handling of input data. Specifically, whether the prompts, attached files, conversation history and generated results you enter are stored, whether they are used for model training, and in which country or region they are processed. While that remains vague, comparing authentication or pricing will not get you to an adoption decision.

If it’s a business plan, is it fine to enter company data?

Even on a business plan, one cannot say it is unconditionally fine. Data retention, training use, sub-processors, log capture and the deletion conditions at contract end vary by tool and by plan. What matters is confirming it not by the name “business plan” but in the contract, the DPA, the security documentation and the management console.

How much logging do you need from an AI tool?

At a minimum, login history, input and file operations, permission changes by administrators, and sharing and export history are items you’ll want. You needn’t retain every log forever, but you should decide the period needed for incident investigation and auditing, who reviews them, and how they are stored.

If the front line is already using a free AI tool, how should you respond?

First, grasp the reality of use: which departments are entering which kinds of information into which tools. Then sort out the prohibited inputs, the permitted uses, whether a move to a corporate contract is needed, and the cases where use must be stopped. Since an outright ban can push the front line into using it covertly, it is more realistic to address this alongside offering an alternative.

What sorts of companies is Kanata suited to?

Kanata is a candidate for companies wanting to use AI chat, AI summarisation and e-learning together as a business-support platform, and for those wanting to organise members, apps and training data on a per-project basis. As with any AI tool, though, the final decision needs to confirm the contract terms, data handling, permission management, logging and support regime against your own requirements.

AI Tool Security Requirements: A Pre-Adoption Checklist for Enterprises
Share this article