For regulated work, public AI is quietly becoming a no-go
The pattern across regulated industries in 2026 is consistent: public AI and confidential data do not mix. JPMorgan and Deutsche Bank restricted staff use of ChatGPT back in 2023 over leakage concerns; in healthcare, entering patient information into an external model runs straight into HIPAA; and law firms keep discovering associates quietly pasting privileged material into chatbots. For client, patient, or otherwise regulated data, the consumer tiers are simply off the table.
The vendor defaults made it worse. As of 2026, the consumer tiers of the major chatbots train on your prompts unless you opt out, and at least one provider has been ordered by a court to preserve user chat logs, deleted conversations included, for the duration of litigation. For a bank, hospital, or law firm, “we might train on it, and we might have to keep it” fails the compliance test before the AI does anything useful. The realistic floor is now a private model with no data leaving the network.
- Every few months the bar for “compliant AI” rises. The only configuration that clears it reliably, whatever the next rule says, is one where the data never leaves your building.
- You can’t bolt confidentiality onto a public chatbot after the fact. You can run a private model that was built for it from the start.
See HIPAA-compliant AI, defense & CMMC, and our security posture.
