RC RANDOM CHAOS

Your AI sessions are outside your control perimeter.

A board-level risk statement on the Claude AI file exfiltration demonstration: control failure, exposure, and what must be true going forward.


A public demonstration has shown that files shared within a Claude AI chat session can be exfiltrated by a third party without the user’s awareness or consent. The mechanism, scope, and conditions of the demonstration beyond this outcome are not confirmed here. What is relevant at board level is the observable result: content placed inside an AI assistant session was retrievable by a party who was not the intended recipient, and the user was not alerted at the time it occurred. That outcome, on its own, is a material risk statement.

The business significance is not the novelty of the technique. It is the category of asset involved. Files uploaded into AI chat sessions are typically working documents, contracts under review, source code, customer records, financial models, board materials, and internal correspondence. These are the same assets that sit behind data loss prevention controls, access reviews, and confidentiality obligations elsewhere in the environment. The outcome indicates that those assets, once introduced into an AI session, may sit outside the control perimeter the organisation believes it is enforcing.

The consequence is not theoretical. Where confidential material is exposed without the user’s knowledge, the organisation carries the same obligations it would for any other unauthorised disclosure: regulatory notification where applicable, contractual disclosure to counterparties, and reputational accountability to clients and shareholders. The fact that the disclosure occurred through a sanctioned productivity tool does not reduce that obligation. It increases it, because the user had a reasonable expectation that the tool operated within the organisation’s control environment.

The operating assumption across most enterprises has been that AI chat tools function as an extension of the user’s own workspace. Material shared in a session has been treated as material shared with the assistant, and nothing more. Identity, session boundary, and content confidentiality were assumed to behave the way they behave in established collaboration tools. That assumption underpinned the speed at which these tools were adopted across legal, finance, engineering, and executive functions.

That assumption also shaped the controls that were, and were not, applied. In many organisations, AI assistants were brought inside the perimeter through enterprise licensing, single sign-on, and acceptable use policy. The controls applied were largely governance controls: who may use the tool, for what purpose, and under what classification of data. Runtime controls over what the session itself permits, what content can be drawn out of it, and by whom, were generally assumed to be the provider’s responsibility and were not independently verified.

The further assumption was that any exposure would be visible: that a user would see, or an audit log would record, an event sufficient to trigger investigation. The demonstration does not support that assumption. In what has been shown, there was no evidence of user-visible alerting at the time of exfiltration, and whether the provider's internal telemetry captured the event cannot be determined from available information. From the organisation's standpoint, the working assumption that exposure would be detectable remains unconfirmed.

What the demonstration changes is the standing of AI chat sessions as a trusted container for sensitive content. Access to files shared in a session was not constrained to the intended participants under the conditions shown. The session boundary, which the user relied on as the limit of disclosure, did not function as that limit at runtime. The specific mechanism is a matter for the provider; the board-relevant fact is that the boundary was not enforced in the demonstrated case.

It also changes the basis on which AI assistants can be treated as equivalent to other enterprise tools for the handling of confidential material. Equivalence was assumed on the strength of contractual assurances, certifications, and enterprise tier features. The outcome indicates that contractual and configuration-level assurances are not, by themselves, sufficient evidence that confidentiality is preserved through the session. What must be evidenced now is enforcement at runtime, not commitment in writing.

Finally, it changes the exposure calculation for material already shared. The duration over which similar conditions may have existed, the number of sessions potentially affected, and whether any organisational content was retrieved by an unintended party cannot be determined from available information. Absence of a confirmed incident inside the organisation is not evidence that no exposure occurred. The board should treat the question of historical exposure as open until it can be evidenced otherwise.

The failure is not located in a single control. It is located in the gap between where the organisation believed the control perimeter ended and where, at runtime, it actually ended. Confidentiality of content shared in the session was treated as a property of the platform. The demonstration indicates that, under the conditions shown, that property was not enforced. Access to the files was not constrained to the user and the assistant. The session did not behave as a closed container, and the user received no signal that it had ceased to behave as one.

The drift is between governance posture and runtime behaviour. Governance posture, as it stood, recorded that the tool was approved, that data classifications were defined, and that acceptable use was communicated. None of those instruments act at the moment content is retrieved from a session. They define intent. They do not enforce outcome. What the demonstration exposes is that the enforcement layer beneath those instruments was not independently verified by the organisations relying on them. The control that did not function at runtime is the one that was assumed to be functioning by default.

There is a second layer of drift, which is detection. The organisation’s ability to know that an exposure has occurred depends on telemetry it can see and act on. In the demonstrated outcome, no evidence of user-visible alerting was identified, and provider-side visibility into the event cannot be determined from available information. The practical position is that the organisation is dependent on a third party to surface an event the organisation would be accountable for disclosing. That dependency was not contracted for explicitly. It was inherited by adoption.

This pattern is not specific to one AI assistant. It applies to the category. Across the enterprise, AI tools have been onboarded on the strength of provider assurances, enterprise tier configuration, and identity federation. The same assumption that applied to this session applies to the others: that the boundary of the session is the boundary of disclosure, that identity controls extend into the runtime of the conversation, and that any exposure would be visible to the user or to the organisation’s logging. None of those assumptions has been independently evidenced for the broader set of tools in use. The demonstration in question concerns one product. The exposure model it surfaces concerns all of them.

The pattern also extends to adjacent integrations. AI assistants do not sit in isolation. They are connected to mail, to file repositories, to code stores, to ticketing systems, and to internal knowledge bases through enterprise connectors and plug-ins. Each connection extends the surface across which content can be drawn into a session and, by extension, the surface across which content drawn into a session may be retrievable. The organisation’s exposure is not defined by the assistant alone. It is defined by the assistant plus everything the assistant has been authorised to read. That composite exposure has, in most environments, not been mapped with the same rigour applied to traditional data flows.

The broader signal is about the standing of provider assurance as a substitute for organisational verification. Across cloud services, software-as-a-service platforms, and AI tooling, the operating model has been to accept contractual and certification-based assurance as sufficient evidence of control effectiveness. The outcome here indicates that, for tools that mediate confidential content at runtime, that model carries residual risk the organisation cannot transfer. Liability for disclosure remains with the data controller. The provider’s posture does not change that allocation. The board should assume that any tool handling confidential material requires evidence of enforcement that the organisation itself can examine, not only assurances the organisation has been given.

What must be true going forward is that AI chat sessions are treated as an in-scope data handling channel, not as a productivity feature. That means the same standard of evidence applied to other channels carrying confidential material is applied here. The organisation must be able to state what data is permitted into these sessions, what controls govern its retrieval, and what visibility exists when those controls are tested. Where that evidence cannot be produced, the appropriate position is that the channel is not approved for material at that classification, regardless of how widely it is already in use.

It must also be true that the question of historical exposure is closed on evidence rather than on absence of complaint. Since neither the duration of the condition nor the number of affected sessions can be established from available information, the board should require that the organisation reconstruct, to the extent it is able, what content has been placed into these sessions, by whom, through which connected sources, and over what period, so that any disclosure obligation can be assessed against fact rather than against assumption. That reconstruction is not optional. It is the basis on which the organisation will defend its position to regulators, counterparties, and shareholders if exposure is later confirmed.
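The reconstruction described above, together with the composite exposure of assistant plus authorised connectors described earlier, is a replay problem over whatever audit feed the organisation already has (identity provider, proxy, CASB, or the provider's own export). The following Python is an added example, not code from the original post and not any provider's real log schema: the JSON-lines event types and field names (session_start, file_upload, dlp_decision, connector_grant, connector_revoke) are assumptions, and the sample events are constructed. It answers the questions the board is asked to put: which users placed in-scope material into sessions, over what period, which connected sources were authorised at the moment of each upload, and for which uploads no runtime control decision was logged at all.

```python
"""Reconstruct historical exposure of AI-assistant sessions from an audit feed.

Assumed (hypothetical) JSON-lines event types: session_start, file_upload,
dlp_decision, connector_grant, connector_revoke. Field names are assumptions,
not a real product's schema. Sample events below are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime

# Classification order used to decide what is in scope for disclosure review.
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
# Unlabelled content cannot be excluded from scope, so it ranks above everything.
UNLABELLED_RANK = 99

# Constructed sample feed (not real data). Note the upload with no matching
# dlp_decision, the upload with no classification, and the connector granted
# only after an upload had already happened.
SAMPLE_EVENTS = """\
{"ts":"2024-03-01T09:00:00Z","type":"connector_grant","user":"a.lee","connector":"sharepoint"}
{"ts":"2024-03-01T09:05:00Z","type":"session_start","user":"a.lee","session":"s-101"}
{"ts":"2024-03-01T09:06:30Z","type":"file_upload","user":"a.lee","session":"s-101","file":"msa-draft-v3.docx","classification":"confidential"}
{"ts":"2024-03-01T09:06:31Z","type":"dlp_decision","session":"s-101","file":"msa-draft-v3.docx","action":"allow"}
{"ts":"2024-03-02T14:10:00Z","type":"session_start","user":"b.ortiz","session":"s-102"}
{"ts":"2024-03-02T14:11:00Z","type":"file_upload","user":"b.ortiz","session":"s-102","file":"q1-model.xlsx","classification":"restricted"}
{"ts":"2024-03-04T08:00:00Z","type":"connector_grant","user":"b.ortiz","connector":"github"}
{"ts":"2024-03-05T11:00:00Z","type":"session_start","user":"b.ortiz","session":"s-103"}
{"ts":"2024-03-05T11:02:00Z","type":"file_upload","user":"b.ortiz","session":"s-103","file":"notes.txt","classification":"internal"}
{"ts":"2024-03-06T16:20:00Z","type":"file_upload","user":"a.lee","session":"s-104","file":"board-pack.pdf","classification":"restricted"}
{"ts":"2024-03-07T10:00:00Z","type":"file_upload","user":"c.park","session":"s-105","file":"export.csv"}
"""


def classification_rank(label):
    return CLASSIFICATION_RANK.get(label, UNLABELLED_RANK)


def parse_events(text):
    """Parse the JSON-lines feed and sort by timestamp so state can be replayed in order."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def build_inventory(events, min_classification="confidential"):
    """Replay the feed and return, per user, the facts needed for a disclosure
    assessment of uploads at or above min_classification (unlabelled uploads are
    always in scope): sessions, files, first/last upload time, connectors that
    were authorised at the moment of each upload, and uploads for which no
    runtime DLP decision was logged at all."""
    threshold = CLASSIFICATION_RANK[min_classification]
    decided = {(e["session"], e["file"]) for e in events if e["type"] == "dlp_decision"}
    live_connectors = defaultdict(set)  # user -> connectors currently granted
    inventory = {}
    for e in events:
        kind = e["type"]
        if kind == "connector_grant":
            live_connectors[e["user"]].add(e["connector"])
        elif kind == "connector_revoke":
            live_connectors[e["user"]].discard(e["connector"])
        elif kind == "file_upload":
            label = e.get("classification", "unlabelled")
            if classification_rank(label) < threshold:
                continue
            rec = inventory.setdefault(e["user"], {
                "sessions": set(), "files": [], "first": e["ts"], "last": e["ts"],
                "highest": label, "connectors": set(), "unenforced": []})
            rec["sessions"].add(e["session"])
            rec["files"].append(e["file"])
            rec["first"] = min(rec["first"], e["ts"])
            rec["last"] = max(rec["last"], e["ts"])
            if classification_rank(label) > classification_rank(rec["highest"]):
                rec["highest"] = label
            # Connectors are recorded as they stood at upload time, not as they stand now.
            rec["connectors"] |= live_connectors[e["user"]]
            if (e["session"], e["file"]) not in decided:
                rec["unenforced"].append(e["file"])
    return inventory


def exposure_window(inventory):
    """Earliest and latest in-scope upload across all users, or None if there were none."""
    if not inventory:
        return None
    return (min(r["first"] for r in inventory.values()),
            max(r["last"] for r in inventory.values()))


def summarise(inventory):
    """One line per user, suitable for the board paper's exposure table."""
    lines = []
    for user, r in sorted(inventory.items()):
        lines.append(
            f"{user}: {len(r['sessions'])} session(s), {len(r['files'])} file(s), "
            f"highest={r['highest']}, {r['first']:%Y-%m-%d}..{r['last']:%Y-%m-%d}, "
            f"connectors at upload={sorted(r['connectors']) or '-'}, "
            f"no runtime decision logged for {r['unenforced'] or 'none'}")
    return lines


if __name__ == "__main__":
    inv = build_inventory(parse_events(SAMPLE_EVENTS))
    print(*summarise(inv), sep="\n")
    print("exposure window:", exposure_window(inv))
```

Three things in the output matter more than the counts. An upload with no logged runtime decision is the governance-versus-enforcement gap made concrete: the policy existed, nothing acted on it at the moment of upload. An unlabelled file is reported at the top of the scale, because the organisation cannot show it was out of scope. And connectors are attributed as they stood at the time of each upload, so a later grant does not inflate the picture and an earlier grant is not lost to a later revocation. The result supports the disclosure assessment; it does not prove that anything was retrieved, which is the question the page leaves open.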

The final condition is one of accountability. Adoption of AI tooling has, in most organisations, outpaced the assignment of ownership for the risk it carries. The outcome demonstrated here does not require a new category of control. It requires that someone, at a named level of seniority, is accountable for the runtime behaviour of these tools against the confidential content they handle, and is required to evidence that accountability to the board on a defined cadence. Until that accountability is named and that evidence is produced, the organisation’s position is that it does not know the extent of its exposure. That is the position the board must work from, and the position from which it must require change.
