To follow on from our recent discussions regarding the rapid adoption of artificial intelligence in the nonprofit sector, this episode explores the critical technical and privacy distinctions between public and enterprise AI tools.

The CISA Incident and the AI Privacy Gap

Last week, news outlets including Politico reported that the interim director of the Cybersecurity and Infrastructure Security Agency (CISA), Madhu Gottumukkala, mistakenly uploaded sensitive government contracting documents into a public version of ChatGPT. This triggered automated security warnings designed to prevent the unintentional disclosure of government material.

This incident highlights that anyone can mistakenly upload sensitive data to a public tool. Even the head of CISA.

Key Differences Between Public and Enterprise AI:

• Data Privacy: Enterprise versions (like Microsoft Copilot for 365 or Gemini for Workspace) keep your prompts and data within your organizational "cloud boundary." Your information is not used to train the underlying public models.
• AI Search and Permissions: With Enterprise AI, the tool can surface any document a user has permission to see. This makes cleaning up your SharePoint or Google Drive permissions essential to avoid sensitive files being inadvertently surfaced via AI search. Pay attention to files that have been shared with "anyone with this link" because Copilot and Gemini will view that as granting permission to anyone searching. Finally, spend time on staff training on how to save and share files so that permissions will need less clean up going forward.
• Commercial Protections: Enterprise licenses include copyright indemnity that are absent in public versions.
• Security: Enterprise licenses give IT management and administrative controls which are essential to securing your nonprofit's valuable data.

Resources:

Trump’s acting cyber chief uploaded sensitive files into a public version of ChatGPT from Politico by John Sakellariadis, published Jan 27, 2026. https://www.politico.com/news/2026/01/27/cisa-madhu-gottumukkala-chatgpt-00749361

"The interim head of the country’s cyber defense agency uploaded sensitive contracting documents into a public version of ChatGPT last summer, ... The material included CISA contracting documents marked 'for official use only,' a government designation for information that is considered sensitive and not for public release."

Microsoft Copilot vs. ChatGPT: Data Protection Explained from Community IT.

"If you are using Copilot with a 365 subscription, your prompts and data are not used to train the underlying large language model. It keeps your data within your enterprise cloud boundary... This protection only applies when you are signed in to an eligible work or school account."

Upcoming Webinar: Verifying Your AI Security

Join Community IT CTO Matt Eshleman on February 25th to learn how to distinguish between public and enterprise accounts. Register here: How to Use AI Tools Safely at Nonprofits

_______________________________
Start a conversation :)

• Register to attend a webinar in real time, and find all past transcripts at https://communityit.com/webinars/
• email Carolyn at cwoodard@communityit.com
• on LinkedIn

Thanks for listening.