Private AI: Promise, or Proof

Private AI: Promise, or Proof

Last updated on July 17, 2026

PrivateBox Team

PrivateBox Team

PrivateBox AI

TABLE OF CONTENTS

Ferdie Pieterse
Ex-CEO Experian Africa · Ex-COO Standard Chartered · CA(SA), CISA
June 29, 2026


I have spent most of three decades as a custodian of other people's information. As an auditor first, then through the finance and operations of banks across more than twenty markets, and, most recently, at the head of a credit bureau. My working life has come down to one unglamorous responsibility: holding data that belongs to someone else, and being accountable when it is exposed. I have been responsible for information that millions of people trusted us to keep, and you do not hold that lightly. It is not a weight you put down at the end of the day.

So I want to say something plainly, in a way the technology industry generally prefers to talk around.

Right now, inside most organisations whose work depends on discretion, law firms, banks, hospitals, advisory practices, anyone who is paid in part to keep a confidence, that confidence is leaking. Quietly, every day, through a channel almost no one is watching. And the people accountable for protecting it tend to find out, if they find out at all, long after it has happened.

The cause is not negligence. It is productivity.

A security firm called Cyberhaven once studied how 1.6 million workers actually use these tools, and found that a striking share were pasting confidential material straight into public AI, roughly one in nine of everything pasted was sensitive (Cyberhaven, 2023). More recent work by LayerX puts it more starkly still: around 45% of enterprise staff now use generative AI, more than three-quarters of them paste data into it, and over 80% of that activity happens through personal accounts the organisation cannot see, never mind govern (LayerX, 2025). The favoured destination, by a wide margin, is the free version of a tool that may keep and learn from whatever you give it (LayerX, 2025).

This is not a story about reckless people. It is a story about capable, conscientious people using the fastest tool within reach. When an associate drafts a memorandum in half the usual time, or an analyst condenses a hundred-page report into a usable summary in seconds, they are not thinking about data custody. They are thinking about the work in front of them, and the deadline behind it. Samsung discovered this the hard way when its own engineers pasted proprietary source code into a chatbot to help them debug it. The act was competent, deliberate, well-intentioned, and the information was gone.

What makes this different from every data risk that came before it is that it is invisible. A credit-card number has a shape your systems can recognise and stop. A litigation strategy, a merger mandate, a patient history, a client's private affairs, these have no shape at all. Copy them out of a document and into a browser, and the controls most firms rely on simply never register that anything left. You cannot defend against a loss you are unable to see, and most organisations cannot see this one. It is worth being precise about what actually happens to a confidential prompt once it leaves the building.

When it does surface, the cost is not theoretical.

IBM's 2025 study of real breaches, the most rigorous of its kind, puts the average data breach at $4.44 million. In financial services it is $5.56 million. In healthcare it has been the most expensive of any industry for fifteen years running, now $7.42 million, and takes the better part of a year to contain (IBM, 2025). Where unsanctioned AI played a part, the breach cost an additional $670,000 on average (IBM, 2025). The figure I find most revealing, though, is this one: 97% of the organisations that suffered an AI-related breach had no proper controls over how AI touched their data in the first place (IBM, 2025). They had policies, in many cases. What they did not have was control.

And I would offer one last number, because it is the one that ought to keep principals awake. By one credible estimate, only around 17% of organisations have any technical means of preventing confidential data from going into these tools at all (Kiteworks, 2025). The remainder are relying on training sessions, good intentions, and an email asking everyone to be careful. I have signed a few of those emails in my time. They do not work, because they are asking people to be slower and more cautious at precisely the moment the tool is making them faster.

For a long time, the industry's answer to all of this was about location. Keep the data inside your building. Keep it on your own servers. That instinct is sound as far as it goes, but it quietly misses the real question, and once you have seen the real question, it is difficult to unsee.

The question was never truly where your data sits.

It is who can read it, and whether they can prove they did not.

There is a profound difference between handing your most confidential work to someone who promises not to read it, and handing it to something that cannot read it, and can prove it did not. A promise can be forgotten, overridden, compelled by a court, or simply broken by a failure at the other end. The 225,000 sets of AI credentials that researchers found offered for sale on criminal markets are a fair reminder of how thin a promise can be when the device holding it is compromised (Group-IB, 2024). Proof is a different category of thing entirely. And this is a distinction every lawyer, banker and doctor understands in their bones, because their whole professional standing rests upon it. We do not ask our clients to trust that we are discreet. We are bound to be, and we can demonstrate it.

That, I have come to believe, is the only honest basis on which a confidentiality-bound organisation should use artificial intelligence at all.

There are two credible ways to reach it.

The first is to bring the intelligence to the data rather than sending the data away. The AI runs on hardware inside your own environment, and the file never leaves the building. For the institution whose risk committee or regulator will accept nothing short of physical custody, this is the clean and obvious answer.

The second is the more interesting one, because it dissolves the objection I hear most often, that anything touching the cloud has, by definition, left your control. It need not have. It is now possible to encrypt a query before it leaves you, have it decrypted only inside a sealed piece of hardware that even the operator running the system cannot see into, process it in memory that remains encrypted throughout, and re-encrypt the result before it returns to you. The hardware then issues a cryptographic record of exactly what ran. Your data has left the building, yes, but it has gone somewhere no one can read it, and you are left holding the proof. That is not a promise dressed in technical language. It is the proof itself

None of this is my invention.

It is, in truth, what the rules already ask for. South Africa's POPIA requires every responsible party to secure personal information with "appropriate, reasonable technical and organisational measures", and pasting a confidential file into a public AI tool like ChatGPT is precisely the unlawful processing it exists to prevent. Europe's GDPR goes a step further and actually names encryption as the kind of measure a serious organisation should reach for. The European Union's new AI Act demands cybersecurity and resilience of the systems it regulates. The 2022 revision of ISO 27001, the security standard most of our clients are measured against, added a control on data-leakage prevention whose own guidance points directly at tools like Claude. And the King V code of governance, which takes effect this year, makes the governance of data, information and artificial intelligence an explicit duty of the board, not a task to be left to the IT department. Read those provisions for yourself; I would encourage it. Each of them is reaching for the same thing, control you can evidence. A promise does not satisfy that. Proof does.

Let me be candid about what this does not do, because anyone who tells you otherwise is selling you comfort rather than control. Using AI privately does not, on its own, discharge every obligation you carry. Governance, human oversight and sound judgement remain yours, as they should. What provable private AI does do though is remove the single largest uncontrolled exposure most confidential businesses now have - public AI - by replacing a promise you cannot stand behind with proof you can show a regulator, a client, or a court.

If any of this sounds uncomfortably familiar, the useful next step is a small one. We spend the first 30 minutes with any organisation doing a single thing: mapping where its confidential data actually goes today, and where it could go instead. You bring your own situation, and you see it with your own eyes. If you do not like what you find, you will have lost half an hour and gained a map you did not have before.

Every leader I speak to already suspects the answer to the question I began with. The only real choice is whether you would rather arrive at it deliberately, in a private conversation about how your own data moves, or after the fact, when the choice has been made for you.

You can carry on relying on a promise. Or you can hold the proof.

For the kind of custodian your clients already believe you to be, I do not think that is a difficult decision. Send me a message if you would like the proof.


Ferdie Pieterse is the Chairman of PrivateBox and the former Chief Executive Officer of Experian Africa.

References

Cyberhaven (2023) 11% of data employees paste into ChatGPT is confidential. Available at: https://www.cyberhaven.com/blog/4-2-of-workers-have-pasted-company-data-into-chatgpt (Accessed: 25 June 2026).

Group-IB (2024) Hi-Tech Crime Trends Report 2023/2024. Reported in: The Hacker News (2024) 'Over 225,000 Compromised ChatGPT Credentials Up for Sale on Dark Web Markets'. Available at: https://thehackernews.com/2024/03/over-225000-compromised-chatgpt.html (Accessed: 25 June 2026).

IBM (2025) Cost of a Data Breach Report 2025. Available at: https://www.ibm.com/reports/data-breach (Accessed: 25 June 2026).

Kiteworks (2025) The 2025 AI Security Gap: Why 83% of Organizations Are Flying Blind. Available at: https://www.kiteworks.com/cybersecurity-risk-management/ai-security-gap-2025-organizations-flying-blind/ (Accessed: 25 June 2026).

LayerX (2025) Enterprise AI and SaaS Data Security Report 2025. Available at: https://layerxsecurity.com (Accessed: 25 June 2026).

Share this post

Written by

PrivateBox Team