Michael Cohen is a seasoned finance professional and venture capital entrepreneur with decades of experience in investing, technology, and data infrastructure. Based in the San Francisco area, Michael Cohen serves as an investment director at Shanghai Automotive Industrial Corporation, where he identifies and develops strategic investment opportunities across emerging sectors such as artificial intelligence, mobility, and advanced data systems. His background includes leadership roles in venture capital, data center operations, and investment oversight, along with extensive experience in due diligence and technology strategy. With direct exposure to AI-driven innovation and enterprise data environments, his perspective aligns closely with the operational and governance considerations organizations face when evaluating the use of AI tools with sensitive information.
Checks to Make Before Using AI With Sensitive Data
As AI tools become easier to use at work, risk can outpace internal review. An employee can paste a customer email thread, a contract draft, or part of a product plan into a polished tool in seconds. AI here means software that generates answers, drafts, or summaries from prompts and source material. Before employees use sensitive information in that kind of system, a company needs to verify the rules and safeguards governing the tool, the data, and the task.
That review starts with the meaning of sensitive data. In a business setting, it can include customer information, employee records, financial results, legal documents, health-related information, and other confidential internal material. If employees send that information outside approved channels, store it without safeguards, or enter it into an unapproved service, the company can face legal exposure, security problems, customer distrust, or disclosure of internal plans.
One early check is whether employees understand what they may and may not enter into the tool. Many mistakes begin when staff treat an AI product as a consumer app rather than a business system governed by internal rules. Teams need clear examples and approval rules showing which uses are prohibited, which are lower risk, and when review is required.
Another check is what happens to the submitted material after entry. A company should know whether the service stores prompts, keeps uploaded files, records interactions, or sends information outside the company’s controlled environment. It should also know where the service stores information, how long the provider keeps it, and which steps send data outside the company.
That review does not end with storage and transfer. A separate question is whether the provider reuses submitted material for training or model improvement. Because the answer can vary by vendor and product tier, the company should defer higher-risk uses until it confirms the commitment in clear product or contract language.
Rules alone are not enough if too many employees can access the tool. Structural limits reduce exposure by restricting who can use the system and which tasks require approval. Not every employee needs the same permissions, especially when the work involves regulated data or valuable internal material. Limiting access by role is usually more responsible than opening the tool to the whole organization.
Some categories of information also come with binding restrictions that a company cannot waive internally. Customer agreements may limit outside processing, health-related information can trigger formal compliance duties, and confidentiality terms may narrow where data may go and how vendors or connected systems may use it. Before a team uses AI with regulated, confidential, or client-provided material, it needs to know which legal, contractual, and security requirements already apply.
Vendor review matters as much as internal policy. A polished demo can show speed and ease of use, but the more important review concerns retention practices, security controls, incident handling, contractual responsibility, administrative settings, and connected tools. The company should review the specific product it plans to use, not marketing language.
Even a satisfactory vendor review should not lead straight to a company-wide rollout. A better approach is to begin with lower-risk uses such as formatting, routine drafting, or summarizing material that does not contain highly sensitive information. That limited rollout tests whether approvals, restrictions, and monitoring hold up in ordinary work. When a company still cannot pin down where sensitive material goes, who can reach it, or what duties follow it, that uncertainty is a warning sign, and delaying broader use becomes the sounder business decision.
About Michael Cohen
Michael Cohen is a finance professional and venture capital entrepreneur with extensive experience in investing, technology, and data infrastructure. He serves as investment director at Shanghai Automotive Industrial Corporation, where he focuses on identifying and developing strategic opportunities. His background includes leadership roles at Global Crossing Ventures, Advanced Data Centers, and Venovate Marketplace. Cohen has worked extensively in software, data centers, and AI-related sectors, and has guided investments in companies across mobility and advanced technology markets.

