
Something subtle has shifted in how people talk about AI at work. A year ago, the conversation was dominated by excitement: which tools were fastest, which generated the most impressive output, and which could replace the most steps in a workflow.
But lately, before anyone opens a new tab, there’s a quiet hesitation. People are starting to ask: “Is it actually safe to put this in there?”
It’s a fair question. We’ve moved past using AI for simple tasks like drafting birthday emails or summarising news. Today, we’re asking these tools to handle legal contracts, financial models, HR records, and strategic plans.
That’s a completely different category of risk. Most of us instinctively feel that weight, even if the tools themselves haven’t changed much to reflect it.
The Gap Between Capability and Comfort
Between high-profile data leaks and murky terms of service, people have been given plenty of reasons to be cautious.
McKinsey’s 2024 State of AI report shows that 72% of organisations have adopted AI in some capacity, up significantly from last year. But those numbers don’t tell the whole story. Most of that usage is “safe” stuff—drafting emails or taking meeting notes. The high-value work, the kind that actually moves the needle, is largely being left untouched because people don’t trust the pipes.
The data backs this up. A Cisco survey found that over a quarter of employees have already been reprimanded for how they used AI at work, usually over privacy concerns². Meanwhile, Salesforce found that 82% of users believe secure data is the only way to build real trust in these systems³. These aren’t fringe worries; they are the mainstream reality.
We’re seeing a split in how AI is adopted. Power users in technical roles are diving in headfirst. Everyone else is dipping a toe in the water, hesitant to use AI for anything with real stakes. This isn’t a training problem—you can’t “upskill” your way out of a lack of trust.
Why “Private-by-Design” Can’t Be an Afterthought
The phrase “privacy by design” has been around since the 90s, but it’s never been more relevant than it is right now. It shouldn’t be a feature we bolt on after a security scare; it has to be the foundation.
In the AI world, “private-by-design” means a few specific things. It starts with data minimisation: a system should only see the data it absolutely needs to do the job. It means trade-offs that are written in plain English, not buried in legalese. And it requires a clear audit trail so organisations actually know what happened to their data once it entered the “black box.”
We’re also seeing regulation catch up. The EU AI Act is already setting the tone, pushing for AI that is explainable and controllable. But organisations shouldn’t wait for a law to tell them what to do. They should be building these architectures now, giving employees clear boundaries that protect them just as much as they protect the company.
From Consumer AI Experimentation to Genuine Confidence
One of the most significant dynamics in AI today is that people are already using it for sensitive work. They are not waiting for official guidance. They are turning to whatever tools are accessible and effective — often consumer AI products — to help with research, analysis, drafting, and decisions that carry real consequences.
This isn’t a policy failure; it’s a signal. People want help with the work that matters. The real question is whether the tools they’re using were built to keep that work private.
The organisations and tools that win the next phase of AI adoption will not simply be the most capable. They will be the ones that earn the right to be used for sensitive work. That means privacy protections that are real and verifiable, not just marketed.
It means clarity about what happens to data, written in plain language rather than buried in terms of service. And it means building the kind of trust that makes people reach for a tool without hesitation, even when the stakes are high.
Getting this right is increasingly a competitive issue. Organisations that can put powerful AI into the hands of their people for consequential work — with genuine confidence — can move faster, protect institutional knowledge, and build capabilities that compound over time. Those who cannot will remain in cautious, low-stakes experimentation indefinitely.
The Questions Worth Asking
There is a simple test worth applying to any AI tool you are considering for serious work: would the people using it actually reach for it when the stakes are high, or would they hesitate? That hesitation — the pause before pasting something sensitive — is more revealing than any security certification, because it reflects whether trust has genuinely been earned or just claimed.
Earning it requires real clarity, not the kind buried in terms of service documents. People need to know where their data actually goes, how long it stays there, and whether it could ever find its way back into model training or be shared in ways they did not anticipate. Jurisdiction matters too, not as an abstract compliance concern, but because data moving across regions without explanation creates uncertainty that reasonable people find difficult to ignore.
What makes this hard is that many platforms are built on terms deliberately broad enough to preserve flexibility for the vendor, which means the burden of interpretation falls on the user. That is not a reasonable position to put people in, particularly when the work is consequential.
The lock-in question is worth raising too, not as a procurement consideration but as a trust one. The deeper AI becomes embedded in how a team works, the more that team is exposed to practices that could shift. Genuine trust includes knowing that you are not trading short-term convenience for long-term dependency on terms you cannot control.
Trust as Competitive Advantage
There is a version of this story where privacy concerns are cast as obstacles, a compliance burden slowing down an otherwise straightforward technology adoption. That framing misses the point entirely.
The OECD’s AI Principles, endorsed by 46 countries, explicitly identify trustworthiness as a foundation of responsible AI deployment, alongside transparency, accountability, and robustness. These are not aspirational values. They are becoming the baseline expectations of regulators, institutional investors, and the people who actually have to use these tools every day.
Leaders who treat trust-building as a cost will find themselves constantly reactive: patching problems after they emerge, managing incidents, responding to regulatory inquiries. Leaders who treat it as an investment will find themselves ahead of requirements, with governance infrastructure already in place when it is needed.
The next phase of AI adoption will not be won by the most capable models. It will be won by the tools and organisations that people genuinely trust with work that matters. Without that trust, there are only two outcomes: AI that never gets used for anything important, or AI that does — and creates the kind of risks that make headlines for the wrong reasons.


