Employee NDAs and AI Tools: What Employers Should Know

Reviewing and signing a business agreement. Photo: Mikhail Nilov via Pexels.

Artificial intelligence tools can help employees work faster — summarizing information, drafting communications, and analyzing large amounts of text. But when employees use public or third-party AI tools with company information, those same tools can create confidentiality, data-security, and compliance risks. For employers, the question is not whether AI should be used at all. It is whether employees understand what information they may enter into AI tools, which tools are approved, and what safeguards apply when confidential or proprietary information is involved.

An NDA Helps, But It Is Not a Complete AI Policy

A nondisclosure agreement is an important tool for protecting confidential information. It can define what information is confidential, restrict how that information may be used, and provide remedies if an employee discloses it improperly. But an NDA alone does not prevent an employee from making a mistake.

If an employee copies customer data, source code, financial projections, product plans, or other sensitive information into an external AI platform, that information may leave the company’s controlled environment. Depending on the wording of the NDA, the company’s policies, the AI provider’s terms, and the surrounding facts, that conduct may create a breach-of-contract, trade-secret, privacy, or compliance issue. That is why employers should not assume a general confidentiality clause is enough. AI use should be addressed directly in employee agreements, internal policies, training materials, and technology controls.

Why AI Inputs Can Create Confidentiality Risk

The risk depends on the tool. Some AI providers offer enterprise settings, data-retention controls, contractual privacy commitments, and options that restrict whether user inputs are used to improve the service. Other tools may store prompts, allow human review, route data through third-party systems, or provide fewer administrative controls. For that reason, employers should evaluate AI tools before employees use them for business purposes. Important questions include:

• What information does the tool collect?
• Are prompts or uploaded files stored?
• Can the provider use inputs to train or improve its models?
• Are human reviewers permitted to access submitted content?
• Where is the data processed or retained?
• What security, audit, and deletion controls are available?
• Does the tool meet the company’s contractual, privacy, cybersecurity, and industry-specific obligations?

Employees often think of AI prompts as informal work instructions. In practice, a prompt can contain sensitive business context, confidential documents, personal information, customer details, or proprietary strategy. Even a short prompt can disclose more than intended.

Possible Consequences of Improper AI Use

Improperly entering confidential information into an AI tool can create serious consequences. Depending on the circumstances, those may include:

• Breach-of-contract claims — if the conduct violates an NDA, employment agreement, invention-assignment agreement, vendor contract, or internal policy incorporated into an agreement.
• Trade-secret issues — if the disclosure undermines reasonable efforts to maintain secrecy.
• Privacy or data-protection concerns — if personal information, employee records, customer data, health information, financial information, or regulated data is involved.
• Employment consequences — if the employee violates company policy or mishandles confidential information.
• Regulatory or contractual exposure — if the company has obligations to customers, business partners, regulators, or industry bodies.

Not every AI-related mistake will result in litigation or loss of legal protection. The legal effect depends on the specific facts, the type of information disclosed, the agreements in place, the AI provider’s terms, and the steps the company took to protect the information. But the risk is significant enough that employers should address it before a problem occurs.

How Employers Can Reduce the Risk

Employers should take a layered approach — combining contract language, clear policies, training, and technical controls.

1. Update confidentiality language

Employee NDAs and confidentiality provisions should address whether and how confidential information may be used with AI tools. The language should be specific enough to cover prompts, uploaded files, pasted text, screenshots, recordings, source code, datasets, and other inputs.

2. Create an AI-use policy

A separate AI-use policy can explain which tools are approved, what types of information may not be entered into external tools, who can approve exceptions, and what employees should do if information is submitted by mistake.

3. Train employees with practical examples

Training should not rely on abstract warnings. Employees should see examples of risky prompts — prompts that include customer names, unreleased product details, confidential pricing, source code, deal terms, personnel information, or privileged communications.

4. Review vendor terms and settings

Before approving an AI tool, employers should review the provider’s terms, privacy commitments, retention settings, security controls, audit features, and model-training options. Enterprise or API-based tools may offer stronger protections than consumer-facing tools, but the details matter.

5. Use technical controls where appropriate

Policies are easier to follow when supported by technology. Employers may consider access controls, approved-tool lists, data-loss-prevention systems, logging, monitoring, and restrictions on uploading certain types of files or data.

6. Plan for mistakes

Employees should know how to report accidental disclosure quickly. A prompt-reporting process can help the company investigate what was submitted, assess contractual or regulatory obligations, and take mitigation steps.

The Bottom Line

AI tools can be valuable, but they should not be treated as private workspaces by default. Employers should decide which tools are appropriate, define what information may be used, and make sure employees understand the rules. A well-drafted NDA is still important — but in the AI era, confidentiality protection also requires clear policies, employee training, vendor review, and practical safeguards. Companies that update their approach now will be better positioned to use AI productively while protecting confidential information.

Frequently Asked Questions

Can using ChatGPT or another AI tool violate an NDA?

It can, depending on the facts. If an employee enters confidential information into an AI tool in a way that is not authorized by the NDA, company policy, or applicable agreement, the conduct may create breach-of-contract or confidentiality issues.

Should employee NDAs mention AI tools?

In many cases, yes. An NDA does not need to list every technology by name, but employers should consider language that clearly covers AI tools, prompts, uploaded files, automated processing, and third-party platforms.

Is it safe to use AI tools for work if no confidential information is included?

The risk is lower, but employees should still follow company policy. Even prompts that seem harmless can reveal business context, internal strategy, customer information, or other sensitive details.

What should employers do first?

Employers should identify how employees are currently using AI, review existing confidentiality agreements and policies, approve appropriate tools, and train employees on what information must not be entered into external AI systems.

Do enterprise AI tools eliminate the risk?

No. Enterprise tools may offer stronger controls, but employers should still review the provider’s terms, settings, security commitments, retention practices, and data-use restrictions before allowing confidential information to be processed.

This article is general information from Accord & Shield Legal, PLLC and is not legal advice. Reading it does not create an attorney-client relationship. For guidance on your specific situation, please consult a qualified attorney.