Playbook

AI Security Fundamentals: What Every Leader Needs to Know Before Their Team Starts

Your team is already using AI. The question is whether they're doing it with guardrails or without. This guide gives you the vocabulary, the framework, and a 30-day plan to close the gap.

The AI Governance Gap

45% of your employees are already using AI tools you haven't approved. That's not a future risk. That's a regular Tuesday.

AI adoption has moved faster than most companies' ability to govern it. 88% of employees use AI at work to some degree, with usage at 94% of knowledge workers.

That gap between usage and oversight is where risk lives.

Nearly 80% of teams have no meaningful AI governance. ClickUp's survey of 30,000+ professionals found that:

49.8%

describe their AI policy as "The Wild West"

29.8%

operate under "Don't Ask, Don't Tell" approach

The risks worth understanding

Data leakage: An employee pastes a customer list, a contract, or source code into a public chatbot to "summarize it" and loses control of where that information goes

Quiet inaccuracy: A team ships a report, a forecast, or a policy memo containing AI-generated facts that nobody verified

Shadow tooling: Different teams adopt different AI tools, each with its own access scope, its own data retention policy, and its own security posture

Prompt injection: An AI assistant reads a malicious email or webpage and follows hidden instructions inside it, exfiltrating data or taking unintended actions

Compliance drift: Regulated data ends up processed by a tool that wasn't cleared for it. The audit trail doesn't exist

Sources: The risks of shadow AI in the workplace (Rochester Business Journal, March 2026), EY Work Reimagined Survey (2025), ClickUp AI Usage Gap Report, ClickUp AI Governance Risk Survey (July 2025)

The 7 Concepts That Govern AI Security

The following concepts will help you build enough vocabulary to push back on hand-waving from vendors, from enthusiastic employees, and from your own assumptions.

1. Training data vs. input data: Your sales team types deal terms into a chatbot every day. If the vendor uses those inputs to improve their model, your competitive information has entered a pipeline you don't control, where it may be reviewed by annotators or retained in training logs.

Training data is what built the model before you arrived; input data is what your people type into it now. These should stay separate, and the vendor should confirm that in writing.

2. Data retention: Legal drafts a sensitive M&A memo using an AI tool, and the deal falls through. The memo may still be sitting on the vendor's servers, subject to subpoena, breach, or insider access long after you've stopped thinking about it.

Ask how long prompts and outputs are stored, where, and what the deletion process actually looks like when you request it.

3. Hallucination: Your finance team ships a board deck with three market-size figures the AI generated, and nobody catches them because the numbers feel reasonable. Language models generate text by predicting plausible next words, not by retrieving verified facts, so confident-sounding output isn't the same as accurate output.

4-19%

is where the AI hallucination rates sit in 2026, depending on model, task family, and reasoning configuration

12.4%

is the average hallucination rate of AI citations—the worst-performing task family

Any workflow where AI output reaches a decision-maker without someone checking the specific claims will eventually produce a confidently wrong answer at an inconvenient moment.

4. Prompt injection: Your AI assistant summarizes incoming emails, and one email contains instructions telling the AI to take an action it shouldn't. The AI follows them because it reads everything in its context as one stream, with no reliable way to separate content from commands.

Exposure grows with what the AI is connected to: a text summarizer is contained, an assistant with email and calendar access is not.

5. Agentic AI: You give an AI permission to schedule meetings, update CRM records, and send follow-ups. A misread cue that would have produced an awkward sentence in a chatbot can now send the wrong proposal to the wrong account before anyone sees it.

84%

security and IT leaders admit AI agents can access sensitive data

67%

suspect those agents have already accessed data beyond their intended scope

Before granting any agent permission, ask what the worst plausible outcome of a single misfire would be, and whether you'd catch it in time.

6. Grounding (RAG): A customer asks your AI chatbot about your refund policy. Without grounding, the model answers from training plus whatever sounds reasonable, sometimes inventing policies you don't have. With grounding, it retrieves your actual policy document and answers from that source.

75-90%

reduction in citation hallucination comes from retrieval grounding

5-15%

reduction comes from prompting alone

The tradeoff: whatever the retrieval system can reach, the chatbot can surface, and most organizations find their document access controls are looser than they thought.

7. Model context: An employee pastes a thread containing a client NDA into a chatbot for a quick summary. That NDA now sits in the model's context window alongside the prompt, attached files, conversation history, and any tools the AI can call.

Anything in context can influence the response and, where tools are available, potentially be acted on through them. Train people to treat what they share with an AI the way they'd treat what they send in an email.

Here's what this looks like when security is handled at the platform level:

chris bender

Chris BenderVP of Security, ClickUp

The ideal solution hides the complexity of all the backend LLMs into a single agreement with one vendor. The vendor handles, through their contracts and app, all the complexity of setting a single AI standard. We don't have to worry about all the specifics of what LLMs or models. It's just so nice.

Source: AI hallucination rate benchmarks 2026 (Digital Applied), 2026 State of AI Agent Identity Security (Akeyless)

A Framework for AI Guardrails: The SAFER Model

Use SAFER as a checklist before any team rolls out an AI workflow. Each letter is a question you should be able to answer.

SAFER model


A useful test: Pick one workflow your team wants to use AI for. Walk through SAFER and if you can't answer any pillar with a concrete sentence, that's where the work is.

Questions to Ask Any AI Vendor

What to ask your AI vendor:

• Is our input data used to train your models or anyone else's? Can we opt out by default?

• How long are prompts and outputs retained? Is retention configurable?

• Who are your sub-processors, and where is data processed geographically?

• Do you support SSO, role-based access control, and audit logs we can export?

• How do you handle prompt injection and other model-layer attacks?

• Do you publish a security and trust page with current certifications (SOC 2, ISO 27001)?

• If your model takes actions on connected systems, what scopes are required, and can we restrict them?

• What is your incident notification policy and timeline?

A 30-Day Plan to Put Guardrails in Place

You can be meaningfully better in a month. Let’s see how:

Week 1: See what's actually happening

• Send a short, no-blame survey asking which AI tools people are using, what tasks they're using them for, and what data they're feeding in

• Check what your existing security tools already show. Most network and endpoint platforms can surface AI service usage

• Identify the top 3 workflows by volume. These are where guardrails will pay off most

Week 2: Decide what's allowed

• Write a 1-page acceptable-use policy that names approved tools, defines 3 data classes (public, internal, sensitive), and specifies which classes are allowed in which tools

• Set a default rule: "Don't paste anything you'd be uncomfortable seeing in a screenshot." It's a fine starting line

• Name an owner for AI usage whose job is to keep this list current

Week 3: Tighten the stack

• Confirm, for each approved tool, that data isn't used for training, retention is configured appropriately, SSO is on, and admin roles are minimal

• Disable or block clearly risky tools that lack business accounts, clear data terms, or admin controls

• Scope permissions for any agentic AI to the minimum it needs. "Read a calendar" is different from "send emails on my behalf."

Week 4: Train, document, monitor

• Run a 30-minute team session covering the policy and three real examples of what to do and what not to do

• Set a quarterly review on the calendar: tools, usage, incidents, and what's changed in the market

• Define a simple incident path: one channel, one owner, one runbook

ClickUp

Want AI built for how your team already works?

ClickUp Brain operates inside your workspace with SSO-enabled, role-based permissions, audit logs, configurable data residency, and a default that excludes your data from model training. It's backed by SOC 2 Type 2, ISO 27001, and ISO 42001, with zero data retention agreements across all LLM providers.

See how these guardrails map to your setup.

AccentAccent
AccentAccentclickup-brain-1
Trusted by the best
SOC 2
CERTIFIED
ISO 27001
CERTIFIED
GDPR
COMPLIANT
HIPAA
COMPLIANT