Every week, a lawyer pastes a privileged memo into a chatbot to tighten the language. A developer drops proprietary source into an assistant to chase a bug. A clinician summarizes a patient note. Each is a small, reasonable act. Together they are the largest uncontrolled outflow of sensitive data most organizations have ever had — and almost nobody is measuring it.
The cloud isn't insecure. It just isn't yours.
The reflexive objection to AI privacy concerns is "isn't the cloud secure?" Yes. The major providers run security operations most enterprises could never staff or fund. But that's the wrong question. For sensitive work, the question isn't whether a vendor is competent — it's who holds the data, under whose jurisdiction, under what contract, and whether you can prove to a regulator, a court, or a client exactly where it went and that it was never retained or used to train anything. Secure and yours are different properties, and confusing them is how careful organizations end up exposed.
There's also an asymmetry that changes the whole risk calculation. Most security failures are recoverable: you rotate the key, patch the hole, force a password reset. The disclosure of privileged or regulated information is not like that. It is one-way. Once a confidential document has been processed somewhere you don't control, you cannot reach in and make it un-happen.
You can rotate a leaked API key in seconds. You cannot un-leak a privileged memo.
Where the data actually leaks: the prompt
When people picture a data breach, they picture an attacker. The modern leak is quieter and entirely self-inflicted. Shadow AI is the new shadow IT — except the exfiltration path isn't an unsanctioned app, it's a text box, and the data walks out the door one helpful prompt at a time. Your best people are doing it because the tools genuinely make them faster, and because no one ever told them where the line was.
Enterprise agreements help, but read them carefully. A no-training clause is good; it is not the same as the data never leaving your premises. You have still moved the crown jewels onto infrastructure you don't own, governed by terms you didn't write, reachable by a subpoena served on someone else. For routine work that's a fine trade. For the work that defines the firm, it often isn't.
Four places "in-house" stops being optional
- Legal. Privilege and work-product protection are fragile. The moment privileged material is handed to a third party, you may find yourself arguing about waiver instead of arguing your case.
- Healthcare. PHI, HIPAA, and minimum-necessary aren't suggestions. A business-associate agreement that doesn't squarely cover model processing is a gap with patients' records in it.
- Finance. Material non-public information, fiduciary duty, and market-abuse surveillance don't coexist with pasting deal data into a consumer tool. The control environment has to extend to the model, not stop at the firewall.
- Code & IP. Your source is your moat. A model that ingests it is a model that can, under the wrong conditions, echo it. The crown jewels shouldn't be training someone else's system.
The capability gap quietly closed
For years, on-prem meant a sacrifice: local models were toys, so keeping data home meant giving up most of the value. That era is over. Open-weight models you can run on your own hardware now handle the bread-and-butter of enterprise AI — drafting, summarizing, retrieval-augmented Q&A over your own documents, code assistance — at a quality that, by widely-cited 2025–26 evaluations, rivals last year's frontier on exactly these tasks. You are no longer trading away the work to protect the data.
On-prem used to mean choosing privacy over capability. In 2026 you mostly stop having to choose.
What a practitioner actually does (it's tiered)
The mistake at the other extreme is to air-gap everything — that's its own kind of failure, expensive and slow, and it pushes frustrated employees right back into the consumer tools you were trying to avoid. The real skill is classification. Draw the line deliberately, once, instead of letting every employee draw it accidentally in a chat box.
Crown-jewel data — privileged, regulated, IP-defining — runs locally or air-gapped and never leaves the building. Routine, non-sensitive work can use the cloud where it's cheapest and fastest. A private deployment also buys you things the public cloud rarely gives cleanly: a deterministic audit trail, data residency you actually control, and a system that keeps working when the internet — or the vendor — doesn't. And at steady volume, inference on hardware you own can undercut per-token cloud pricing, so privacy and unit economics end up pointing the same direction.
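To make the "draw the line deliberately, once" idea concrete, here is an added example of a prompt router: it classifies an outgoing prompt against the four categories listed above, sends anything sensitive to the on-prem endpoint, and records a hash-chained audit entry that stores a digest of the prompt rather than its text. It is illustration written for this page, not code from the post or from any Local AI product; the endpoint URLs, the detection patterns, and the sample prompts are constructed assumptions, and a real deployment would tune the patterns to its own data.

```python
"""Tiered prompt router: keep crown-jewel prompts on-prem, log decisions without logging content."""
import hashlib
import json
import re
from datetime import datetime, timezone
from typing import Optional

# Hypothetical endpoint names (assumptions for illustration; not real services).
TIERS = {
    "local": "http://llm.internal.example:8080/v1",  # on-prem or air-gapped model
    "cloud": "https://api.cloud-llm.example/v1",      # sanctioned cloud model
}

# Illustrative detectors for the four categories the post names. A false positive only
# means a cheap request goes to the local tier, so the rules deliberately err toward matching.
RULES = {
    "legal": [r"\bprivileged?\b", r"attorney[- ]client", r"\bwork[- ]product\b"],
    "healthcare": [r"\bPHI\b", r"\bMRN\b", r"\bdate of birth\b", r"\bdiagnos(?:is|ed)\b", r"\bpatient\b"],
    "finance": [r"\bMNPI\b", r"material non-?public", r"\bterm sheet\b", r"\binsider\b"],
    "code": [r"\bdef \w+\(", r"^\s*(?:import|from) \w+", r"#include\s*<", r"\bfunction \w+\s*\(",
             r"-----BEGIN [A-Z ]*PRIVATE KEY-----", r"\bAKIA[0-9A-Z]{16}\b"],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE | re.MULTILINE) for p in pats] for cat, pats in RULES.items()}


def classify(prompt: str) -> set:
    """Return the set of sensitive categories detected in a prompt (empty if none)."""
    return {cat for cat, pats in COMPILED.items() if any(p.search(prompt) for p in pats)}


def route(prompt: str, user_tier: Optional[str] = None) -> dict:
    """Pick a tier. Sensitive content always stays local; a user may force 'local'
    for routine work but can never push sensitive content to 'cloud'."""
    cats = classify(prompt)
    tier = "local" if cats or user_tier == "local" else "cloud"
    return {"tier": tier, "endpoint": TIERS[tier], "categories": sorted(cats)}


class AuditLog:
    """Append-only, hash-chained audit trail. Each entry commits to the previous one, so an
    edited or deleted entry is detectable. Only a SHA-256 of the prompt is kept, never the
    text, so the log does not become one more copy of the sensitive data."""

    def __init__(self):
        self.entries = []
        self._prev = "0" * 64

    def record(self, user: str, prompt: str, decision: dict, when: Optional[datetime] = None) -> dict:
        entry = {
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "user": user,
            "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
            "prompt_chars": len(prompt),
            "tier": decision["tier"],
            "categories": decision["categories"],
            "prev": self._prev,
        }
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._prev = entry["hash"]
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain from the start; any tampered entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or expected != e["hash"]:
                return False
            prev = e["hash"]
        return True


# Constructed sample prompts, one on each side of the line the post draws.
SAMPLE_PROMPTS = {
    "alice": "Tighten the language in this privileged memo to the client about the merger.",
    "bob": "def parse_claims(data):\n    return [c for c in data if c['paid']]\n# why does this drop unpaid claims?",
    "carol": "Rewrite this newsletter intro so it sounds friendlier.",
}


def run_demo() -> AuditLog:
    """Route every sample prompt and return the resulting audit log."""
    log = AuditLog()
    for user, prompt in SAMPLE_PROMPTS.items():
        log.record(user, prompt, route(prompt))
    return log


if __name__ == "__main__":
    for e in run_demo().entries:
        print(f"{e['user']}: {e['tier']} {e['categories']} (prompt sha256 {e['prompt_sha256'][:12]}...)")
```

The two design points worth copying are the asymmetry in `route` (a user can opt into the local tier but never out of it) and the audit log that proves where each prompt went without retaining the prompt, which is the kind of deterministic trail a private deployment makes possible.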
This is the same instinct behind getting the rest of your AI strategy right: knowing which problems to solve where. It's why we treat secure, private deployment as one discipline inside a broader AI transformation, not a bolt-on.
The question to ask before your next rollout
Not "which model is best." Ask this instead: if this exact data appeared on the front page tomorrow, or in opposing counsel's hands, what happens? For a growing class of work, the only acceptable answer is "it can't, because it never left the building." That's the standard we design to — and it's exactly what our Local AI work is built to deliver.
Keep your most sensitive AI in the building.
A short, candid call. We'll map which of your AI work belongs on-prem or air-gapped, which is fine in the cloud, and how to draw the line without slowing your people down.