Are You Protecting Personally Identifiable Information When Using Open-Source AI?

By Zeph Martinez, Project Manager at Kenton Brothers

Artificial intelligence is quickly becoming a part of everyday life, especially when it comes to how we work. Tools like ChatGPT and other open-source platforms make it easy to brainstorm, edit papers, write code, and even revise complex policies. They’re convenient, accessible, and honestly, kind of fun to use. But here’s the thing: while we’re getting used to relying on AI for help, a lot of us might be overlooking something important… privacy. Specifically, the protection of Personally Identifiable Information, or PII.

This all hit me during a conversation with my wife one evening.

She mentioned she was using ChatGPT to help her rewrite a policy at work. I casually asked if she was being careful about what kind of info she was putting into the tool. She laughed and said, “Of course, I always double-check the documents and remove all personal and sensitive information before I paste anything in.”

That made sense. She’s experienced and understands the risks. But it got me thinking, what about the rest of us? What about people who don’t deal with privacy laws or sensitive data on a daily basis? How many people paste private information into AI tools without realizing the risks? All it takes is one mistake for something serious to happen.

The Hidden Risk of Sharing Too Much

So, what exactly is PII? Basically, it’s any kind of data that can be used to identify someone. This includes names, addresses, phone numbers, emails, Social Security numbers, financial info, and even things like medical records. And here’s the problem, when this kind of information is shared with AI tools, especially free and public ones, there’s no real way to know what happens to it afterward.

Some platforms store your inputs to “train” the model. Others may transmit the data through external servers. Most people don’t read the fine print, and that means they don’t realize they might be giving away more than they intended.

The consequences of mishandling PII are serious. Companies could face:

• Violations of data privacy laws (like GDPR, HIPAA, or CCPA)
• Data leaks or breaches
• Loss of customer trust
• Legal and financial penalties

What’s even more dangerous is that PII isn’t always obvious. It might be tucked away in meeting notes, emails, HR records, or something as simple as a spreadsheet. AI tools are designed to pick up on patterns, so even vague or partial information can be pieced together. And if that data is exposed or stored improperly, it could be a serious problem.

We Love AI. But Can We Trust It?

AI tools are incredibly useful. As students, professionals, or just curious people, we’ve all leaned on them at some point. They help us write faster, solve problems, and even explain complicated topics in plain English. The point isn’t that we should stop using them. But we should definitely be more thoughtful about how we’re using them.

If you’re part of a team or an organization, these are some questions worth asking:

• Do we have clear policies around what can or can’t be entered into AI tools?
• Have we trained people to recognize what counts as PII?
• Are the platforms we’re using secure and compliant with privacy regulations?
• Have we reviewed our current AI use to make sure it’s safe?
• Are there safer alternatives available for sensitive work?

The bottom line is this: just because a tool is helpful doesn’t mean it’s harmless.

Why Policies and People Matter

The best way to protect PII in the age of AI is by building a culture that cares about privacy. That starts with clear policies. It doesn’t have to be a 100-page manual, but people should know what’s okay to share and what isn’t. They should know what PII looks like, and they should have someone to talk to if they’re not sure.

Training is just as important. You can’t expect people to follow rules they’ve never heard of. Regular check-ins, clear examples, and open conversations help build habits that stick.

Another big piece of the puzzle is the tools themselves. A lot of people default to free AI platforms because they’re easy to access. But there are safer, enterprise-level options that offer more control over data. Some companies are even building their own internal AI tools to avoid third-party risks completely.

It Starts with Awareness

What struck me about that quick conversation with my wife was how easy it was to overlook something big. She had the experience of recognizing the risk, but not everyone does. And the more we rely on AI, the easier it becomes to forget what kind of information we’re handing over to it.

This isn’t about fear, it’s about awareness. We all want to work faster and smarter. AI helps us do that. But if we don’t take a step back to ask, “Is this safe to share?” we might end up trading convenience for risk without even realizing it.

So maybe the real question isn’t “Should we use AI?” but rather, “Are we using it responsibly?”