An AI audit is a structured analysis of your business workflows, tools, and operations to identify where artificial intelligence can create the most value. It includes a discovery call, review of current processes, a written report with prioritized AI opportunities, and an AI readiness score.

How long does AI implementation take?

Implementation timelines vary by scope. A quick win implementation takes 1-4 weeks for a single workflow. Full multi-workflow implementations typically take 4-12 weeks. Most clients see measurable results within the first month.

Do I need technical knowledge to use AI in my business?

No. Dragonfly AI handles all the technical setup. We work with business owners who know their operations but don't have technical teams. You don't need to understand AI to use it — you just need the right setup, and that's what we provide.

What types of businesses does Dragonfly AI work with?

We primarily work with service businesses with 2-50 employees, including real estate, legal, financial services, healthcare, marketing agencies, home services, insurance, staffing, and consulting firms.

How much does AI consulting cost?

Pricing depends on scope. Strategy calls start at $350. AI audits range from $750-$1,500. Quick win implementations are $1,000-$3,500. Full implementations range from $3,500-$15,000+. Advisory retainers start at $1,000/month.

← Back to Blog

April 14, 2026·8 min read·Jake Lee

What Anthropic's AI Leak Should Teach Every Business Owner About Data Privacy

AI SecurityData PrivacyAI ToolsSmall BusinessAI Strategy

Last week, Anthropic accidentally published 512,000 lines of internal instructions for Claude Code — their AI coding assistant — on a public website. They called it human error. They pulled it down quickly. And then the internet spent 72 hours debating what it meant.

Most of that coverage asked the wrong question. The question being asked was: "Is Claude's AI compromised? Is the technology unsafe? Did hackers get something dangerous?" Those aren't the questions that matter if you run a 5 to 50 person business using AI tools every day.

The question that matters is: what should this actually teach you about what's at risk when your team uses AI?

The answer is more practical and less dramatic than the headlines suggest. But it's genuinely worth understanding — because most business owners haven't thought through this, and the real risk isn't where people are looking.

What Was Actually in the Leak

Let's start with what was actually published, because the reporting got fuzzy here.

It wasn't user data. It wasn't conversation history. It wasn't your business's information or anyone else's. What got published was something called system-level instructions — the internal rules, behavioral guidelines, and tool definitions that tell Claude Code how to behave. Think of it as the employee handbook the AI follows internally. Rules like: when a user asks you to do X, handle it this way. When you encounter situation Y, apply these constraints. Plus definitions for what tools and capabilities the model has access to.

This matters to Anthropic as a company. It reveals competitive information about how their product works — the kind of detail that took significant engineering effort to develop. But it's not a security incident that exposes end users. No conversations were published. No client information, financial data, or proprietary business content was in that file. The people affected are Anthropic's competitors, not Anthropic's customers.

So when you hear "Anthropic had a security incident," that's accurate. When you hear "AI tools are unsafe and your data is at risk," that conclusion doesn't follow from what actually happened here.

That said — this event opens a conversation that every business using AI should have. Not about what Anthropic leaked, but about what your team might be sending into AI tools every day without thinking about it.

The Real Exposure for Your Business

Here's the thing most business owners don't know: the data risk from AI tools doesn't come from vendors accidentally publishing internal documents. It comes from what your team types into these tools every single day.

Every time someone on your team opens ChatGPT, Claude, Gemini, or any other AI tool and types a prompt, they're sending information to that vendor's servers. That information gets processed, logged, potentially reviewed by quality teams, and in some cases used to improve future models. Exactly how that data is handled depends on which plan you're using and what the vendor's privacy policy actually says.

I've seen business owners type things like this into free AI accounts:

Client names, contact information, and project specifics
Employee performance notes and HR concerns
Financial projections and internal revenue data
Proprietary service methods they've spent years developing
Confidential information shared under NDA

All of that went to a vendor's servers. On a free account, much of it may have been eligible for use in model training. None of these business owners had thought about that when they sat down to "just get some help with a draft."

That's the real risk. Not a company accidentally publishing its own internal documentation. Your team sending client information through a free-tier AI tool every Tuesday afternoon — and nobody having thought through what happens to it next.

Free vs. Paid: The Privacy Difference That Actually Matters

This is one of the most important distinctions in AI tool usage, and it gets glossed over constantly.

On free tiers of most major AI tools, your inputs may be used to improve the model. OpenAI's free tier has historically permitted conversations to be used for training. On paid business plans — ChatGPT Business, Claude team plans, enterprise agreements — your data is explicitly excluded from training. The vendor commits in writing not to use your inputs to train future models.

That's not a minor policy footnote. It's a material privacy difference. If you're running any information through AI tools that you'd consider sensitive — client details, financial records, internal processes, anything shared under confidentiality — you should be on a paid business tier. Not because the free version is bad technology. Because the data handling terms are categorically different.

OpenAI recently dropped ChatGPT Business to $20 per seat per month. Claude's team plans are in a similar range. For a five-person team, that's $100 per month. If your team regularly uses AI with business-sensitive information, that $100 is cheap compared to the alternative — which is your client's details potentially being eligible for use in a model training dataset. That's not a hypothetical risk. It's the default behavior on free accounts unless you've taken steps to opt out.

A Plain-English Breakdown of Each Major Vendor

Not all AI vendors handle data the same way. Here's where the main ones actually stand:

OpenAI (ChatGPT): Free tier conversations have historically been used for model training. Business and Enterprise plans opt out of training by default. Conversations are retained for 30 days on most plans. You can request deletion through account settings.

Anthropic (Claude): The free claude.ai tier allows Anthropic to use conversations for training. Claude Pro and team plans have stronger privacy protections. Anthropic has generally taken a more conservative stance on data use than most competitors — but the plan tier still matters significantly.

Google (Gemini): This one varies significantly depending on where you're accessing it. Consumer Gemini has permissive data use terms. Gemini inside Google Workspace with a paid business plan falls under Google's enterprise privacy terms, which are substantially more restrictive. If your team is using Gemini through the Google app without a Workspace subscription, you're on consumer terms.

The consistent pattern across all of them: consumer free tiers allow more permissive data use. Business paid tiers are more restrictive. Enterprise agreements provide contractual protections with legal teeth. For a small business, the business paid tier is the right minimum bar. Enterprise agreements are designed for organizations with legal teams reviewing vendor contracts.

The Five-Step Audit to Run This Week

Most business owners assume that because they haven't thought about AI data privacy, it isn't a problem. That's rarely how exposure works. Here's a fast audit that takes about an hour.

Step 1: Find out who on your team is actually using AI tools. Don't assume you know. Ask directly. You may find that your office manager, your salespeople, your project lead, and your bookkeeper are all using different tools — some free, some paid, some you've never heard of. This is more common than most owners expect.

Step 2: Find out what they're putting into these tools. Not whether they're using them correctly — just what content they're inputting. Ask a few team members to walk you through two or three recent prompts. You'll quickly get a sense of whether they're generating generic content or typing business-sensitive information into a free account.

Step 3: Check which accounts are free and which are paid. For any team member using AI with client information or internal business data, they should be on a paid account. If they're on a free account, either upgrade it or establish a clear rule: free accounts are for personal use only, not for business content.

Step 4: Read the privacy policy for any tool your team uses regularly. You're looking for two specific things: whether your data is used for training (and how to opt out if you want to), and how long the vendor retains your conversation history. Most AI vendors now have a plain-language privacy summary. It takes ten minutes to read. Do it for your top two or three tools.

Step 5: Write a two-sentence AI data policy. Something like: "Team members may use AI tools for business tasks only on paid business accounts. Do not input client names, financial information, or any information shared in confidence into free-tier AI tools." That's enough. Put it in your team handbook or shared wiki. Most data incidents happen because nobody told people the rule — not because people were trying to do something wrong.

What the Anthropic Incident Actually Reveals

Strip away the headlines and here's what this incident actually shows: AI companies are complex organizations building complex systems, and they make operational mistakes. Sometimes a file gets published that wasn't supposed to. Sometimes a policy doesn't say what a team thought it said. This is true of every technology company, and it's especially true of companies moving fast at the frontier of what's technically possible.

That's not an indictment of AI as a category. It's a reminder that "trusting the AI company" is not a data security strategy. The discipline of managing what goes into AI tools — which data, on which accounts, with what policies in place — is the actual security work. And it lives on your side of the equation, not theirs.

The Anthropic incident didn't expose user data. But it's a useful reminder that these systems are built by humans, run by humans, and subject to all the operational risks that implies. Assuming everything is handled for you — that the vendor has thought of everything, that the defaults are configured for your situation, that nothing you type goes anywhere sensitive — is a comfortable assumption that usually holds until it doesn't.

The businesses I've seen handle this well have one thing in common: they treat AI tools like any other software that touches sensitive information. They've thought through what goes in, where it goes, and what happens to it. It's not a complicated exercise. It just requires doing it deliberately, which most small businesses haven't gotten around to yet.

Priority Order If You Find Gaps

If you run the audit and find something concerning, here's where to focus first:

First: Upgrade any accounts that have been processing sensitive data on free tiers to paid business plans. This is the fastest fix with the most direct impact. Do it before anything else.

Second: Write and distribute a simple AI data policy. One paragraph. No legal review needed at this stage. It just needs to exist and be communicated to your team this week.

Third: Review your vendor list. If you're using an AI tool you've never looked up a privacy policy for, look it up now. If you can't find one, don't use that tool for business content until you can.

Fourth: Set a six-month review reminder. AI vendor policies change. New tools get introduced. Teams grow. A one-time audit that never gets revisited stops being useful fast. Fifteen minutes every six months keeps you current without it becoming a project.

None of this requires a security consultant or a legal team. It requires an hour of your time and a decision to treat AI tools as seriously as you'd treat any other software your business depends on.

The Anthropic leak was a reminder that AI companies aren't infallible. The right response isn't anxiety about AI — it's a clear-eyed look at your own setup. That's a 90-minute exercise, not a $50,000 engagement.

If you want help auditing your team's current AI tool usage or putting a practical data policy in place that actually gets followed — book a free call here. We'll cover the essentials in 30 minutes and you'll walk away knowing exactly where you stand.

Share this article:

X / Twitter LinkedIn

← All Posts