You hear the National Cyber Security Centre has published guidance on AI and go looking for it. Twenty minutes later you are deep in adversarial machine learning, secure development lifecycles and supply chain threat models, with no obvious answer to what a 20-person firm should actually do. The guidance is written for security teams. The advice inside it comes down to a handful of operational rules you can adopt in a week. This is the owner’s translation.
What is the NCSC, and why does its AI guidance apply to your firm?
The National Cyber Security Centre is the UK government’s technical authority on cyber security, part of GCHQ. Its remit runs from critical national infrastructure down to ten-person firms, and it has published a family of guidance on generative AI, including a non-specialist advisory on AI and cyber security and a sharper blog post on the risks of ChatGPT and large language models.
The advisory is refreshingly blunt about the technology. Generative AI tools, it says, “are not magic” and “contain some serious flaws”. It names the headline risks, hallucination, bias, prompt injection and data poisoning, and asks whether the people deciding on AI in your organisation know enough to weigh risks against benefits. In a firm of 20, that person is you.
By April 2026 the Office for National Statistics found around a third of UK businesses using some form of AI, up eight percentage points on late 2025. The ICO points to the NCSC as the technical authority on cyber threats, and adopting AI changes none of your obligations under UK GDPR. What the NCSC publishes is, increasingly, the standard your clients and insurers expect an owner-managed business to meet.
What is the headline rule in plain English?
Do not put sensitive information into public AI tools. The NCSC’s blog on ChatGPT and large language models recommends that organisations “do not include sensitive information in queries to public LLMs” and “do not submit queries to public LLMs that would lead to issues were they made public”. The working translation for your staff is simple. Treat anything typed into a public AI tool as published.
The reasoning survives every change in vendor policy. Current models do not learn from your prompts in real time, so typing a client’s name into ChatGPT does not instantly teach the model about them. But the provider can see your queries, and the NCSC notes they “are stored and will almost certainly be used for developing the LLM service or model at some point”. Stored prompts can be hacked, leaked or exposed, and a provider can be acquired by a company with a different attitude to your data. Queries also add up; months of prompts under one account paint a detailed picture of your clients, pricing and problems.
So what counts as sensitive for a firm your size? Anything that would cause harm, a regulatory breach or client distrust if it appeared on a public website. That covers client and employee personal data, contract terms, pricing and negotiation positions, non-public financials, and anything about your systems, passwords and access included. I have set out the full boundary in when confidential information should never go into AI. Drafting a generic proposal template or summarising a public article sits comfortably inside the rule. Pasting a live client contract does not.
What do prompt injection and data leakage mean for the tools you buy?
Prompt injection is an attacker hiding instructions inside content an AI system reads, an email, a web page, a document, so the model does something it should not, such as revealing data or triggering an action. Data leakage is your information leaving your environment through prompts, logs or connected tools. For an owner-managed business, both risks arrive through products you buy rather than systems you build.
The NCSC’s developer-facing blog on prompt injection explains why the problem is stubborn. A large language model has no security boundary between the instructions its developer gave it and the text it is processing, so it can be talked into misbehaving by content buried in a message it reads. The NCSC suggests the weakness may never be fully engineered away. Your defence as a buyer is to ask vendors how they limit what their AI can do, and whether anything consequential, sending money, changing records, granting access, needs a human to approve it. I have unpacked the mechanics in what is prompt injection.
Data poisoning, the other term you will meet, is an attacker tampering with the data a model was trained on. It is a supplier-side risk, and your response mirrors what the ICO expects around automated decisions. Keep generative AI on the assistant side of the line, drafting and summarising with human review, away from decisions about hiring, credit or anything else that materially affects a person.
How does the guidance treat consumer tools versus business plans?
The NCSC sorts generative AI into three tiers. Public LLMs are open to anyone over the internet, and the do-not-input rule applies to them in full. Cloud-provided private LLMs are bought under a business contract, with clearer terms on how your data is handled. Self-hosted models run on your own infrastructure and are realistic only for large organisations. The same product often spans two tiers.
ChatGPT’s free and Plus tiers behave like public LLMs even though you log in, and so do Claude’s free and Pro plans. ChatGPT Business, at around $25 per user per month, states there is no training on your business data by default, and Claude’s Team plan at similar money adds admin controls and keeps ownership of prompts with the firm rather than individual staff. Both sit in the cloud-provided private category. Copilot inside Microsoft 365 falls under your existing business contract, though its AI features still send document content to Microsoft’s models for processing.
The tier does not change the mindset. Even on a business plan, prompts and documents leave your environment. The sensible sequence is to experiment on public tools with nothing sensitive in play, then move any workflow that touches organisational data onto a contracted business plan, where you can check the data processing agreement, control access and revoke accounts when someone leaves.
How do you adopt the guidance in a week?
Write five rules on one page, brief the team, and add one paragraph to your acceptable use policy. Nothing in the NCSC’s guidance asks a firm your size to hire a security specialist or understand adversarial machine learning. It asks for clear boundaries on what goes into which tool, and a habit of human review, and you can set both this week.
Here are the five rules, written to be lifted straight into a staff briefing:
- Treat anything you type into a public AI tool as published. If you would not post it on the firm’s website, it does not go into ChatGPT, Claude, Copilot Chat or anything like them.
- Keep client and staff data out entirely. Names, contact details, contract terms, pricing, HR records and system credentials never go into a public AI tool, whatever the vendor promises.
- Use AI for drafting, summarising and brainstorming, never for decisions about people. Treat every output as a first draft that may be wrong.
- Anything AI-assisted that leaves the firm gets reviewed and signed off by a named person first.
- Work data goes through company-managed accounts on approved business plans, never personal logins.
For the acceptable use policy, one paragraph does it. Our firm uses AI tools as drafting and analysis aids, with a person responsible for every output that leaves the building. Staff may use approved AI tools on non-confidential material, anonymised examples and public information. They must not enter client or employee personal data, confidential or privileged information, system credentials or live contractual documents into public AI systems. AI-generated content that leaves the firm or will be relied on as fact is reviewed by a named person first. AI tools are accessed through company-managed accounts on approved plans, and new tools are cleared with the owner first.
Spend the rest of the week finding out where AI is already in use, including features switched on inside software you already pay for, and move anything serious onto accounts the firm controls. That is the guidance in full working order, a set of habits rather than a security programme.



