The NCSC's guidance on generative AI, in plain English

Business owner reading a printed guidance document at an office desk
TL;DR

The National Cyber Security Centre's guidance on generative AI reduces to a handful of operational rules for an owner-managed business. The sharpest is to keep sensitive information out of public AI tools and treat anything typed into them as published, because prompts are stored and visible to the provider. Add human review of AI output, business-tier accounts for work data, and vendor questions about prompt injection, and you have adopted the guidance in a week.

Key takeaways

- The NCSC's sharpest rule for generative AI is that sensitive information should never go into public AI tools. Treat anything typed into them as published. - Prompts to public LLMs are stored, visible to the provider, and, in the NCSC's words, will almost certainly be used to develop the service or model at some point. - Prompt injection and data leakage reach an owner-managed business through the AI-enabled products it buys, so questions to vendors matter more than technical defences. - The NCSC distinguishes public, cloud-provided private and self-hosted AI. Consumer plans count as public even when you log in; business tiers with contracts sit in the private category. - The whole of the guidance can be adopted in a week with five staff rules, one acceptable-use paragraph, and a move onto company-managed accounts.

You hear the National Cyber Security Centre has published guidance on AI and go looking for it. Twenty minutes later you are deep in adversarial machine learning, secure development lifecycles and supply chain threat models, with no obvious answer to what a 20-person firm should actually do. The guidance is written for security teams. The advice inside it comes down to a handful of operational rules you can adopt in a week. This is the owner’s translation.

What is the NCSC, and why does its AI guidance apply to your firm?

The National Cyber Security Centre is the UK government’s technical authority on cyber security, part of GCHQ. Its remit runs from critical national infrastructure down to ten-person firms, and it has published a family of guidance on generative AI, including a non-specialist advisory on AI and cyber security and a sharper blog post on the risks of ChatGPT and large language models.

The advisory is refreshingly blunt about the technology. Generative AI tools, it says, “are not magic” and “contain some serious flaws”. It names the headline risks, hallucination, bias, prompt injection and data poisoning, and asks whether the people deciding on AI in your organisation know enough to weigh risks against benefits. In a firm of 20, that person is you.

By April 2026 the Office for National Statistics found around a third of UK businesses using some form of AI, up eight percentage points on late 2025. The ICO points to the NCSC as the technical authority on cyber threats, and adopting AI changes none of your obligations under UK GDPR. What the NCSC publishes is, increasingly, the standard your clients and insurers expect an owner-managed business to meet.

What is the headline rule in plain English?

Do not put sensitive information into public AI tools. The NCSC’s blog on ChatGPT and large language models recommends that organisations “do not include sensitive information in queries to public LLMs” and “do not submit queries to public LLMs that would lead to issues were they made public”. The working translation for your staff is simple. Treat anything typed into a public AI tool as published.

The reasoning survives every change in vendor policy. Current models do not learn from your prompts in real time, so typing a client’s name into ChatGPT does not instantly teach the model about them. But the provider can see your queries, and the NCSC notes they “are stored and will almost certainly be used for developing the LLM service or model at some point”. Stored prompts can be hacked, leaked or exposed, and a provider can be acquired by a company with a different attitude to your data. Queries also add up; months of prompts under one account paint a detailed picture of your clients, pricing and problems.

So what counts as sensitive for a firm your size? Anything that would cause harm, a regulatory breach or client distrust if it appeared on a public website. That covers client and employee personal data, contract terms, pricing and negotiation positions, non-public financials, and anything about your systems, passwords and access included. I have set out the full boundary in when confidential information should never go into AI. Drafting a generic proposal template or summarising a public article sits comfortably inside the rule. Pasting a live client contract does not.

What do prompt injection and data leakage mean for the tools you buy?

Prompt injection is an attacker hiding instructions inside content an AI system reads, an email, a web page, a document, so the model does something it should not, such as revealing data or triggering an action. Data leakage is your information leaving your environment through prompts, logs or connected tools. For an owner-managed business, both risks arrive through products you buy rather than systems you build.

The NCSC’s developer-facing blog on prompt injection explains why the problem is stubborn. A large language model has no security boundary between the instructions its developer gave it and the text it is processing, so it can be talked into misbehaving by content buried in a message it reads. The NCSC suggests the weakness may never be fully engineered away. Your defence as a buyer is to ask vendors how they limit what their AI can do, and whether anything consequential, sending money, changing records, granting access, needs a human to approve it. I have unpacked the mechanics in what is prompt injection.

Data poisoning, the other term you will meet, is an attacker tampering with the data a model was trained on. It is a supplier-side risk, and your response mirrors what the ICO expects around automated decisions. Keep generative AI on the assistant side of the line, drafting and summarising with human review, away from decisions about hiring, credit or anything else that materially affects a person.

How does the guidance treat consumer tools versus business plans?

The NCSC sorts generative AI into three tiers. Public LLMs are open to anyone over the internet, and the do-not-input rule applies to them in full. Cloud-provided private LLMs are bought under a business contract, with clearer terms on how your data is handled. Self-hosted models run on your own infrastructure and are realistic only for large organisations. The same product often spans two tiers.

ChatGPT’s free and Plus tiers behave like public LLMs even though you log in, and so do Claude’s free and Pro plans. ChatGPT Business, at around $25 per user per month, states there is no training on your business data by default, and Claude’s Team plan at similar money adds admin controls and keeps ownership of prompts with the firm rather than individual staff. Both sit in the cloud-provided private category. Copilot inside Microsoft 365 falls under your existing business contract, though its AI features still send document content to Microsoft’s models for processing.

The tier does not change the mindset. Even on a business plan, prompts and documents leave your environment. The sensible sequence is to experiment on public tools with nothing sensitive in play, then move any workflow that touches organisational data onto a contracted business plan, where you can check the data processing agreement, control access and revoke accounts when someone leaves.

How do you adopt the guidance in a week?

Write five rules on one page, brief the team, and add one paragraph to your acceptable use policy. Nothing in the NCSC’s guidance asks a firm your size to hire a security specialist or understand adversarial machine learning. It asks for clear boundaries on what goes into which tool, and a habit of human review, and you can set both this week.

Here are the five rules, written to be lifted straight into a staff briefing:

  1. Treat anything you type into a public AI tool as published. If you would not post it on the firm’s website, it does not go into ChatGPT, Claude, Copilot Chat or anything like them.
  2. Keep client and staff data out entirely. Names, contact details, contract terms, pricing, HR records and system credentials never go into a public AI tool, whatever the vendor promises.
  3. Use AI for drafting, summarising and brainstorming, never for decisions about people. Treat every output as a first draft that may be wrong.
  4. Anything AI-assisted that leaves the firm gets reviewed and signed off by a named person first.
  5. Work data goes through company-managed accounts on approved business plans, never personal logins.

For the acceptable use policy, one paragraph does it. Our firm uses AI tools as drafting and analysis aids, with a person responsible for every output that leaves the building. Staff may use approved AI tools on non-confidential material, anonymised examples and public information. They must not enter client or employee personal data, confidential or privileged information, system credentials or live contractual documents into public AI systems. AI-generated content that leaves the firm or will be relied on as fact is reviewed by a named person first. AI tools are accessed through company-managed accounts on approved plans, and new tools are cleared with the owner first.

Spend the rest of the week finding out where AI is already in use, including features switched on inside software you already pay for, and move anything serious onto accounts the firm controls. That is the guidance in full working order, a set of habits rather than a security programme.

Sources

- NCSC (2023). ChatGPT and large language models, what's the risk? The source of the recommendation not to include sensitive information in queries to public LLMs, and of the warning that queries are stored and will almost certainly be used to develop the service. https://www.ncsc.gov.uk/blog-post/chatgpt-and-large-language-models-whats-the-risk - NCSC (2023, updated). AI and cyber security, what you need to know. The non-specialist advisory naming hallucination, bias, prompt injection and data poisoning as the headline generative AI risks. https://www.ncsc.gov.uk/guidance/ai-and-cyber-security-what-you-need-to-know - NCSC (2025). Prompt injection is not SQL injection (it may be worse). Developer-facing analysis of why large language models enforce no security boundary between instructions and data. https://www.ncsc.gov.uk/blog-post/prompt-injection-is-not-sql-injection - NCSC (2023). Thinking about the security of AI systems. Blog explaining prompt injection and data poisoning and why classic security principles still apply. https://www.ncsc.gov.uk/blog-post/thinking-about-security-ai-systems - NCSC, CISA and international partners (2023). Guidelines for secure AI system development. Multi-agency guidance placing secure-by-design responsibility on AI vendors, with customers still accountable for choosing and configuring products. https://www.ncsc.gov.uk/collection/guidelines-secure-ai-system-development - ICO (2023). Guidance on AI and data protection. UK GDPR principles applied to AI, including data minimisation and when a Data Protection Impact Assessment is needed. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/ - ONS (2026). Business insights and impact on the UK economy, 2 April 2026. Around a third of UK businesses reported using AI, an eight percentage point rise on late 2025. https://www.ons.gov.uk/businessindustryandtrade/business/businessservices/bulletins/businessinsightsandimpactontheukeconomy/2april2026 - OpenAI (2026). Business pricing. ChatGPT Business at around $25 per user per month, with no training on business data by default. https://openai.com/business/pricing/ - Anthropic (2026). What is the Team plan? Claude Team plan pricing, minimum seats and admin controls for organisational deployment. https://support.claude.com/en/articles/9266767-what-is-the-team-plan - Microsoft (2026). Microsoft 365 Copilot pricing. Copilot plans for business subscriptions, with Copilot Chat included in eligible Microsoft 365 plans. https://www.microsoft.com/en-us/microsoft-365-copilot/pricing

Frequently asked questions

Does the NCSC ban businesses from using generative AI?

No. The guidance treats generative AI as useful but flawed, and asks organisations to manage it rather than avoid it. The NCSC recommends keeping sensitive information out of public tools, treating outputs as untrusted drafts that need human review, and understanding how any AI-enabled product you buy handles your data. Used on non-confidential material with a person checking the output, the tools sit comfortably inside the guidance.

What does the NCSC say you should not put into ChatGPT?

Its blog on ChatGPT and large language models recommends that organisations "do not include sensitive information in queries to public LLMs" and do not submit queries that would cause problems if they became public. For an owner-managed business that covers client and employee personal data, contract terms, pricing, non-public financials and system credentials. Prompts are stored, visible to the provider, and may be used to develop future versions of the service.

Do the rules still apply if we pay for a business plan?

The strictest rule softens but the mindset stays. Business tiers such as ChatGPT Business come with contracts and a commitment not to train on your data by default, which the NCSC would class as cloud-provided private LLM use. Your data still leaves your environment, so check the data processing agreement, control who has access through company-managed accounts, and keep the highest-risk material out regardless of the tier.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.

Ready to talk it through?

Book a free 30 minute conversation. No pitch, no pressure, just a useful chat about where AI fits in your business.

Book a conversation

Related reading

If any of this sounds familiar, let's talk.

The next step is a conversation. No pitch, no pressure. Just an honest discussion about where you are and whether I can help.

Book a conversation