Skip to main content
Back to all posts
6 minAI GovernanceMay 16, 2026

Map AI Data Boundaries Before You Write Another AI Policy

AI governance starts getting useful when teams map what data can enter each AI workflow, what stays out, and where humans approve the result.

RM

Ryan Macomber

Founder, VibeSec Advisory

Most AI policy fails because nobody mapped the data first.

A policy can tell employees not to paste sensitive information into AI tools. That helps. It does not answer the daily workflow questions that actually decide whether people follow the rule.

Can support summarize a customer ticket with AI?

Can sales ask AI to draft a renewal email using CRM notes?

Can finance use AI to classify invoices?

Can an internal agent search a shared drive?

Those are not abstract governance questions. They are data boundary questions.

Short answer

An AI data boundary map is a simple workflow-level artifact that defines what data can enter an AI tool, what data must stay out, which tools are approved, where human review is required, and who owns exceptions. It turns AI governance from broad policy language into usable guardrails for real work.

The policy is not the boundary

A lot of companies start with acceptable use language.

Do not paste customer data.

Do not paste credentials.

Do not paste confidential documents.

That is a reasonable first move. It is not enough.

People do not work from policy language during a busy Tuesday. They work from the tool in front of them, the deadline in front of them, and the workflow their team already uses.

If the workflow is unclear, the policy gets interpreted differently by every person.

One employee treats all customer names as blocked. Another thinks customer names are fine if no account numbers are included. Someone else pastes a full support thread because the customer already sent it by email.

The problem is not always recklessness. Often it is ambiguity.

The risk shows up in the data

IBM's 2025 Cost of a Data Breach research frames this as an AI oversight gap. In IBM's studied breached organizations, 63 percent lacked AI governance policies. Among organizations that reported an AI-related security incident, 97 percent lacked proper AI access controls.

IBM also reported that 20 percent of studied organizations experienced breaches linked to shadow AI, and those incidents added as much as USD 670K to average breach cost. The IBM Think analysis says shadow AI disproportionately exposed customer PII and intellectual property.

Those numbers should not be treated as a prediction for every small business. They are still a useful signal.

Ungoverned AI does not stay theoretical once employees start using it with real customer records, contracts, tickets, credentials, internal notes, and proprietary work.

OWASP makes the same point from the application security side. Its LLM02 guidance on sensitive information disclosure lists PII, financial details, health records, confidential business data, security credentials, and legal documents as sensitive categories that can be exposed by LLM systems or their application context.

OWASP also warns that system prompt restrictions can help, but may not always be honored and can be bypassed through prompt injection or other methods.

That means a prompt rule is not a complete control.

Ready to apply the FORGE framework?

VibeSec Advisory helps knowledge worker teams redesign real processes using the six FORGE pillars: Baseline, Skills, Agents, Guardrails, Schedule, and Capture. The next step is advisory intake, not checkout.

Get the Starter Kit Common Questions

You still need a boundary around the workflow.

What an AI data boundary map should answer

A data boundary map does not need to be complicated.

Start with one workflow and answer these questions:

  1. What business process is this?
  2. Who owns the workflow?
  3. What AI tool or model is approved for this workflow?
  4. What data is allowed to enter the AI tool?
  5. What data is blocked?
  6. What systems can the AI tool read from?
  7. What systems can the AI tool write to?
  8. What output requires human review?
  9. What action requires explicit approval?
  10. Where is the activity logged?
  11. Who approves exceptions?
  12. When will this boundary be reviewed again?

That list is boring on purpose.

Boring is useful here.

A support workflow might allow product documentation, public help articles, and sanitized ticket summaries. It might block payment data, authentication details, full customer records, and internal security notes.

A sales workflow might allow public company information and approved account notes. It might block contracts, discount approvals, private procurement details, and personal contact data that is not needed for the task.

A finance workflow might allow vendor names and invoice categories. It might block bank details, tax identifiers, payroll data, and any document that has not been approved for AI processing.

The point is not to create perfect rules for every possible case.

The point is to remove the guesswork from the work people already do.

Where this fits in FORGE

This starts in Baseline.

Baseline asks what the workflow is today, who touches it, what systems are involved, what data moves through it, and where the bottleneck lives.

Then Guardrails turns that map into controls.

Guardrails define the data boundary, approved tools, review points, action limits, logging, escalation path, and exception owner.

Security belongs inside that guardrail work. It is not a separate add-on after the AI workflow is already live.

This is why a data boundary map is often more useful than another policy draft. It connects the written rule to the operational reality.

A practical first pass

Pick one workflow where AI is already being used or requested.

Do not start with every team. Do not start with a 40-page governance program. Start with one real process where the business value is obvious and the data risk is knowable.

Use three labels for data:

  • Allowed: safe for the approved AI tool in this workflow.
  • Restricted: only allowed after sanitization or human approval.
  • Blocked: never allowed in this AI workflow.

Then add a review gate.

For low-risk work, the review gate might be a human checking the final draft before it leaves the company. For higher-risk work, it might be manager approval before any customer-specific, financial, legal, health, or credential-related data enters the tool.

The CISA, NSA, FBI, and international AI Data Security guidance stresses data classification, access controls, encryption, provenance, monitoring, and ongoing risk assessment across the AI lifecycle. Small businesses do not need to copy federal agency complexity, but they should copy the principle.

Know the data. Limit access. Review risky use. Keep evidence.

Evidence, assumptions, and opinion

Measured evidence: IBM and Ponemon reported specific breach statistics from studied breached organizations, including the governance gap, AI access control gap, and cost impact of shadow AI incidents.

Standards and guidance: OWASP highlights sensitive information disclosure risks in LLM systems. CISA and partners emphasize securing AI data across the lifecycle. NIST AI RMF gives organizations a govern, map, measure, and manage pattern for AI risk.

Opinion: For most small and mid-sized teams, the fastest useful governance artifact is not a broad AI policy. It is a one-workflow AI data boundary map.

The close

AI governance gets real when someone can answer a simple question:

What data can this workflow safely give to AI, and what has to stay out?

If the answer is unclear, do not expand the workflow yet.

Map the boundary first.

If you want a lightweight starting point, download the free FORGE AI Workflow Starter Kit. Use it to identify AI touchpoints, data boundaries, review gates, and guardrails before automation spreads.

Sources

  • IBM, Cost of a Data Breach Report 2025: https://www.ibm.com/reports/data-breach
  • IBM Think, Cost of Data Breach analysis for data leaders: https://www.ibm.com/think/insights/data-matters/cost-of-a-data-breach
  • OWASP LLM02 Sensitive Information Disclosure: https://genai.owasp.org/llmrisk/llm02-insecure-output-handling/
  • CISA AI resources: https://www.cisa.gov/ai
  • Joint AI Data Security information sheet: https://media.defense.gov/2025/May/22/2003720601/-1/-1/0/CSI_AI_DATA_SECURITY.PDF
  • NIST AI Risk Management Framework: https://www.nist.gov/itl/ai-risk-management-framework
  • NIST AI 600-1 Generative AI Profile: https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf
Previous

Your AI Agent Needs a Tool Inventory Before It Needs More Policy

Related Posts

AI Governance6 min

Your AI Agent Needs a Tool Inventory Before It Needs More Policy

Before an AI agent touches files, APIs, databases, or customer systems, map the tools it can call and the decisions humans must approve.

Read post
AI Strategy7 min

AI Rewards People Who Learn by Doing

AI does not replace learning. It tightens the feedback loop for people who believe they can figure things out and stay engaged with the work.

Read post
FORGE Methodology8 min

Secure Your AI Coding Assistant in 5 Minutes

Claude Code, Cursor, Copilot — whatever you use, it probably has no security guardrails configured. This prompt generates a role-specific CLAUDE.md with secret detection, file access boundaries, and approval gates in under five minutes.

Read post

AI Workflows Weekly

Practical notes on governed AI workflows, guardrails, and safer automation. No spam, unsubscribe anytime.

By subscribing, you agree to receive marketing emails from VibeSec Advisory. You can unsubscribe at any time. Privacy Policy

Ready to apply the FORGE framework to your team?

Map your first process in 10 minutes and get deliverables within 48 hours. No call required.

Map Your ProcessCommon Questions

Cookieless analytics only. No ad tracking. Privacy