The Personal AI Subscription Problem: What Your Consultants, Lawyers, and Auditors Are Doing With Your Confidential Data
Your external consultants, lawyers, and auditors are using personal ChatGPT Plus, Claude Pro, and Microsoft Copilot subscriptions to work on your confidential files. Consumer AI subscriptions are not covered by your firm-level data processing agreements. OpenAI's consumer terms allow training on conversations unless users actively opt out — and most do not. Your NDA almost certainly prohibits disclosing confidential information to third parties without consent. Most professional services agreements were written before personal AI subscriptions existed at scale. This memo dissects the exposure, who bears the liability, and what every enterprise must demand in its next professional services MSA.
Key Numbers
- 73% of workers use AI tools their employers have not sanctioned (McKinsey, 2025)
- ChatGPT Plus: the price point at which your confidential data enters a consumer AI model
- professional services MSAs written before 2024 that address personal AI subscription use
- US states with data breach notification laws triggered by unauthorized third-party data disclosure
Background
In a survey conducted by McKinsey in 2025, 73% of knowledge workers reported using AI tools that their employers had not sanctioned. The number is not surprising. What is surprising is that almost no enterprise has applied the same scrutiny to its external advisors — the consultants, lawyers, auditors, and contractors who work on its most sensitive strategic, financial, and legal matters.
The pattern is consistent across every major professional services category. A McKinsey associate uploads a client’s five-year financial model to ChatGPT and asks it to draft the executive summary. An outside counsel attorney pastes a draft merger agreement into Claude and asks for redline suggestions. An audit senior uses Copilot to summarize board minutes containing material non-public information. A Big 4 consultant inputs client HR data into a personal AI account to build an organizational restructuring model faster.
None of these individuals believe they are doing something wrong. Most believe they are being more efficient. Some have explicitly been told by their firm to “use AI where possible.” Almost none have stopped to ask whether the AI subscription they are using is the enterprise-licensed account their firm controls — or the personal account they signed up for with a personal email address.
The distinction matters enormously. Enterprise AI licenses at professional services firms — McKinsey’s Microsoft Copilot deployment, Deloitte’s PairD, KPMG’s custom Azure OpenAI environment — include data processing agreements, opt-out of model training, contractual confidentiality obligations, and access controls. Personal subscriptions do not. OpenAI’s consumer ChatGPT terms, as of mid-2025, allow conversation data to be used to improve models unless the user navigates to settings and toggles off training data use. Most users have not done this. The default is permissive.
The legal exposure sits at the intersection of three frameworks that were independently designed and have never been reconciled with each other in the context of personal AI use: standard NDA and confidentiality provisions in professional services agreements, data protection law (particularly GDPR’s data processor requirements), and the professional duty of confidentiality that governs licensed attorneys, CPAs, and registered auditors. All three are potentially violated by the same act: a consultant pasting client confidential information into a personal AI subscription.
The enterprise client is almost certainly not covered. The professional services firm may have enterprise AI policies — but those policies are internal governance documents, not contractual commitments to the client. The firm’s enterprise AI license does not bind the individual who chose to use their personal account instead. And the client’s MSA, written before personal AI subscriptions existed as a workflow tool, almost certainly contains no provision addressing the question at all.
Decision Required
The decision every enterprise with active professional services relationships must make: Do your existing agreements with external consultants, lawyers, and auditors prohibit or regulate the use of personal AI subscriptions on your confidential work — and if not, how do you close that gap before your next engagement commences?
More specifically: your NDA likely says that confidential information may not be disclosed to third parties without your consent. A personal AI subscription is a third-party service. The individual consultant, not the firm, agreed to that service’s terms. Whether that disclosure constitutes a breach of your confidentiality agreement depends on how “third party” and “disclosure” are defined in your specific agreement — language that was drafted long before this use case existed.
If you are waiting for a regulator or a litigation event to settle that question, you are waiting for the wrong trigger. The question of whether your confidential data is currently in a consumer AI training corpus does not wait for legal resolution.
Options
1. Rely on the firm's internal AI use policy to govern individual consultant behavior, without adding contractual requirements to your MSA. This is the current default for most enterprise-firm relationships. It means your confidentiality protections depend entirely on whether the firm's policy is well-designed, whether it is actively enforced, and whether individuals comply without audit. None of these assumptions are verifiable by you. If a breach occurs, your recourse is limited to the contractual terms that exist, which, for pre-2024 MSAs, were not written to address this scenario. This posture is only defensible for low-sensitivity, non-regulated engagements.
2. Amend your standard MSA and SOW template to require: (1) written disclosure of AI tools used on the engagement, with a distinction between firm enterprise-licensed accounts and personal subscriptions; (2) a representation that no personal AI subscriptions will be used on confidential work product without your prior written consent; and (3) an annual certification that the firm's AI use policy covers the engagement and applies to all individuals with access to your confidential information. This approach is enforceable, verifiable at engagement start, and does not require you to monitor ongoing behavior. It shifts the compliance obligation explicitly to the firm. It is the minimum viable posture for any engagement involving sensitive financial, legal, personnel, or strategic information.
3. In addition to the disclosure and certification requirement, require a data processing addendum (DPA) that names all AI tools and subprocessors used on the engagement, confirms no model training occurs on your confidential data, and establishes audit rights for AI tool use. This is the appropriate posture for regulated industries (financial services, healthcare, legal, public sector) where the confidential data includes personal data subject to GDPR, CCPA, HIPAA, or other data protection frameworks. It is a higher administrative burden, but it is the only posture that creates a documented, auditable record of how your data was processed, which regulators increasingly require. For enterprises in the EU, this is not optional: if the firm is a data processor under GDPR Article 28, the DPA is a legal requirement, not a best practice.
Recommendation
Implement the disclosure and certification requirement immediately for all new engagements, and schedule a renegotiation conversation with your top-ten external advisors — the firms that have access to your most sensitive work — within the next 90 days.
The language to add to your MSA template is not complicated. It should include: a definition of “AI tools” that covers LLM-based applications, copilots, and coding assistants whether accessed via API, enterprise license, or personal subscription; a prohibition on using personal AI subscriptions on confidential work without prior written consent; a requirement to disclose the specific enterprise AI systems and subprocessors used on the engagement upon request; and an explicit confirmation that the confidentiality clause applies to AI-processed outputs, not just raw inputs.
For ongoing engagements, the approach depends on leverage. If you are a significant client of the firm, a direct conversation with the engagement partner requesting a contract amendment is appropriate. If you are not in a position to renegotiate, the fallback is to implement a classification protocol for what you share externally — reserve the highest-sensitivity materials for formats that do not lend themselves to AI processing, and limit sharing of model-ready structured data where possible.
For EU-based enterprises or any enterprise whose external advisors process EU personal data: the GDPR Article 28 question is not optional. If the firm is processing data that includes EU personal data on your behalf, the firm is your processor, and any AI tool vendor it routes that data through, enterprise or personal, is a sub-processor. Article 28 requires a written contract with the processor, your prior authorization of each sub-processor, and flow-down of the same data protection obligations to that sub-processor; in practice, your agreement must include a DPA that names the AI tools. The fact that a tool is a personal subscription does not change the obligation; it makes the obligation harder to satisfy and more likely to be missed, because consumer terms are accepted by the individual rather than the firm and are not written as processor agreements. Start with your legal and audit firms first, then expand to management consultants.
Risks
If consultants have been using personal ChatGPT accounts on your engagement work, and those accounts were created before OpenAI introduced the training opt-out setting in April 2023 — or if the opt-out was never configured — then portions of your confidential work may have been used in model training. There is no mechanism to identify this after the fact, no retrieval process, and no notification obligation on OpenAI’s part. The exposure is not theoretical and it is not reversible. It argues for treating this as a remediation issue rather than a prevention issue: assume the exposure has already occurred for pre-2024 engagements and scope the forward-looking controls accordingly.
Even if your MSA contains language that arguably prohibits the disclosure, proving that a specific consultant used a personal AI subscription on your specific confidential data requires cooperation from the firm and access to individual account logs — neither of which you are entitled to under standard professional services agreements. The practical enforcement path is through contractual amendment and prospective controls, not retrospective litigation. The value of the new contract language is deterrence and clear obligation, not litigation readiness.
If the confidential work involved EU personal data (employee records, customer data, transaction records) and the firm used an AI tool not covered by an Article 28 DPA, both you (as data controller) and the firm (as data processor) may have violated GDPR. Article 28 requires a written contract with each processor and the controller's prior authorization of any sub-processor the processor engages; a consumer AI subscription accepted by an individual consultant satisfies neither. The data controller bears primary regulatory liability for ensuring that all processors comply. Supervisory authorities in Germany, France, and the Netherlands have explicitly stated that AI tools used by processors that lack DPAs are a GDPR compliance issue. If a breach notification is triggered, the absence of an Article 28 DPA will be the first question the regulator asks.
Attorneys, CPAs, and registered auditors all have professional duties of confidentiality enforced by their licensing bodies. In theory, unauthorized disclosure of client confidential information via a personal AI subscription could constitute a professional conduct violation. In practice, bar complaints and professional discipline proceedings are slow, uncertain, and create no direct financial recovery for the affected client. Regulatory censure of a consultant does not make the enterprise client whole. Do not rely on professional licensing consequences as the primary control.
Questions Your Team Should Be Answering
These are the questions that distinguish organizations that get this right from those that do not. If your team cannot answer them, that is your first deliverable.
1. Does your current MSA template contain any language that explicitly addresses AI tools, whether personal, enterprise, or otherwise? If not, when was it last updated, and who owns the update decision?
2. Have you asked your top-ten external advisors whether their firm-level AI policy explicitly prohibits personal subscription use on client engagements, and whether that prohibition is technically enforceable or purely a policy statement?
3. Do you share structured, model-ready data formats (Excel models, clean CSV exports, structured JSON) with external advisors? If so, have you assessed how easily that data could be pasted into a consumer AI tool and what controls prevent it?
4. If your external law firm uses a personal AI subscription on a privileged communication, does that use constitute a waiver of attorney-client privilege? Has your general counsel assessed this question?
5. For any engagement involving EU personal data: does your DPA with the external firm cover AI subprocessors? Has the firm provided a list of AI tools used on your account and confirmed they are covered by an appropriate Article 28 agreement?
6. Do you have an incident response protocol for discovering that confidential data was processed via an unsanctioned third-party AI tool? Who is notified, what is the investigation process, and what are the notification obligations to regulators or counterparties?
7. Have you asked your external auditors, specifically, what AI tools are used during audit fieldwork, whether those tools are enterprise-licensed, and whether your audit agreement includes any representation about AI data processing?