Here’s a question that keeps CISOs up at night: if OpenAI and Anthropic both promise not to train on your company’s data, why does sensitive corporate information keep ending up in AI models anyway?
The answer, it turns out, has less to do with the AI companies and more to do with Karen from accounting using her personal ChatGPT account to summarize confidential financial reports.
Both OpenAI and Anthropic have now made their enterprise privacy positions explicitly clear. OpenAI does not train models on data from ChatGPT Enterprise, Team, or EDU tiers by default. Anthropic offers the same guarantee for Claude Enterprise, Team, and Edu customers. Your corporate data stays your corporate data. On paper, problem solved.
The consumer account loophole
The critical distinction both companies draw is between enterprise and consumer tiers. And that distinction is where things get uncomfortable for businesses.
As of September 2025, Anthropic updated its consumer-tier policy to allow training on user chats unless individuals specifically opt out. OpenAI has maintained a similar approach with its free and Plus consumer tiers for some time.
Studies conducted between 2025 and 2026 have found that a notable share of AI prompts generated by employees on unapproved consumer accounts contain confidential information. Think proprietary code, internal strategy documents, customer data, financial projections. All of it potentially feeding into training pipelines that the company’s IT department never sanctioned.
Data retention adds another layer
Even within properly configured enterprise accounts, data doesn’t simply vanish after a conversation ends. Default retention periods for enterprise data monitoring typically sit at around 30 days. In some cases, Anthropic allows retention windows as short as 7 days.
This retention exists for legitimate reasons: abuse monitoring, safety reviews, and compliance obligations. But it also means that sensitive prompts, even on enterprise-grade accounts, persist on third-party servers for a meaningful window of time.
For industries operating under strict regulatory frameworks, whether that’s healthcare, finance, or legal services, even a 7-day retention window requires careful evaluation. The question isn’t just “will they train on my data?” It’s “who can access my data during the retention period, and under what circumstances?”
The irony is thick: OpenAI and Anthropic have largely done their part by building clear walls between enterprise and consumer data. The breach point isn’t the technology. It’s the humans using it.
Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.

4 hours ago
4
















English (US) ·