
The Four AI Security Risks Every Private Capital Firm Needs to Manage

Last updated 4 June 2026


There are four distinct AI security risk categories that matter for a private capital firm. Most firms have addressed one of them.

The question firms usually ask is whether their AI tools train on their data. That question has a reasonably clear answer. It is also only one of four categories, and not the one where most firms carry their greatest exposure.

Key takeaways

  • Most enterprise and API tiers do not train on customer data, but training protection and data retention are two separate commitments.
  • Zero data retention is not the default at any major provider. It requires an enterprise-level agreement and explicit technical configuration.
  • Shadow AI accounted for 20% of AI-related security incidents in financial services in 2025. Employees using personal AI accounts bypass all enterprise data protections, with no audit trail.
  • AI agents take autonomous actions and are vulnerable to prompt injection, a documented attack vector as of 2025.

Does the AI train on your data?

At the enterprise tier, this is largely resolved.

OpenAI, Anthropic, and Microsoft Azure do not train on customer data under enterprise and API-level agreements. This commitment is contractually documented and auditable. If your firm uses an enterprise subscription or an API-backed product, the guarantee typically holds.

The place to check is consumer accounts. As of late 2025, Anthropic required consumer account holders to actively opt out before a September 2025 deadline to prevent their conversations from being used for training. Claude Pro and ChatGPT Plus apply different data policies than enterprise tiers. If an employee uses a personal account for work, the enterprise guarantee does not extend to that session.

What happens to your data after you send it?

This is where the most important distinction lies. Training on your data and retaining your data are separate commitments. Providers market the first clearly. The second is less visible.

Under standard API terms, inputs and outputs are held in provider systems for a defined period. Anthropic's API default is seven days, reduced from thirty days in September 2025. OpenAI's default is thirty days. The stated purpose is abuse monitoring. The data is not used for training, but it exists in logs accessible to support teams.

Zero data retention (ZDR) is a different posture. Under ZDR, prompts and outputs are processed in memory and immediately discarded. Nothing is written to storage. This is not the default at any major provider. It requires an enterprise-level agreement and must be activated at the configuration level. A contract that mentions ZDR without configuring it technically does not deliver ZDR.

A second layer matters for firms running AI-connected workflows. ZDR at the model level covers what the AI model retains. The connectivity infrastructure between your systems and the model, the layer that fetches documents, queries databases, or accesses fund data, has its own caching and logging behaviour. Both layers must be governed separately.

Which AI tools is your team actually using?

This is where most of the actual exposure sits.

When an employee uses a personal ChatGPT or Claude account for work, the firm has no visibility, no audit trail, and no ability to enforce data handling policies on that session. The same model, entirely different contractual terms.

Shadow AI accounted for approximately 20% of AI-related security incidents in the financial sector in 2025, according to Help Net Security's April 2026 analysis of financial sector breach data. Among the organisations that experienced those incidents, 97% lacked adequate AI access controls.

The question to ask is not whether your team exclusively uses approved tools. It is whether those tools are functional and accessible enough that employees have no practical reason to go elsewhere.

What can AI agents do without explicit authorisation?

AI agents are already embedded in products most firms are paying for. An agent is not a tool that answers a question. It is a system that takes actions: reading documents, querying connected systems, drafting communications, submitting forms.

Two risks follow directly. The first is misconfiguration: an agent with write access to your systems or communications can take actions you did not authorise. According to Proofpoint's 2025 Data Security Landscape report, 32% of organisations identify unsupervised AI agent data access as a critical threat.

The second is prompt injection. A malicious instruction embedded in a document being processed by an agent can redirect that agent's behaviour. A single hidden line in a deal memo can, in principle, instruct an agent to forward data externally. This is a documented attack pattern as of 2025 and requires no user interaction to trigger.

When evaluating any agentic tool, three questions matter: what actions it can take without human approval, whether those permissions can be scoped, and whether there is a human checkpoint before any action involving sensitive data or external communication.
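As an added illustration (not code from the original article or from any vendor's product), the three questions above expressed as a policy gate that sits between an agent and the actions it proposes. Tool names, data labels, the internal domain and the deal-memo scenario are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed placeholder for the firm's own mail domain.
INTERNAL_DOMAIN = "example-fund.internal"


@dataclass(frozen=True)
class Action:
    tool: str                          # e.g. "read_document", "send_email"
    target: str                        # document id, recipient address, record id
    data_labels: frozenset = frozenset()  # classification of data the action would expose


@dataclass(frozen=True)
class Scope:
    allowed_tools: frozenset           # question 2: permissions are scoped explicitly
    sensitive_labels: frozenset = frozenset({"fund_data", "lp_pii", "deal_terms"})


def is_external(target: str) -> bool:
    """An address is external unless it belongs to the firm's own domain."""
    return "@" in target and not target.lower().endswith("@" + INTERNAL_DOMAIN)


def decide(action: Action, scope: Scope) -> str:
    """Return 'allow', 'needs_human' or 'deny' for one proposed action."""
    if action.tool not in scope.allowed_tools:          # outside scope: refuse outright
        return "deny"
    if action.tool in {"send_email", "submit_form"} and is_external(action.target):
        return "needs_human"                             # question 3: external communication
    if action.data_labels & scope.sensitive_labels and action.tool != "read_document":
        return "needs_human"                             # question 3: sensitive data leaves
    return "allow"                                       # question 1: autonomous actions


def process(proposals, scope: Scope) -> dict:
    """Sort the agent's proposed actions into executed / held for a human / refused."""
    buckets = {"allow": [], "needs_human": [], "deny": []}
    for action in proposals:
        buckets[decide(action, scope)].append(action)
    return buckets


DEFAULT_SCOPE = Scope(allowed_tools=frozenset({"read_document", "draft_email", "send_email"}))

# Constructed scenario: after reading a deal memo that carries an injected instruction,
# the agent proposes to forward the memo outside the firm and to delete a CRM record.
MEMO_PROPOSALS = [
    Action("read_document", "memo-2025-0042", frozenset({"deal_terms"})),
    Action("draft_email", "analyst@example-fund.internal"),
    Action("send_email", "outside-party@example.org", frozenset({"deal_terms"})),
    Action("delete_record", "crm-7781"),
]
```

Because document content is treated as data rather than as permission, the injected instruction can only produce a proposal, and the gate holds that proposal for a person instead of executing it.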

The four AI security risks at a glance

| Risk | What it means | Default at major providers | How to address it |
|---|---|---|---|
| Model training | Provider trains on your prompts and outputs | Off at enterprise/API tier | Confirm in your contract; verify account tier |
| Data retention | Inputs and outputs held in provider logs after processing | 7–30 days by default | Negotiate ZDR; configure it at both model and connector layer |
| Shadow AI | Employees using personal or unapproved accounts for work | No controls in place | Standardise approved tools; make them accessible enough to use |
| Agentic AI | Agents taking autonomous actions across your systems | Broad permissions by default | Scope permissions explicitly; require human checkpoints on sensitive actions |

What this means in practice

Training protection covers one of these four categories. Zero data retention covers a second, but only if it has been negotiated and configured. Shadow AI and agentic governance require operational decisions your IT team cannot make alone: which tools are formally approved, how accessible they are to the team, and how much autonomy AI systems are allowed over your firm's data and processes.

Work through each category separately. Most of the exposure sits in the categories firms are not already watching.
