When Companies Should Let AI Vendors Train on Their Data 

Law firm Greenberg Traurig is pushing back against the conventional wisdom that companies should never allow AI providers to access their data. Attorneys Andrew Tibbetts and Kieran Dwyer argue that the issue requires more careful thinking than a simple yes or no.

“While companies are right to be careful with their data, it is important to understand that allowing a vendor access to data does not have to be an all-or-nothing decision,” the attorneys wrote in a new analysis. They suggest companies should weigh factors like what they’re using the AI for, what types of data are involved, and how sensitive that information really is.

The security industry offers a compelling example. Companies have used AI to detect cyber threats for years, long before ChatGPT made headlines. These systems work by analyzing network traffic to spot suspicious patterns that humans or traditional software might miss.

The catch? Security AI works best when it can learn from as much threat data as possible. That means vendors often need to train their systems on data from multiple customers to stay effective. Some security products are built this way from the ground up, making it technically impossible to wall off one company’s data from the learning process.

“These AI technologies perform best when they have access to as much threat information as possible because access to more data improves the accuracy of the model,” the attorneys explain.

Related: AI Developers Avoid Details in Initial Training Data Disclosures Under California Statute

Companies should still protect confidential and personal information, even with security vendors. But the lawyers point out that many security companies already spell out clearly how they use threat data. They also warn that newer AI features, like chatbots added to security dashboards, should get separate scrutiny since they’re not essential to core security functions.

Beyond security, there are other situations where data sharing makes sense. When AI systems make mistakes, letting vendors learn from those errors can improve results for everyone. This mirrors how software companies have long used customer feedback to fix bugs and add features.

Data that is not sensitive or proprietary presents another opportunity. Take an AI system that routes invoices and handles payments. The routing process itself probably isn’t a trade secret. Letting the AI learn from that workflow could make the system more accurate. But the actual invoice amounts or customer names? Those might need to stay off limits.

The same logic applies to AI that creates public-facing content like marketing materials. There’s little risk in letting systems train on information that was meant to be shared anyway.

The attorneys stress that protecting data remains critical for meeting privacy laws and keeping competitive information under wraps. Most companies will still need broad restrictions on how AI vendors use their data. But smart contracts can include exceptions for specific cases where training actually benefits the customer.

As AI tools become more common and more sophisticated, companies will need to revisit these decisions regularly. The key is finding the middle ground: locking down what truly matters while leaving room for improvements that make the technology work better. Getting that balance right could mean the difference between AI that barely helps and AI that transforms how work gets done.