Would Your Boss Read Your Prompts? Private AI, Explained
Find Threat Talks on
Would you still use ChatGPT if your boss could read every prompt you typed?
Every day, employees paste source code, contracts, and customer records into AI tools you do not control, on the assumption that the provider will not look. That assumption is now a compliance exposure, not a convenience. If you cannot say what data left your organization through AI this week, you cannot defend it to an auditor, a regulator, or your board.
Rob Maas, Field CTO at ON2IT, sits down with Derk Bell, Senior Developer at ON2IT, to map the real exposure: why a single prompt leaks more than a search ever did, why agents turn that leak into an automated pipeline out of your CRM and codebase, and how Confer, built on the protocol family behind Signal, lets you replace “trust us” with privacy you can verify and prove.
What you’ll learn
- One prompt leaks more than a search ever did. And agents automate it, straight out of your CRM and codebase.
- “Trust us” is not a compliance defense. Feed regulated data into a public model and it can become a reportable leak.
- Privacy you can prove, not promise. How Confer finally makes “never trust, always verify” apply to AI.
Your cybersecurity experts
Episode details
Most security leaders cannot quantify how much data leaves the organization through AI, and that is the problem. A search is a handful of keywords. A prompt is the opposite: it carries the memory of earlier conversations, the contents of files the model judges relevant, and increasingly whatever an agent fetches on a user’s behalf. Derk’s distinction matters at scale. When a person pastes into a chat, they at least control what they share. When an agent runs, it decides, and an MCP connection lets it lift a client list from your CRM or read a calendar straight into a prompt bound for a remote provider. Multiply that across a workforce and you have an exfiltration channel no one approved and no one is watching.
That is the gap Confer is built to close, and Derk explains it with an analogy every employee knows: the annual HR survey. You are told answers are processed anonymously. You cannot verify it. You simply trust it. Now picture the survey running inside a sealed, transparent box: you can see the wiring, confirm it only ever computes an average, watch it refuse to run on a single entry, and see it destroy everything inside once the deadline passes. Swap the survey for an AI conversation and you have the model for verifiable, auditable privacy.
Under the hood, Confer runs inside a trusted execution environment, an isolated program the hardware vendor guarantees cannot be read or modified while running, with encrypted memory. It hands you a fingerprint of exactly what is running, so you or your security team can inspect the open source and confirm it answers the prompt and stores nothing. A Noise channel, the same protocol family that powers Signal, sets up the encrypted link, and the keys, bound to that specific chip, are destroyed when the session ends. Even a Confer employee with a full memory snapshot would hold nothing but ciphertext. The point for a security leader: the privacy guarantee is one you can demonstrate, not one you take on faith.
Who should care first? CISOs and teams under GDPR or similar regimes, where customer data in a public model is a breach waiting to be reported; CTOs protecting intellectual property and unreleased strategy; and anyone accountable for agentic AI reaching into production systems. Derk’s argument is that AI is becoming critical infrastructure, and more sensitive data flows into it every day. The optimistic close: this does not have to be a trade-off, and if the industry adopts verifiable privacy the way it adopted Signal, the whole ecosystem gets safer.
Get your Hacker T-shirt
Join the treasure hunt!
Find the code within this episode and receive your own hacker t-shirt for free.





