Scored separately as your AI Readiness score — it does not change your cyber-insurance posture. This may not be on your carrier’s application this year, but it’s where the industry is heading, and getting ahead of it now is a real advantage. Weak areas route you to guidance, not penalties. Includes the fast-growing “photo-to-AI” leak — staff photographing a screen and dropping it into a public AI chat.
What this area covers
Does your acceptable-use policy explicitly prohibit photographing company information or screens and uploading it — or any company data — to unsanctioned AI tools (with named tools or a clear definition of "sanctioned")?
A fast-growing risk: a staff member photographs a screen — a document, a dashboard, a customer record — and drops that image into a public AI chat tool to get help, unintentionally handing sensitive company data to an outside system.
Your network security tools never see it, so a written policy that names this specific behavior is the main defense. This question is about whether your acceptable-use policy explicitly prohibits it.
Also covered in this area
- Do you have a written AI acceptable-use policy governing which AI tools staff may use and for what?
- Are employees prohibited from entering sensitive, regulated, or customer data into public/consumer AI tools, with an approved alternative provided?
- Do you maintain an inventory of AI tools in use across the company (to surface "shadow AI")?
- Are AI tools/vendors reviewed before adoption for data residency and whether your data trains their models?
- Have staff received AI-use awareness training in the last 12 months?
- In consequential workflows (financial, legal, customer-facing), is human review of AI output required before it is acted on?
- Is a named person or role accountable for AI governance?
- Do you provide a sanctioned enterprise AI tool with data protections (no training on your inputs, zero or limited retention) so employees have an approved route?
- Which technical controls reduce company data leaving to public AI tools?
- Do employees actually know that photographing screens or data and uploading to AI tools is prohibited (not just a policy that exists on paper)?
- Can you detect when company data is uploaded to an unsanctioned AI tool?
This library is general education, not advice about your specific organization. It describes what each control is and what strong practice looks like; whether and how any of it applies to you is your decision, in consultation with your carrier, broker, or counsel.