800 507 5770 
info@netrio.com 
By Kirk Samuels, Executive Director Cybersecurity
PE firms handle some of the most sensitive data in business. This blog explores why a written AI policy isn’t enough on its own and what establishing real protection actually looks like.
AI Policy Doesn’t Protect Deal Pipeline
Your limited partners (LPs) trusted you with their capital based on your track record, your discretion, and your judgment. If a deal were to leak because someone pasted a confidential memorandum into an AI tool, how would that conversation go?
Unfortunately, stories like that are no longer hypothetical. This is happening at firms that believe their AI usage policy has such situations covered.
But many AI policies fall short, here’s why:
The Three-Tier Problem
In assessing the AI governance of firms, a pattern has emerged: many firms think they’re farther along in AI governance maturity than they really are. Most firms are operating at Tier 1, and very few have advanced to Tier 3.
Tier 1: A Written Policy
Most firms have arrived at this stage. They’ve put something in writing: acceptable use guidelines, a prohibition on inputting confidential data into public AI tools, maybe a list of approved platforms. A document exists, it was sent to staff, and leadership feels better for having done it.
Unfortunately, a policy document doesn’t enforce itself. Without any technical or operational backing, policy is entirely dependent on people remembering it, understanding it, and choosing to follow it.
Tier 2: Technical Controls on AI Tool Access
This is where governance starts to have real teeth. Tier 2 means your organization has implemented technical controls, through Domain Name System (DNS) filtering, web proxy configurations, or endpoint security, that actually restrict which AI tools employees can reach. If a tool isn’t on the approved list, staff simply can’t access it from company devices or networks.
Two obstacles most governance discussions skip over are:
- Shadow AI: When you implement Tier 2 controls, you will discover how many people have been quietly using unapproved AI tools for months. They come out of the shadows not to confess but to ask why their workflow suddenly broke. This is not a sign that your controls are too aggressive. It’s confirmation that you needed them.
- The enterprise licensing problem: You may want to permit only the enterprise versions of tools like ChatGPT or Claude, versions with stronger data handling commitments and no training on your inputs, while blocking the consumer versions. Many existing security stacks cannot make that distinction without additional licensing. That gap may require a budget cycle to close.
Tier 2 is more meaningfully secure than Tier 1, but it only controls where your people go. It doesn’t control what they bring with them when they get there.
Tier 3: DLP Controls Tied to Data Classification
This is the tier where protection becomes real, and where very few firms are operating.
Tier 3 means an organization has implemented Data Loss Prevention (DLP) controls aligned with how they classify their data, and those controls apply specifically to AI tool interactions. In practice, an employee using an approved AI tool cannot paste or upload data that has been classified as confidential or restricted. The system enforces the policy so time isn’t wasted referring to documents.
For a PE firm, the most sensitive data is not primarily personally identifiable information (PII) or health records. It’s confidential investment data: deal pipeline information, target company financials, valuation models, due diligence findings, LP communications, and, critically, Material Non-Public Information (MNPI). MNPI exposure is not a traditional data breach. It is a securities law problem, a fiduciary problem, and a reputation problem simultaneously.
The challenge of Tier 3 is that it requires a functioning data classification program. Many firms have a policy to describe data categories, but few have tagged their data in a way that a DLP system can act on. And building a classification foundation, deciding what counts as confidential investment data, where it lives, and how it gets labeled, is often a multi-month project before a single DLP rule gets written. That work has to happen first.
What NIST Says, in Plain English
The National Institute of Standards and Technology (NIST) AI Risk Management Framework puts ‘Govern’ first among its four core functions, because governance is the prerequisite for everything else. Data privacy and information security are primary risk categories in AI deployment, and they require controls that address them at the operational level, not just the policy level.
This three-tier model is the practical translation of the NIST principle:
- A written policy addresses governance on paper
- Technical controls begin to operationalize policy
- DLP tied to data classification is how to satisfy the policy
Where Does Your Firm Stand?
If you are at Tier 1, stress-test your policy against a real scenario. Pick your three most sensitive active deals. Walk through exactly how your current policy would prevent a junior analyst from summarizing a confidential information memorandum in ChatGPT on a personal device at home. If the response is “it wouldn’t,” you have your answer.
If you are at Tier 2, the next conversation is about data classification. You cannot build Tier 3 protection without a clear, operational answer to the question: what data do we have, where does it live, and what happens if it leaves?
If you are at Tier 3, make sure your controls are being tested regularly and updated as your approved tool landscape evolves. The AI tool market is not standing still.
At Netrio, the data classification conversation is typically where we start with financial services clients, because every meaningful control downstream depends on it. That classification work becomes the foundation for any AI strategy or platform deployment, because you can’t make sound decisions about what to deploy until you know what you’re protecting.
Your team is already using AI. Is your governance keeping pace? Would your LPs agree?
If you walked through these scenarios and found your policy wouldn’t hold up, that’s where Netrio comes in to strengthen your environment and fortify your policy. Reach out to begin the conversation today.
