Artificial Intelligence is transforming the workplace, with organizations racing to deploy AI tools driven by the promise of unprecedented productivity, efficiency, and strategic advantage. A key part of this transformation is AI Communications, or “aiComms” — the new layer of interaction between humans and intelligent systems.
But as AI moves from experimentation to large-scale deployment, a complex challenge has emerged: the governance of aiComms. While IT security teams have spent years hardening network perimeters and securing digital workplaces, there are new risks coming from inside these walls. AIComms risks are being generated within Microsoft Copilot, Zoom AI Companion, Anthropic’s Claude, and ChatGPT. Organizations are having difficulty situating AIComms risks in the context of both the glut of existing communications data and increasingly diverse security and telemetry information. This is the “last-mile” of AI security—the point where human decisionmaking meets machine-driven intelligence—and it is where most modern governance strategies are currently failing. The ability to discern the specific business uses of GenAI within an organization is critical to appropriately assessing AIComms risk.
What are aiComms
When employees use AI tools like Microsoft Copilot and Zoom AI Companion alongside large language models (LLMs) such as Anthropic, OpenAI, and Gemini, they create a new category of AI-generated communications or “aiComms”. They also introduce a new workplace participant: the generative and agentic AI that interacts directly with employees.
These AI-driven interactions are not limited to “internal only” or “temporary” communications—AI is drafting emails for clients, surfacing data in response to prompts, and summarizing client meetings. Each of these interactions produces communications that may be subject to oversight, compliance, and ethical considerations.
What Are the Risks
Recent research across 500 financial service firms shows that while nearly all (99%) are deploying AI, 88% report challenges with AI governance and data security. This new class of aiComms is exponentially increasing both the volume of communications generated, and the complexity of regulatory compliance oversight. It also introduces new and evolving risks that extend across data security, regulatory compliance and conduct, ranging from prompt manipulation and hallucinations to sensitive data exposure.
The speed of AI adoption is outpacing the maturity of governance frameworks.
- Security and Privacy Risks
- 45% of firms struggle to detect whether confidential or sensitive data has been exposed in generative AI outputs.
- Sensitive data — such as PII, credit card details, or confidential client information — can appear in prompts or responses without detection.
- AI systems may inadvertently surface or summarize restricted data, creating exposure risks that traditional DLP tools may miss.
- Compliance and Recordkeeping
- 47% of organizations report difficulty ensuring that AI-generated content meets regulatory requirements.
- AI interactions related to regulated business activity must be captured, supervised, and archived — just like human communications.
- Regulatory bodies have reinforced that existing rules apply equally to AI-generated content. FINRA’s 2026 Annual Regulatory Oversight Report reminds firms that remain responsible for communications regardless of whether they are generated by humans or AI. In the UK, the FCA has similarly reiterated that existing regulatory frameworks apply to AI-enabled activities.
- Behavioral and Ethical Risks
- 41% of firms are identifying new, risky user behaviors as employees interact with AI tools.
- Techniques like “Jailbreaking” are being used to bypass guardrails, access restricted data, or manipulate outputs.
- Even without malicious intent, employees may engage in more subtle misuse like prompt steering — using AI to access information above their authorization level or to test system boundaries.
- These behaviors create governance and ethical blind spots that traditional IT controls cannot detect.
Who is Managing the Risks?
As organizations define how AI responsibility and governance should be shared, many are actively building and refining controls and guardrails to ensure that AI is adopted safely and responsibly.
- IT Security teams concentrate on attacks, vulnerabilities, and data protection but often lack visibility into user behavior and context.
- Compliance teams focus on retention and supervision of regulated interactions but may not have the remit or tools to detect unethical AI use—such as an employee prompting AI systems to view confidential files “without leaving a trace,” or probing for colleagues’ compensation data through iterative prompts.
Why AI Communications Are the “Last Mile” in AI Security
Traditional security frameworks protect systems, networks, and data. But the last mile — where humans and AI interact — is where intent, context, and compliance converge. This is the point where:
- Sensitive data can be exposed through prompts or summaries.
- AI can be manipulated to reveal information it shouldn’t.
- Employees can unintentionally breach policy through natural conversation with AI tools.
Security guardrails alone are not enough. Even when guardrails are in place, AI systems can inadvertently expose PII, client data, MNPI, or confidential internal documents through user behavior. Organizations need behavioral visibility — the ability to see how users and AI systems interact, detect anomalies, and understand context across multiple records and tools.
The “last mile” is the attempt to thread these often disparate data sources, formats, and risks together as a unified whole. Understanding the content and context of AIComms and how they intersect with both organizational risks and the existing set of communications data is key.
Enabling Safe AI Adoption
Blocking access to AI tools is not a viable strategy. Overblocking drives users to unmonitored “shadow IT” and undermines innovation. Instead, organizations must focus on visibility, oversight, and accountability, to ensure they can:
- Capture and supervise AI interactions in full conversational context, not just isolated prompt-response pairs.
- Detect behavioral patterns such as jailbreaking or unethical prompt steering.
- Inspect content for sensitive data exposure, prompt injection, or potential misconduct.
- Reconstruct conversations, including within related communication strands of chat, audio, and email, to ensure accuracy, completeness, and traceability.
- Remediate off-policy content and demonstrate to regulators that oversight mechanisms are effective in practice.
Organizations that establish comprehensive oversight — combining content inspection, behavioral analytics, and contextual supervision — will be best positioned to unlock the full value of AI safely. By securing the last mile of AI communications, firms can enable innovation with confidence, protect sensitive data, and meet evolving regulatory expectations.
