Data Classification Guide for AI Systems

Procedure DATA

Purpose

Rules for classifying data before submission to AI tools, including AI-specific classification levels and decision matrices.

Related Controls

ISO A.8, NIST GV-6, OWASP LLM06

1. Classification Levels

Define the data classification tiers and what qualifies for each level.

Overview

All data processed by or submitted to AI systems must be classified before use. [ORGANIZATION NAME] uses a four-tier classification system aligned with the enterprise data governance framework, with AI-specific sub-classifications that account for the unique risks of AI processing.

Classification Tiers

Tier 1 — Public

  • Definition: Information intended for public disclosure or already publicly available
  • AI Risk Level: Minimal
  • Examples: Published marketing materials, open-source code, public documentation, publicly available datasets, press releases
  • AI Usage: May be submitted to any approved AI system without restriction

Tier 2 — Internal

  • Definition: Information intended for use within [ORGANIZATION NAME] that would not cause significant harm if disclosed
  • AI Risk Level: Low to Moderate
  • Examples: Internal process documentation, non-sensitive meeting notes, organizational charts, internal training materials, anonymized metrics
  • AI Usage: May be submitted to enterprise-approved AI systems only. Public AI tools are prohibited. Audit logging is required.

Tier 3 — Confidential

  • Definition: Sensitive information whose disclosure could cause material harm to [ORGANIZATION NAME], its customers, or its partners
  • AI Risk Level: High
  • Examples: Source code, proprietary algorithms, customer lists, financial forecasts, strategic plans, employee performance data, pre-release product information
  • AI Usage: Enterprise-approved AI systems with a signed Data Processing Agreement (DPA) that prohibits vendor data retention. Requires manager approval and full audit trail.

Tier 4 — Restricted

  • Definition: Highly sensitive information subject to regulatory, legal, or contractual protections
  • AI Risk Level: Critical
  • Examples: PII subject to GDPR/CCPA, PHI under HIPAA, PCI cardholder data, authentication credentials, encryption keys, attorney-client privileged material, M&A information
  • AI Usage: Generally prohibited. Case-by-case approval from CISO and Legal required. On-premises AI systems only. Full audit trail mandatory.

2. AI-Specific Rules

Document rules that are unique to AI processing and go beyond standard data classification.

AI Amplification Risk

AI systems introduce data risks that do not exist in traditional data processing. These AI-specific rules supplement — and in some cases override — standard data classification controls.

Rule 1: Aggregation Escalation

When multiple data elements at Tier 2 (Internal) are combined in a single AI prompt, the aggregate classification escalates to Tier 3 (Confidential) if the combination could reveal sensitive patterns. Example: individual employee names (Tier 2) combined with salary ranges (Tier 2) and department restructuring plans (Tier 2) collectively constitute Tier 3 data.

Rule 2: Inference Risk

Data that is individually low-sensitivity but could enable an AI system to infer high-sensitivity information must be classified at the level of the potential inference. Example: anonymized patient records that include enough demographic detail to enable re-identification must be treated as Tier 4 regardless of the stated anonymization.

Rule 3: Output Classification

AI-generated outputs inherit the classification of the highest-tier input data used to produce them. If Tier 3 data is included in a prompt, all outputs from that interaction are Tier 3 until explicitly declassified by an authorized data owner.

Rule 4: Training Data Prohibition

No AI system — internal or third-party — may use [ORGANIZATION NAME] data for model training or fine-tuning unless:

  • The data owner has provided written consent
  • A Data Processing Agreement explicitly covers training use
  • A privacy impact assessment has been completed
  • Legal has confirmed compliance with all applicable regulations

Rule 5: Context Window Persistence

Data submitted within an AI conversation context must be assumed to persist for the duration of the session. Subsequent prompts in the same session must not lower the classification level below the highest-tier data previously submitted in that session.

3. Decision Matrix

Provide a step-by-step decision tree for classifying data before AI submission.

Pre-Submission Decision Matrix

Before submitting any data to an AI system, personnel must walk through the following decision matrix:

Step 1: Identify the Data

Question | If Yes | If No
--- | --- | ---
Does the data contain PII, PHI, PCI, or credentials? | Tier 4, STOP | Continue
Is the data subject to regulatory requirements (GDPR, HIPAA, SOX, etc.)? | Tier 4, STOP | Continue
Does the data contain proprietary source code or trade secrets? | Tier 3 | Continue
Does the data contain confidential business information? | Tier 3 | Continue
Is the data intended for internal use only? | Tier 2 | Continue
Is the data publicly available or intended for publication? | Tier 1 | Consult data owner

Step 2: Check Aggregation

Question | If Yes | If No
--- | --- | ---
Are you combining multiple Tier 2 data elements in one prompt? | Re-evaluate as Tier 3 | Maintain current tier
Could the combined data reveal patterns not visible in individual elements? | Escalate one tier | Maintain current tier

Step 3: Select the AI System

Data Tier | Permitted AI Systems | Required Controls
--- | --- | ---
Tier 1 | Any approved AI system | None
Tier 2 | Enterprise-approved AI only | Audit logging
Tier 3 | Enterprise AI with DPA, no retention | Manager approval + audit logging
Tier 4 | On-premises AI only (case-by-case) | CISO + Legal approval + full audit

Step 4: Minimize and Sanitize

Before submitting, apply these sanitization steps:

  1. Remove all PII that is not essential to the task
  2. Replace real names with placeholders (Person A, Person B)
  3. Redact account numbers, IP addresses, and credentials
  4. Use synthetic or sample data when testing or experimenting
  5. Verify no sensitive data remains in code comments, file paths, or metadata
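The four-step matrix above, expressed as a pre-submission gate: Step 1 assigns each data element a tier, Step 2 applies the aggregation escalation (Rule 1), Step 3 looks up the permitted system and controls, and a session object enforces the Rule 5 high-water mark. This is an added illustration, not code shipped with the guide; the tag names, the once-only Step 2 escalation, and the dictionary return shape are assumptions made for the example.

```python
# Step 1, walked top to bottom: the first matching row fixes an element's tier.
# The tag names are labels assumed for this example, not defined by the guide.
STEP1 = [
    ({"pii", "phi", "pci", "credentials"}, 4),
    ({"regulated"}, 4),                    # GDPR, HIPAA, SOX, ...
    ({"source_code", "trade_secret"}, 3),
    ({"confidential_business"}, 3),
    ({"internal"}, 2),
    ({"public"}, 1),
]
# Step 3: permitted AI systems and required controls per tier, from the matrix.
STEP3 = {
    1: ("Any approved AI system", "None"),
    2: ("Enterprise-approved AI only", "Audit logging"),
    3: ("Enterprise AI with DPA, no retention", "Manager approval + audit logging"),
    4: ("On-premises AI only (case-by-case)", "CISO + Legal approval + full audit"),
}

def element_tier(tags):
    """Tier of one data element, or None if no Step 1 row matches (consult owner)."""
    for labels, tier in STEP1:
        if labels & set(tags):
            return tier
    return None

def prompt_tier(elements, reveals_pattern=False):
    """Tier of a whole prompt: highest element tier, then one Step 2 escalation."""
    tiers = [element_tier(t) for t in elements]
    if None in tiers and 4 not in tiers:   # an unclassifiable element blocks the decision
        return None
    tier = max((t for t in tiers if t), default=1)
    # Step 2 / Rule 1: several Tier 2 elements, or a pattern-revealing combination,
    # escalate the prompt one tier (applied once, capped at Tier 4).
    if reveals_pattern or (tier == 2 and tiers.count(2) > 1):
        tier = min(4, tier + 1)
    return tier

class Session:
    """Rule 5: later prompts never fall below the highest tier already submitted."""
    def __init__(self):
        self.high_water = 1
    def gate(self, elements, reveals_pattern=False):
        tier = prompt_tier(elements, reveals_pattern)
        if tier is None:
            return {"tier": None, "action": "Consult data owner"}
        tier = max(tier, self.high_water)
        if tier == 4:                      # Step 1 says STOP; nothing is submitted
            return {"tier": 4, "action": "STOP: " + STEP3[4][0]}
        self.high_water = tier
        system, controls = STEP3[tier]
        return {"tier": tier, "system": system, "controls": controls}
```

Step 4 (minimize and sanitize) still has to run on the actual content before submission; this gate only decides the tier and the permitted system.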

4. Exceptions

Describe the process for requesting exceptions to classification rules.

Exception Process

Exceptions to the standard classification rules may be granted in circumstances where the business need is compelling and alternative approaches have been exhausted.

Eligibility for Exception

An exception request may be submitted when:

  • The standard classification rules prevent a legitimate business activity with significant value
  • Compensating controls can reduce the residual risk to an acceptable level
  • The exception is time-bound and subject to periodic review
  • No regulatory or legal prohibition prevents the requested exception

Exception Request Requirements

Field | Description
--- | ---
Requestor | Name, role, and department of the requesting individual
Business Justification | Clear explanation of why the exception is needed and the business impact of denial
Data Description | Detailed description of the data involved, including classification and volume
AI System | Specific AI system, model, and deployment method
Duration | Requested exception period (maximum 12 months)
Compensating Controls | Specific additional controls to mitigate risk (e.g., enhanced logging, restricted access, manual review)
Risk Acceptance | Explicit acknowledgment of residual risk by the data owner

Approval Authority

Exception Type | Approver | Maximum Duration
--- | --- | ---
Tier 2 → Public AI | IT Security Manager | 6 months
Tier 3 → Enterprise AI without DPA | CISO | 3 months
Tier 4 → Any AI system | CISO + General Counsel + Data Owner | 1 month, non-renewable

Exception Register

All approved exceptions are recorded in the AI Exception Register maintained by [DEPARTMENT]. Each exception is assigned a unique identifier, reviewed at the midpoint of its duration, and expires automatically unless formally renewed through the same approval process.

5. Review Process

Define how the classification guide is maintained and how compliance is audited.

Periodic Review Schedule

Review Activity | Frequency | Responsible Party | Output
--- | --- | --- | ---
Classification guide review | Annually | AI Governance Committee | Updated guide
Active exception review | Quarterly | [ROLE TITLE] | Exception status report
AI system inventory validation | Semi-annually | IT Security | Updated approved tools list
Random prompt audit | Monthly | [ROLE TITLE] | Audit findings report
Compliance spot-check | Quarterly | Internal Audit | Compliance assessment

Audit Procedures

The [DEPARTMENT] conducts regular audits of AI data classification compliance:

  1. Automated Monitoring: AI interaction logs are analyzed for potential misclassification — specifically, patterns indicating sensitive data submission to unapproved systems
  2. Random Sampling: A random sample of AI interactions is reviewed monthly to verify correct classification and data handling
  3. Department Reviews: Each department conducts a quarterly self-assessment of AI data handling practices and submits findings to the AI Governance Committee
  4. Incident-Triggered Audits: Any AI-related data incident triggers a comprehensive audit of the affected department's classification practices

Feedback and Updates

Personnel may submit classification questions or improvement suggestions to [DEPARTMENT] via the AI Governance mailbox. Common questions are compiled into an FAQ and distributed quarterly.

When new AI systems are introduced, new data types are identified, or regulatory requirements change, the AI Governance Committee will update this guide and notify all personnel within 15 business days.

Training Integration

This classification guide is incorporated into the mandatory AI awareness training. Updates to this guide trigger a notification to all personnel with a 30-day window to review the changes. Material changes require re-acknowledgment.
