# Safety and governance before connecting anything
<!--pills: Useful but fallible | Three questions | Read-only first | The setup checklist | Dangerous defaults | Decide once -->

<!--cover
time: 7 min read, about 20 to set up
- Sort everything you handle into safe, sensitive and never.
- Set the draft, confirm, execute rule so nothing fires without you.
- Connect at the least access that still does the job.
-->

Spend twenty minutes setting a few rules before you hook AI up to your inbox, your files or your work systems. Not to slow you down. So you can move fast later without lying awake wondering what just got sent on your behalf.

This chapter is practical safety guidance, not legal, compliance, medical, financial or workplace-policy advice. If your job touches student, patient, client-confidential, HR, legal, finance or identity data, use only approved tools and approved data. If that approval does not exist, stay copy-paste-only with names and identifiers removed, or do not use AI for that task.

## The problem

**AI agents are genuinely useful and genuinely fallible at the same time, and once they touch live systems a mistake becomes a real action.**

They sound confident even when they're wrong, and they can read more than you expect. Three things actually go wrong:

<figure class="fig illo">
<img src="playbook/illustrations/ch04-a-loose-handful-of.png" alt="A loose handful of papers about to slip through open fingers" loading="lazy">
</figure>

- **Data leaks.** You paste a client contract, a salary list or a password, and now it lives somewhere you don't control. On some plans your inputs can train future models. That's hard to take back.
- **Wrong actions.** It emails the wrong person, books the wrong meeting, overwrites the wrong file, or sends a half-finished draft because it misread you.
- **Confident mistakes.** It invents a fact, figure or quote and presents it as gospel. If you didn't check, it goes out under your name.

None of this means avoid AI. It means the worst case should be "I had to redo a draft", not "I emailed our pricing to a competitor". Getting it wrong can cost you your reputation or your job; the fix is one short setup session.

## The shift

**Safety and governance is the groundwork you do once, and it comes down to three questions you answer ahead of time.**

- **What you let AI see.** Some information is fine to share, some really isn't.
- **What you let AI do.** A draft email is very different from a sent one. Suggesting you delete fifty files is very different from deleting them.
- **How you stay in control.** You stay in the loop, check the work before it goes out, and can undo things when the agent gets it wrong. Because it will, sometimes confidently.

This is the backbone of everything else here. Most later sections have a "Keep it safe" note, and they all point back to these habits.

One quick bit of jargon. "Connect" means giving an agent access to an account or system, like your email, calendar or a folder, so it works on real data instead of text you paste in. "Permissions" are the specific things you've allowed once connected. "Least access" is the smallest set of permissions that still gets the job done.

## Watch me do it

**Start every connection read-only and never let an agent send on the first thing it touches, because the dangerous moment is the one you stopped watching.**

I learned to bake that in rather than trust myself to catch it later. Here's the routine that keeps me out of trouble:

- **Run one gut-check before I paste or connect anything.** Would I be comfortable if this showed up on a screen in a meeting I wasn't in? If no, it doesn't go in, and I don't connect that account loosely.
- **Keep the genuinely sensitive stuff out entirely.** Customer personal data, anything under contract, financials, passwords. Those only go near a tool my employer has actually approved for it.
- **If you're locked out or regulated, take the safe path.** Work through the guide manually with redacted examples, public information and fake records until your workplace approves a proper account. Ask IT or your manager which AI tool is approved, what the retention rules are and whether a workplace-controlled setup exists. No approval means no sensitive data and no live connections.
- **Connect read-only first.** I'd rather an agent see my calendar than change it, at least until I trust how it behaves. I add the ability to act later, one capability at a time.
- **Treat it like a brilliant but green junior.** It drafts, I read every word, I check any number, name or claim that matters, then I press send.

I use an approved AI tool as my daily driver, but the rules hold whichever one you pick. The field's wide now, so choose whatever connects to your own stack. I'll also reach for a second agent to sanity-check a tricky technical problem. That's really just one more check before anything ships.

<aside class="tip">
<p class="tip-label">Try this</p>
<p>Give your agent a short "never" list and put it in its memory: never send without me, never touch these folders, never share anything outside the company. Treat that list as a reminder, not a lock: an instruction can be forgotten or talked around, so the permissions you actually grant are what stop it. Then make it flag its own uncertainty by asking it to "tell me what you're not sure about and what I should double-check". A confident wrong answer is the dangerous one.</p>
</aside>

This matters more the further you go. The less you watch each step, the harder you lean on three things: least access, a human gate on anything that sends or deletes, and a way to undo. They travel with you whether it's a single chat or a long, hands-off job.

## Your turn

**Work through these once, before you connect AI to anything real. About twenty minutes.**

1. **Sort your data into three buckets.** Green is fine to share (public info, rough drafts, general questions). Amber is "be careful" (internal but not secret). Red is never paste, never connect loosely (personal data, passwords, contracts, financials, health, anything legally protected). Write them down.
2. **Check your employer's rules.** Find the AI or IT policy, or just ask: "Which AI tools am I allowed to use, and with what data?" One short message now saves an awkward conversation later. No policy? Assume the strictest reading.
3. **Connect with least access.** Read what a tool's asking for. Choose read-only if it's offered. Grant the narrowest scope that does the job. You can always add more.

**If you own the business, you are the policy.** Use this plain rule until you have a better one. Public material and rough drafts can go into a normal AI tool. Customer names, staff issues, invoices, donor records, student details, health, legal or financial material stay out unless you're using an approved private or workplace-controlled setup. If you need the AI to help, replace names and numbers first.

**De-identification example.**

Before: "Sarah Nguyen at 42 King Street owes $842 for invoice 1047 and her child missed Tuesday's lesson."

After: "Customer A owes [amount removed] for an overdue invoice. A dependent missed a scheduled session. Draft a polite reminder without names, addresses or health/student details."
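The same swap, done with a short script so the name mapping never leaves your machine. This is an added example, not part of the playbook: the sample text extends the "before" line above with a made-up email address and phone number, and the patterns are a starting point for your own identifiers, not a complete redaction tool.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the chapter's "before" line with a made-up email and phone added.
SAMPLE = ("Sarah Nguyen at 42 King Street owes $842 for invoice 1047 and her child "
          "missed Tuesday's lesson. Contact sarah.nguyen@example.com or 0412 345 678.")


@dataclass
class Redactor:
    """Swap real identifiers for stable placeholders before text leaves your machine.

    The name mapping lives only in this object: the AI sees 'Customer A', and you
    put the real name back into the returned draft yourself with restore().
    """
    people: dict[str, str] = field(default_factory=dict)   # real name -> placeholder

    # (label, pattern, replacement). Order matters: addresses go before amounts
    # and phone numbers so a house number is not grabbed by a later digit pattern.
    # These are starter patterns for the assumed data, not a complete PII detector.
    PATTERNS = [
        ("email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[email removed]"),
        ("address", re.compile(
            r"\b\d{1,5}\s+[A-Z][a-z]+\s+(?:Street|St|Road|Rd|Avenue|Ave|Lane|Ln)\b"),
         "[address removed]"),
        ("amount", re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?"), "[amount removed]"),
        ("invoice number", re.compile(r"\binvoice\s+#?\d+\b", re.IGNORECASE), "an invoice"),
        ("phone", re.compile(r"(?<!\w)\+?\d[\d\s-]{7,}\d\b"), "[phone removed]"),
    ]

    def placeholder_for(self, name: str) -> str:
        """The same real name always maps to the same placeholder in this session."""
        if name not in self.people:
            self.people[name] = f"Customer {chr(ord('A') + len(self.people))}"
        return self.people[name]

    def redact(self, text: str, names: list[str]) -> str:
        """Replace the names you list, then anything the patterns catch."""
        # Longest names first so 'Sarah Nguyen' is handled before a bare 'Sarah'.
        for name in sorted(names, key=len, reverse=True):
            text = text.replace(name, self.placeholder_for(name))
        for _label, pattern, replacement in self.PATTERNS:
            text = pattern.sub(replacement, text)
        return text

    def leaks(self, text: str, names: list[str]) -> list[str]:
        """The gut check: what in this text should still not leave the machine?"""
        found = [name for name in names if name in text]
        found += [label for label, pattern, _ in self.PATTERNS if pattern.search(text)]
        return found

    def restore(self, draft: str) -> str:
        """Put real names back into the AI's draft, locally, before you send it."""
        for name, placeholder in self.people.items():
            draft = draft.replace(placeholder, name)
        return draft


if __name__ == "__main__":
    r = Redactor()
    safe = r.redact(SAMPLE, ["Sarah Nguyen"])
    print(safe)
    print("still leaking:", r.leaks(safe, ["Sarah Nguyen"]))
    print(r.restore("Dear Customer A, a payment is overdue."))
```

Run `leaks()` on the text you are about to paste, not only on the output: it names what still has to go. Pass every form of a name you use (first name alone, nicknames), and remember that free-text details like "her child missed the lesson" match no pattern; rewording those to "a dependent missed a session", as in the "after" line above, is still your job.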

**Ask IT or your manager this exact message.**

```
I want to use AI for drafting and summarising only. Which approved AI tool can I use, what data is allowed, are inputs used for training, how long is data retained, can it connect read-only to email/calendar/files, and who approves access? Until I have that answer I will use redacted copy-paste examples only.
```

**Leader or regulated-work stop panel.** If you handle health, legal, financial, HR, student or client-confidential data, do not connect a consumer account to live records. Use redacted examples, an approved workplace-controlled setup, and a human approval point. For a team, write one allowed tool, one banned data type, one draft-only rule and one person who approves exceptions.

4. **Set the draft, confirm, execute rule.** AI drafts, you confirm, then it executes. For anything that sends, deletes, pays or publishes, you're the gate. No exceptions while you're still learning a tool.
5. **Check the output every time.** Read it properly. Verify any fact, figure, name or date that matters. If you can't check a claim, don't ship it.
6. **Know your undo.** Before you let a tool act, find out how to see what it did and reverse it. Test the undo on something harmless first.
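Here is the draft, confirm, execute rule written down as a small gate, so you can see what "confirm for that specific action", "show me how to undo it" and "know your undo" look like when a tool enforces them rather than a prompt. It is an added example, not code from the playbook: the folder and outbox it acts on are in-memory stand-ins, not real connections, and the `CONFIRM <ticket>` wording is a tightening of the session prompt's single word CONFIRM so that a confirmation cannot apply to anything but the action you were shown.

```python
import itertools
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Action:
    """One thing the agent wants to do, with a way back if one exists."""
    description: str
    run: Callable[[], object]
    writes: bool = False                          # False: read-only, runs without a gate
    undo: Optional[Callable[[], object]] = None   # None on a write means irreversible


class Gate:
    """Draft, confirm, execute. Writes wait for a CONFIRM tied to that specific action."""

    def __init__(self) -> None:
        self._tickets = itertools.count(1)
        self.pending: dict[int, Action] = {}
        self.log: list[tuple[str, str]] = []      # (decision, what), your record of events
        self._history: list[Action] = []          # executed writes that can be reversed

    def propose(self, action: Action) -> tuple[int, str]:
        """Return a ticket and the message the human sees: what, and how to undo it."""
        ticket = next(self._tickets)
        self.pending[ticket] = action
        way_back = ("WARNING: irreversible, there is no undo" if action.undo is None
                    else "reversible with gate.undo()")
        return ticket, f"#{ticket}: {action.description}. {way_back}. Reply 'CONFIRM {ticket}' to proceed."

    def execute(self, ticket: int, reply: str = "") -> object:
        """Run the action only if the human's reply names this exact ticket."""
        action = self.pending.get(ticket)
        if action is None:
            raise LookupError(f"ticket #{ticket} is not pending (already run, or never proposed)")
        if action.writes and reply.strip() != f"CONFIRM {ticket}":
            self.log.append(("blocked", action.description))   # stays pending; nothing ran
            return None
        del self.pending[ticket]                  # a ticket runs once, so CONFIRM cannot be replayed
        result = action.run()
        self.log.append(("executed", action.description))
        if action.writes and action.undo is not None:
            self._history.append(action)
        return result

    def undo(self) -> str:
        """Reverse the most recent reversible write."""
        if not self._history:
            return "nothing to undo"
        action = self._history.pop()
        action.undo()
        self.log.append(("undone", action.description))
        return f"undid: {action.description}"


# Constructed stand-ins for a connected folder and mailbox, not real integrations.
FILES: dict[str, str] = {"notes.txt": "draft v1"}
OUTBOX: list[tuple[str, str]] = []


def read_file(name: str) -> Action:
    return Action(f"read {name}", run=lambda: FILES[name])


def overwrite_file(name: str, new_text: str) -> Action:
    old_text = FILES[name]                        # snapshot taken now, so undo has something to restore
    return Action(f"overwrite {name}", run=lambda: FILES.__setitem__(name, new_text),
                  writes=True, undo=lambda: FILES.__setitem__(name, old_text))


def send_email(to: str, body: str) -> Action:
    # No undo: a sent email cannot be recalled, so propose() warns before you confirm.
    return Action(f"send email to {to}", run=lambda: OUTBOX.append((to, body)), writes=True)


def demo() -> dict:
    """Walk the gate through the cases the rule is meant to catch."""
    gate = Gate()
    t, _ = gate.propose(read_file("notes.txt"))
    seen = gate.execute(t)                                     # reads need no CONFIRM

    t, _ = gate.propose(overwrite_file("notes.txt", "draft v2"))
    gate.execute(t, "CONFIRM")                                 # generic CONFIRM: blocked
    unchanged = FILES["notes.txt"]
    gate.execute(t, f"CONFIRM {t}")                            # ticket-specific: runs
    changed = FILES["notes.txt"]
    undo_msg = gate.undo()
    restored = FILES["notes.txt"]

    t, prompt = gate.propose(send_email("client@example.com", "pricing attached"))
    gate.execute(t, "looks good, go ahead")                    # not the magic words: blocked
    return {"seen": seen, "unchanged": unchanged, "changed": changed, "restored": restored,
            "undo_msg": undo_msg, "send_warned": "irreversible" in prompt,
            "sent": len(OUTBOX), "log": gate.log}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two details carry the weight. A bare CONFIRM unlocks nothing, only "CONFIRM 2" for ticket 2, and a ticket runs once, so a confirmation left over from an earlier step cannot be reused on a later one. And the proposal for the email says "irreversible" before you answer, which is the moment the rule is asking you to pause. The log is the "see what it did" half of step 6; `undo()` is the other half, and you should test it on a throwaway file before trusting it with a real one.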

Use this prompt at the start of any session where AI will touch real data or systems.

```
You are helping me with real work, so we are operating under strict safety rules. Follow them for this entire session.

1. DRAFT, CONFIRM, EXECUTE. You may draft, plan and suggest anything. You may NOT send, delete, publish, pay, schedule or change anything until I reply with the single word CONFIRM for that specific action. If an action is not reversible, warn me clearly before we proceed.

2. LEAST ACCESS. Only use the data and tools strictly needed for the task I give you. Do not read or pull in anything I did not ask for. If you need access to something I have not provided, ask, do not assume.

3. FLAG SENSITIVE DATA. If you notice I have shared something sensitive (personal data about real people, passwords, financial details, contracts, health information), pause and point it out before using it.

4. NO CONFIDENT GUESSING. If you are not sure of a fact, figure, name or date, say so plainly and tell me what to verify. Never present a guess as a fact.

5. SHOW YOUR WORK. Before any action that changes something, tell me exactly what you are about to do and how I could undo it.

Confirm you understand these five rules, then ask me what I would like to work on.
```

**Keep a starter skill handy.** Save a short "AI ground rules" note somewhere you can paste from in seconds. Copy mine, adjust the buckets to your world, and save it.

```
MY AI GROUND RULES

Data buckets:
- GREEN (fine to share): public info, rough drafts, general questions
- AMBER (careful): internal docs, non-secret plans
- RED (never paste, never connect loosely): customer personal data,
  passwords, contracts, financials, health, anything legally protected

Tools I'm allowed to use (per my employer): __________
Default connection setting: read-only first, add access one step at a time
Default action rule: AI drafts, I confirm, then it executes
Before any action: can I see what it did and undo it? If no, don't do it.
Monthly: review and disconnect anything I no longer use.
```

**Do this now.** Open a blank note and write your three buckets: green, amber, red. List two or three real examples in each from your own work. That single list is the rule you'll lean on every time you're about to paste or connect.

## Keep it safe

**Every risk here shares one shape: the easy default is usually the dangerous one.** Slow down at each.

- **Oversharing sensitive data.** Never paste red-bucket info into a general consumer tool. Check whether your inputs train models, and turn that off where you can. When in doubt, leave it out.
- **Over-broad permissions.** "Allow full access" is the easy button and the dangerous one. Choose the narrowest scope. Review what you've connected monthly and disconnect what you don't use.
- **Skipping the human.** Let an agent send or delete without you looking and you've removed the one net that catches confident mistakes. Stay in the loop for anything that leaves your screen.
- **Trusting fluent answers.** A confident tone isn't evidence. Treat every fact, number and quote as unverified until you've checked it against a real source.
- **No way back.** If a tool can't log what it did or let you undo it, keep it to low-stakes, reversible work only.

## The payoff

**Twenty minutes up front, and the whole rest of this playbook gets easier.**

You stop weighing risk in the moment, because you already decided where the lines are. You connect a tool, hand it real work and let it move, knowing the worst case is a redo, not a disaster.

That's what good groundwork buys you: not caution that slows you down, but confidence that lets you speed up. Set the rules once, then use everything else in here without lying awake about it.
