Contents

In April 2023, Samsung Electronics leaked confidential data through ChatGPT three times in 20 days — semiconductor source code, fix code for faulty equipment, and a full internal meeting transcript — all sent to OpenAI's servers the moment employees pasted them in, impossible to pull back. Samsung immediately banned ChatGPT, Bing, and Bard company-wide. JPMorgan, Goldman Sachs, Citi, Bank of America, and Wells Fargo rolled out similar bans in the same window.

Three years on, "ban it" no longer works in 2026. Employees use ChatGPT on their phones, engineers write with Claude Code, marketing builds decks in Gemini — ban it and you just breed shadow AI (unauthorized use). On top of that, the EU AI Act's high-risk system rules go fully into force on August 2, 2026, and violations carry penalties of up to €35M or 7% of global revenue. You can't ban, and you can't ignore. The only path left is "set a frame with guidelines and actively enable safe usage."

My stance up front. "Nobody reads a thick PDF guideline" sounds right but is wrong as a conclusion. The point of guidelines isn't to be read — it's to make accountability explicit when an incident happens, and burn the minimum non-negotiables into employees' heads. This article covers the seven required items, the five categories of prohibited input data, the EU AI Act deadline, the five-phase implementation roadmap, and the pitfalls — all with the practical detail you'll need as of May 2026.

CORPORATE AI GOVERNANCE

Ban or Ignore — Both Lose. Guidelines Are the Third Way

— Prevent leaks × boost productivity × stay compliant

① LEAK RISK
Samsung: 3 in 20 days
Employees treat it as a helpful tool, paste in secrets — and there's no recall. Bans just widen the loopholes
② COMPLIANCE
EU AI Act, Aug 2 2026
High-risk AI rules in full effect. Penalties up to €35M or 7% of global revenue
③ PRODUCTIVITY
Bans cost 30–50%
Clear gains in engineering, sales, marketing. The cost of a ban as a management call is too high
④ ANSWER
7-item guideline
Approved list, prohibited data, responsibility, training, audit. Two weeks to roll out from a template

2023 model: "company-wide ban" to dodge risk → 2026 model: "safe operation inside a frame" for leak prevention + productivity + compliance, all three.
You don't need a thick PDF. Two A4 pages plus an approved list works.

1. April 2023 — Samsung Banned AI in 20 Days

The sequence is simple. In March, Samsung's semiconductor division approved internal ChatGPT use. Over the next 20 days in April, three confidential leaks happened in a row. ① Employee A pasted the full source code of a faulty semiconductor database into ChatGPT and asked for a fix. ② Employee B did the same with fix code for malfunctioning manufacturing equipment. ③ Employee C pasted an entire internal-meeting transcript and asked for minutes. All three, at that instant, reached OpenAI's servers and may have been used as training data.

Samsung immediately blocked ChatGPT, Bing, and Bard across all company-owned devices, and on personal devices when connected to the corporate network. Around the same time, major financial firms — JPMorgan, Goldman Sachs, Citi, Bank of America, Wells Fargo, Deutsche Bank — issued similar bans. This was the moment the "companies are banning AI" trend kicked off.

As of 2026, Samsung still bans ChatGPT and has built its own internal LLM called "Samsung Gauss". That's one legitimate route, but the investment scale is too big to copy for mid-market companies and below. For everyone else, the only path is "safely use commercial AI services inside a guideline."

2. Why You Need Guidelines Now — Three Pressures

Pressure ① Regulation
EU AI Act high-risk rules fully in force August 2, 2026. Japan's AI Business Operator Guidelines (METI) revision is also in rollout
Pressure ② Shadow AI
Ban it and employees use it on their phones. "Unauthorized use is far more dangerous" situations — invisible to the company
Pressure ③ Competition
Companies using AI are 30–50% more productive. A ban loses you the hiring race and the business race

Of the three, shadow AI is actually the most serious, in my view. Samsung was almost lucky in that "the leak happened on a company-approved channel, so they could see it." In most companies, an employee pasting client-named meeting notes into ChatGPT on their phone never registers. "Not being able to see it" is the worst kind of risk, and the only way to fix it is to build an official channel that the company can observe — which means guidelines.

3. The Seven-Item Template — Fill These and You're Covered

Not a thick PDF — a seven-item template that fits on two A4 pages. The goal is a level of detail you can start today and distribute by the weekend.

① Approved AI
List specific allowed tools
Name them: "ChatGPT Team," "Claude Enterprise," "Microsoft Copilot." Personal plans are not allowed by default (used for training). Business plans or API only
② Prohibited data
Five categories with examples (next section)
PII, confidential info, NDA-bound data, IP, regulated data. The heart of preventing Samsung-style leaks
③ Use cases
Three tiers: allowed / review-required / prohibited
Allowed: summarizing public info, coding assist, English translation. Review: customer-facing drafts, contract drafts. Prohibited: hiring decisions, HR evaluations, legal rulings
④ Output responsibility
"AI wrote it" is not a defense
Fact-checking, copyright clearance, and publish approval for AI output rest with the user. The lesson from the Air Canada AI chatbot refund case (Canadian tribunal, 2024)
⑤ Incident reporting
Don't punish "accidental inputs"
An immediate-reporting form for when confidential data goes in by accident. Cover-ups are vastly more expensive. State in writing: "reporting does not trigger discipline"
⑥ Training & updates
At onboarding plus once a year, minimum
30-minute e-learning module plus a comprehension test. The AI landscape shifts every six months, so plan for guideline revisions every 6 to 12 months
⑦ Audit logs
Retain usage logs for six months minimum
Business plans expose usage logs via admin consoles. Make "who entered what, and when" traceable. Satisfies EU AI Act Article 12 (event logging)

Of these, "② prohibited data" and "⑤ incident reporting" are the two items that decide whether the guideline actually works. ①③④⑥⑦ are things any reasonable drafter can fill in. But writing "what you cannot enter" with concrete examples, and stating in writing "we will not punish accidental inputs" — those take resolve. Choose a punishment culture and employees cover things up, and then you can no longer see leaks at all.

4. Five Categories of Prohibited Input Data — With Examples

"Don't enter confidential info" is too vague to land. Write five categories, each with examples.

Category Examples (do not enter) Alternative
① PII Names, addresses, phones, emails, employee IDs, national IDs Replace with "Customer A," "User B" before entering
② Confidential info Unannounced financials, strategy, M&A, HR data Abstract the numbers ("revenue up XX% YoY," etc.)
③ NDA-bound Client data under NDA, API keys, SSO credentials Don't enter at all. Use internal LLM or business API with no-train contract
④ Intellectual property Unreleased source code, pre-filing patent designs, proprietary algorithms Samsung's lesson: abstract the relevant parts, or limit to internal LLM
⑤ Regulated Identifiable medical data, financial transaction details, unreleased research data Use industry-specific on-prem AI (HIPAA/GxP-compliant)

The critical detail is that you always pair "alternatives" with the prohibitions. Write "do not enter" only, and employees decide "I can't get work done with AI," then start using it in the shadows. Provide an alternative like "replace personal names with 'Customer A' and you can enter it" and they use the sanctioned path. This is the practical lever for suppressing shadow AI.

5. EU AI Act — The August 2, 2026 Deadline

The EU AI Act regulates AI systems across four risk tiers. The "high-risk system" rules go fully into force on August 2, 2026, after which operations come with strict obligations.

Risk tier Examples Obligations Penalty
Prohibited Social scoring, subliminal manipulation, workplace emotion recognition Use is prohibited Up to €35M or 7% of revenue
High-risk Hiring decisions, credit scoring, education evaluation, medical diagnosis, judicial rulings Technical documentation, risk management, human oversight, log retention (Art. 9/11/12) Up to €15M or 3% of revenue
Limited risk Chatbots, deepfakes Transparency obligation (disclose AI generation) Up to €15M or 3% of revenue
Minimal risk Spam filters, AI game NPCs None (recommended best practices)

Common misunderstanding: even without an EU operation, if you process EU citizens' data, you're in scope. Japanese companies with European customers must comply with the EU AI Act. On the other hand, "an employee using ChatGPT for translation" is clearly minimal risk and has no particular obligations. "Automated hiring decisions on application materials" or "auto-deciding loan approvals with AI" is unambiguously high-risk; after August 2, 2026, technical documentation, human oversight, and log retention become legal obligations. If you have such work, add to the internal guideline: "any high-risk use requires legal approval before deployment."

6. Five-Phase Implementation Roadmap

Drafting the guideline is not the end. A roadmap that takes 2–3 months for a mid-sized company (up to 200 staff) and around 6 months for a large enterprise.

PHASE 1 · 2 weeks
Get the lay of the land
Employee survey to understand "what people actually use today." Surface the shadow-AI reality
PHASE 2 · 4 weeks
Form a committee; draft
One person each from legal, infosec, HR, and the operating units. Use the seven-item template as a starting draft
PHASE 3 · 2 weeks
Sign business contracts
Bulk-purchase approved-list products on Team/Enterprise plans. Make personal-plan use physically less common
PHASE 4 · 4 weeks
Announce and train
All-hands briefing, e-learning, comprehension test. Aim for 90%+ completion
PHASE 5 · ongoing
Operate and revise every six months
Audit-log reviews plus incident analysis. Revise the guideline every six months to keep pace with the AI landscape
In parallel
Special handling for high-risk work
For hiring, credit scoring, medical diagnosis, and other EU AI Act high-risk areas, build separate technical documentation and oversight systems

Within this, PHASE 1 (the survey) absolutely comes first. Build a guideline on the assumption "ban it and nobody uses it" and you end up with something disconnected from reality. Run an anonymous survey asking "which AI services have you used in the past month? what types of data have you entered for work?" and shadow AI will turn out to be roughly three times what you expected. Knowing the reality before writing rules is the correct order of operations.

7. Three Pitfalls You Must Avoid

Pitfall ①: Going company-wide ban

For any company that isn't Samsung, this almost always causes an explosion in shadow AI. Employees use ChatGPT Personal on their phones, the company has no visibility, and when a leak happens nobody reports it. The real cost of a ban is "losing visibility." Samsung could build Samsung Gauss internally because they had the bench strength of a top-tier semiconductor company. For mid-market and below, "provide a sanctioned channel through guidelines" is the practical answer.

Pitfall ②: Designing around punishment

"Any employee who enters confidential data faces discipline" means any employee who accidentally enters confidential data covers it up. The leak happens, the company doesn't know, customer data ends up out there, the customer reports it, and your reputation collapses — the worst-case path. Put in writing: "guideline violations are not punished if reported." Then make "only failing to report is grounds for discipline," and incident reporting starts to work, oddly enough.

Pitfall ③: Writing it once and walking away

The AI industry changes its assumptions every six months. A 2024 guideline saying "ChatGPT use is prohibited" has engineers running Claude Code who reason their way to "this isn't ChatGPT, so it's fine." Named products and models must be reviewed every 6 to 12 months. Whether a new service (Cursor / Perplexity / Notion AI) is approved or banned needs to be explicit so employees aren't guessing. Including the Wayfair case from the previous article (077), treat "the guideline as a living document."

Summary

Principle
"Ban or ignore — both lose." Set a frame with a guideline and operate safely. That's the 2026 answer
Seven required items
Approved AI / prohibited data / use cases / responsibility / reporting / training / logs. Two A4 pages is enough
Deadline
EU AI Act, Aug 2, 2026 — high-risk in full force. Penalties up to 7% of global revenue
Avoid pitfalls
No company-wide ban, no punishment-based design, no one-and-done. Revise every six months

Three years on from the Samsung leaks of 2023, corporate AI use has moved from the binary "ban or permit" into the implementation phase of "how to set a frame and operate inside it." Boxed in on three sides by legal risk (EU AI Act), leak risk (Samsung's lesson), and competitive risk (30–50% productivity gap), there's no time to write a thick PDF, and "no guideline at all" doesn't work either. The seven-item template plus the five-phase roadmap in this article will let a mid-sized company deploy in 2–3 months. "Maximum safe operation with the minimum frame" — that's the practical AI governance answer for 2026.

FAQ

Should we ban AI inside the company?

As a default, no, you should not ban it. Unless you're a Samsung-class company that can build its own internal LLM, banning just grows the volume of shadow AI (employees using it on their own), and the leak risk goes up as a result. Setting a frame with a guideline and providing business plans (Team/Enterprise) on a company contract is the practical answer.

Does the EU AI Act apply to Japanese companies?

Yes, if you process EU citizens' data or provide AI services inside the EU. Work entirely contained inside Japan (such as translation for internal staff only) is minimal risk and carries almost no obligations, but if you run loan approvals, hiring decisions, or medical diagnoses on European customers via AI, technical documentation, human oversight, and log retention become legal obligations after August 2, 2026. Penalties up to €35M or 7% of global revenue.

How many pages should the guideline be?

Two A4 pages for the body plus a few pages of appendices (approved list, prohibited-data examples) works well. "Nobody reads a thick PDF" is true, so keep the body to a summary and push detail into appendices to reduce the reader's load. The thing that matters isn't the page count — it's that "② prohibited data" and "⑤ incident reporting" are concrete and psychologically safe.

What's the difference between personal and business plans?

Business plans (ChatGPT Team / Claude Enterprise / Microsoft Copilot Business and so on) contract by default to not use your input data for model training (no-train). Personal plans (ChatGPT Plus and similar) can be used for training. Specify in the guideline "business use is limited to business plans only" and you sharply reduce Samsung-style leak risk. Pricing is roughly $20–60 per user per month.

Really — not punishing accidental inputs is okay?

Yes, this is the heart of it. Punish and employees cover it up, the company loses visibility, and that invisible leak triggers the worst outcomes (customer reports, social-media leaks, regulator involvement). Design it as "report and you're not punished; cover-ups get disciplined" and, oddly enough, incident reporting goes up and you can intervene early. It's the same logic as the safety culture in aviation.

Does a small startup need one too?

Yes. Small companies should actually do it earlier — built into the culture from the start, it sticks better than something bolted on later. At 10–30 staff you can take the seven-item template in this article as-is and draft the body in a day, finish rollout in a week. "AI usage guideline in place" is also becoming a basic checklist item in due diligence when you sign with investors or major customers (especially EU customers).