Sensitive Data Handling Checklist for AI Workflows

Create a sensitive data handling checklist for AI workflows covering classification, minimization, tool review, human approval, escalation, and incident readiness.

Best for: Analysis
Tool: General AI
Difficulty: Expert
Full Prompt
You are an expert AI data governance specialist focused on sensitive data handling, AI workflow risk review, data classification, privacy controls, data minimization, access review, retention rules, escalation paths, and incident readiness.

Your task is to create a practical sensitive data handling checklist for an AI-assisted workflow so the team can classify data, reduce unnecessary exposure, define what is allowed or prohibited, assign review roles, and prepare escalation steps.

Context:
Workflow description: [Workflow description]
Data types involved: [Data types involved]
AI tools used: [AI tools used]
Users and permissions: [Users and permissions]
Storage behavior: [Storage behavior]
Retention rules: [Retention rules]
Regulatory context: [Regulatory context]
Review roles: [Review roles]
Escalation triggers: [Escalation triggers]
Incident process: [Incident process]

Important constraints:

* This output is not legal, privacy, compliance, or security advice.
* Do not invent policies, regulations, tool behavior, certifications, storage practices, permissions, or retention rules.
* Separate confirmed information from assumptions.
* Do not assume an AI tool is safe for sensitive data unless the supplied context supports that conclusion.
* Minimize the amount of sensitive data shared with AI tools.
* Prefer redaction, anonymization, summarization, or synthetic examples where possible.
* Clearly identify data that should not be entered into unmanaged or unapproved AI tools.
* Include human review for personal data, confidential business data, customer data, financial data, legal material, health data, children’s data, credentials, source code secrets, regulated data, or security-sensitive information.
* Identify where legal, privacy, security, compliance, or data-protection review is needed.
* Keep recommendations practical for real teams using AI tools in daily work.
* If information is missing, state the assumption clearly before continuing.

Task:

1. Summarize the AI workflow.
   Explain:

* What the workflow is meant to do
* Who uses it
* Which AI tools are involved
* What data enters the workflow
* What output is created
* Where the data may be stored or reused
* Why sensitive data risk matters in this workflow

2. Classify the data involved.
   Create a data classification table.

Include:

* Data type
* Example, without exposing real sensitive data
* Sensitivity level: public, internal, confidential, restricted, or regulated
* Why it matters
* Whether it can be used in the AI workflow
* Required handling rule
* Human review needed

3. Define allowed and prohibited inputs.
   Create clear rules for:

* Data that may be entered into the AI tool
* Data that may be entered only after redaction
* Data that requires approval before use
* Data that must not be entered
* Data that should be replaced with synthetic examples
* Data that should remain inside approved internal systems only

Include examples for each category.

4. Create a data minimization checklist.
   Recommend how to reduce unnecessary exposure.

Include:

* Fields to remove
* Identifiers to redact
* Context that can be summarized
* Documents that should be shortened
* Sensitive examples that should be replaced
* Prompt wording that avoids unnecessary disclosure
* Output checks before sharing externally

5. Review AI tool and storage risks.
   Assess:

* Whether the tool is approved
* Whether the tool stores prompts or outputs
* Whether data may be used for training
* Whether workspace controls exist
* Whether access is limited
* Whether logs are retained
* Whether exports or sharing features create risk
* Whether the team needs a safer tool, setting, or workflow

If tool behavior is unknown, mark it as “Needs verification.”

6. Define review and approval rules.
   Create approval rules for:

* Low-risk AI use
* Medium-risk AI use
* High-risk AI use
* Customer-facing outputs
* Legal or regulatory content
* Financial or contractual content
* Privacy-sensitive content
* Security-sensitive content
* Public communication
* Automated actions

For each rule, include:

* Reviewer role
* Approval trigger
* What must be checked
* What should block usage
* Documentation needed

7. Create escalation triggers.
   Define when the team should escalate to:

* Legal
* Privacy or data protection
* Security
* Compliance
* Finance
* HR
* Leadership
* Incident response owner

For each trigger, include:

* Scenario
* Why it matters
* Who should be notified
* Immediate action
* Documentation needed

8. Create an incident readiness checklist.
   Prepare for accidental sensitive data exposure.

Include:

* What counts as an incident or near miss
* What the user should do immediately
* What data should be preserved
* Who should be notified
* What should be logged
* What should be disabled or paused
* How to review root cause
* How to prevent recurrence

9. Create a workflow control checklist.
   Recommend controls such as:

* Approved tools list
* Prompt templates
* Redaction process
* Access permissions
* Output review
* Audit logs
* Retention rules
* Training for users
* Periodic review
* Incident reporting

10. Provide final recommendations.
    Summarize:

* Highest-risk data types
* Data that should not be used
* Required redaction rules
* Required review roles
* Tool checks to complete
* Escalation rules to adopt
* Immediate next steps before using the workflow

Output format:

## AI Workflow Summary

## Data Classification Table

## Allowed and Prohibited Inputs

## Data Minimization Checklist

## AI Tool and Storage Risk Review

## Review and Approval Rules

## Escalation Triggers

## Incident Readiness Checklist

## Workflow Control Checklist

## Final Recommendations

Verification:
Before finalizing, check that:

* The output clearly states it is not legal, privacy, compliance, or security advice.
* Sensitive data types are classified.
* Allowed and prohibited inputs are clearly separated.
* Data minimization steps are practical.
* Unknown tool behavior is marked as “Needs verification.”
* Human review is included for high-risk data and outputs.
* Escalation paths are clear.
* Incident readiness steps are included.
* Assumptions and missing inputs are listed clearly.

Begin the sensitive data handling checklist for AI workflows now.

Variables to Replace

  • Workflow description
  • Data types involved
  • AI tools used
  • Users and permissions
  • Storage behavior
  • Retention rules
  • Regulatory context
  • Review roles
  • Escalation triggers
  • Incident process

How to Use This Prompt

Paste this prompt into a capable AI tool with your workflow description, data types, AI tools, user permissions, storage behavior, retention rules, regulatory context, review roles, escalation triggers, and incident process. Use the output as an internal planning checklist, not as legal, privacy, compliance, or security advice.

Example Use Case

A finance team wants to use AI to summarize vendor contracts without exposing confidential terms, payment details, personal data, or unmanaged documents to unapproved tools. The prompt creates classification rules, minimization steps, approval gates, and escalation triggers.
