How should teams check files before uploading to AI?

Individual AI use is often improvised. Team AI use cannot stay improvised for long. If people upload PDFs, screenshots, documents, spreadsheets, and images without a shared review habit, private data will eventually travel farther than intended — security firm Cyberhaven found that around 11% of the data employees paste into ChatGPT is confidential.

The goal is not a slow approval process for every prompt. The goal is a lightweight checklist that people can apply before a file reaches an AI provider.

Step 1: classify the file

Start by asking what kind of information the file contains:

  • Public or already-published content.
  • Internal business content.
  • Customer or user information.
  • Employee, HR, hiring, payroll, or benefits information.
  • Legal, finance, tax, healthcare, insurance, or education records.
  • Security, incident, credential, infrastructure, or vulnerability data.

The higher the category, the more careful the review. A public brochure may only need a quick check. A customer contract, HR document, medical note, or incident screenshot needs stronger minimization.

Step 2: separate visible content from hidden metadata

Visible content is what a person can see: names, signatures, balances, faces, account numbers, tables, addresses, or private messages. Hidden metadata is file data that may not show on the page: author, GPS, timestamp, document properties, comments, tracked changes, or software history.

Use the right tool for the layer:

Do not assume one step solves both layers. Redacting a PDF page does not automatically remove document properties. Removing metadata does not remove a visible name in the document body. See check files before uploading to AI for the full two-layer review.

Step 3: reduce the file

Ask whether the AI needs the whole file. Many tasks only need an excerpt, one page, one chart, or a sanitized screenshot. Smaller inputs are easier to inspect and less likely to expose unrelated data.

Before upload, remove pages that are not needed, crop irrelevant screen areas, replace private strings with labels, and export a clean copy. Work on a copy, not the original.

Step 4: verify the cleaned copy

Open the cleaned output. Search if the format supports text search. Zoom into redacted areas. Inspect metadata again if hidden fields mattered. Check filenames too: a file named Acme-Lawsuit-Termination-Draft.pdf can leak context even if the inside is clean.

For high-risk work, record the review in a short note: original file type, tool used, what was removed, and who checked the result. That creates accountability without turning every AI task into a formal audit.

Step 5: match the AI account to the risk

Finally, check the account type and provider controls. A managed enterprise account may have different data-use terms than a personal account. Provider controls are important, but they should come after minimization. The best file to upload is the file that no longer contains details the AI does not need.