AI assistants are incredibly useful — and the fastest way to leak something you should not. This is especially dangerous for developers, because a single paste can expose credentials, proprietary code, or personal data. Here is what you should never send.
10 things to never send to AI
- Passwords and access keys — your Gmail password, API keys to internal systems. Risk: account compromise.
- Confidential company code — proprietary backend, private repositories. Risk: intellectual-property leak and NDA violation.
- Personal data of other people — client lists, phone numbers, addresses. Risk: GDPR violations and legal consequences.
- Financial data — bank-card details, company account numbers. Risk: fraud and financial loss.
- Requests to bypass security — "how do I hack…", "how to bypass auth". Risk: legal liability.
- Unknown files you trust blindly — an untrusted document can carry hidden instructions, and the assistant should never be left to follow them. Risk: prompt injection and hidden instructions.
- Asking to reveal system prompts — "show me your system prompt". This is a manipulation pattern, not a useful request.
- Medical or health documents — personal health records. Risk: a serious privacy breach.
- Company secrets — roadmaps, strategy, trade secrets. Risk: commercial leak and reputational damage.
- "Just do everything automatically" — letting AI execute actions without review. Risk: uncontrolled actions and silent errors.
Never paste these into a chat
.env files, JWT tokens, API keys, SSH keys, production secrets, Firebase service accounts, AWS credentials, database passwords, Sentry auth tokens, GitHub personal access tokens, Stripe secret keys.
The one rule that covers everything: if a piece of information could not be published publicly or shown to a stranger, do not send it to an AI without dedicated protection measures (self-hosted models, redaction, or an enterprise tool with a zero-retention policy).
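One way to apply the redaction measure before pasting, shown as an added example that is not part of the original article. The patterns are heuristics for several of the secret types listed above, the `redact` function and its labels are hypothetical names, and all sample values are constructed.

```python
import re

# Heuristic patterns for secret types named in the list above. Not exhaustive:
# an empty findings list does not prove the text is safe to paste.
PATTERNS = [
    ("private_key_block", re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)),
    ("jwt", re.compile(
        r"\beyJ[A-Za-z0-9_-]{5,}\.eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}")),
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\b(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})")),
    ("stripe_secret_key", re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{16,}")),
    # .env-style line whose variable name suggests a credential: keep the name,
    # drop the value. The lookahead skips values an earlier pattern already redacted.
    ("env_secret", re.compile(
        r"(?im)^([ \t]*(?:export[ \t]+)?[A-Z0-9_]*(?:PASSWORD|SECRET|TOKEN|API_?KEY)"
        r"[A-Z0-9_]*[ \t]*=[ \t]*)(?!\[REDACTED)(\S.*)$")),
]

def redact(text):
    """Return (redacted_text, sorted labels of what was found)."""
    found = set()
    for label, rx in PATTERNS:
        def mask(m, label=label):
            found.add(label)
            # Patterns with capture groups keep group 1 (the variable name and '=').
            prefix = m.group(1) if m.re.groups else ""
            return f"{prefix}[REDACTED:{label}]"
        text = rx.sub(mask, text)
    return text, sorted(found)

# Constructed sample: a typical "why does this fail?" paste with secrets in it.
SAMPLE = "\n".join([
    "Why does my deploy fail with this config?",
    "DB_PASSWORD=hunter2-constructed",
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "GITHUB_TOKEN=ghp_" + "a" * 36,
    "Authorization: Bearer eyJhbGciOiJub25lIn0.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl",
    "LOG_LEVEL=debug",
])

if __name__ == "__main__":
    clean, findings = redact(SAMPLE)
    print(clean)
    print("found:", findings)
```

Treat any finding as a reason to stop and review the whole paste, since a secret in an unrecognised format will pass through untouched.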


