Compile policy: block DeepSeek Chat at the gateway
HIGH 93%
DeepSeek Chat took source code, 47 employee SSNs, and new-hire home addresses in the last 24 hours, all on personal accounts with no DPA. I compiled a deterministic block rule that stops any paste to deepseek.com on browser and desktop, redirects users to GitHub Copilot, and notifies the 24 affected people. Approve to enforce. Nothing blocks until you do.
PROPOSED ACTION
Draft evidence: EU AI Act Article 50 transparency notice
HIGH 88%
Three tools that touch customer-facing content (Notion AI, Grammarly, Gamma) need an Article 50 transparency notice before they comply with the EU AI Act. I drafted the notice from your tool inventory and the deployment context. It is ready for your compliance reviewer to read, edit, and sign into the Evidence Pack. Approve to file it as reviewed evidence.
PROPOSED ACTION
Classify Unknown: Grammarly
HIGH 86%
132 users, the widest reach of any unsanctioned tool here. No DPA on file. It reads drafts as people type, including emails and documents that may carry customer data. Not high-risk on its own, but it needs a decision and a transparency notice. Suggest classifying Unknown pending a DPA review.
PROPOSED ACTION
Classify Unknown: Notion AI
HIGH 84%
64 users across Product and Operations. Summarizes pages that often contain roadmap notes and customer names. No signed DPA, but it is a known vendor with a standard enterprise agreement available. Suggest Unknown, then move to Sanctioned once the workspace is on a business plan.
PROPOSED ACTION
Mark high risk: Otter.ai
HIGH 90%
41 users. Otter.ai joins live calls and uploads full meeting audio to a third party with no DPA. Sales and HR are both using it, so call recordings likely include customer and personnel data. This is a recording tool with regulated content and no contract. Suggest High risk and notify the affected users.
PROPOSED ACTION
Classify Unknown: Gamma
HIGH 82%
22 users, new this week. Generates decks from pasted content, which has included pricing and customer logos. No DPA. Low volume so far, but it processes customer-facing material and needs an Article 50 transparency notice. Suggest Unknown and revisit if usage grows.
PROPOSED ACTION
Mark high risk: tl;dv
HIGH 88%
9 users, new this week. tl;dv records and transcribes meetings to a third party with no DPA, the same pattern as Otter. Small footprint today, but every recording is regulated content leaving the workspace uncontrolled. Suggest High risk before it spreads.
PROPOSED ACTION
Classify Unknown: Loom AI
HIGH 80%
33 users, new this week. Loom AI summarizes screen recordings, which can capture whatever is on screen, including dashboards and customer records. Loom is an established vendor with an enterprise DPA available. Suggest Unknown, then Sanctioned once the DPA is signed.