by matrixgard 89 days ago
The proxy approach in the other comment handles the technical control side well. The harder part is the auditor question you slipped in at the end — that one trips up almost every team I've talked to. Most companies cannot produce a log showing which employee sent what data to which model, when it was authorized, and what classification level it had. The governance infrastructure for AI just isn't there yet, and auditors are starting to catch up.

SOC 2 and ISO 27001 auditors are now explicitly asking for evidence of data flow controls around AI integrations. "Policy says don't paste customer data into ChatGPT" gets zero credit as a control. What they want to see is technical enforcement with logging — something you can point to and say "here is the record of every outbound prompt from the last 90 days, here is what was flagged." If you can't produce that, it's a finding.

The other gap that's easy to miss: most teams don't know what's sensitive until it's already in a prompt. The classification problem comes before the proxy. What are your teams actually pulling into their prompts right now — internal docs, support tickets, code with credentials, database outputs? That's usually where the real exposure surfaces.
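As an added example (not from this thread or any commenter), here is the shape of the per-prompt audit record the comment describes: who sent it, to which model, when, under whose authorization, with what classification, and whether it was flagged. The classification patterns, flag threshold and sample prompts are constructed assumptions, not any product's rules.

```python
"""Added example: minimal audit-log entry for an outbound LLM prompt.
All regexes, the flag threshold and the sample prompt are constructed."""
import hashlib
import json
import re
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed classification rules: pattern -> (label, rank). Higher rank is more sensitive.
RULES = [
    (re.compile(r"(?i)\b(api[_-]?key|secret|password)\s*[:=]\s*\S+"), ("credential", 3)),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ("pii", 2)),          # SSN-shaped number
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), ("pii", 2)),        # e-mail address
    (re.compile(r"(?i)\bcustomer\b|\bticket\s*#?\d+"), ("customer-data", 1)),
]

FLAG_AT = 2  # assumed policy: rank >= 2 is always flagged for review


def classify(prompt: str) -> Tuple[str, int]:
    """Return (label, rank) of the most sensitive rule that matches, else ('public', 0)."""
    best = ("public", 0)
    for pattern, (label, rank) in RULES:
        if rank > best[1] and pattern.search(prompt):
            best = (label, rank)
    return best


def audit_record(user: str, model: str, prompt: str,
                 authorized_by: Optional[str], ts: Optional[datetime] = None) -> dict:
    """Build the log entry an auditor asks for. Only a SHA-256 digest of the prompt
    is stored, so the audit log does not become a second copy of the sensitive data.
    Anything classified above 'public' without an authorizer is flagged too."""
    label, rank = classify(prompt)
    ts = ts or datetime.now(timezone.utc)
    return {
        "ts": ts.isoformat(),
        "user": user,
        "model": model,
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
        "classification": label,
        "authorized_by": authorized_by,
        "flagged": rank >= FLAG_AT or (rank > 0 and authorized_by is None),
    }


if __name__ == "__main__":
    # Constructed sample prompt mixing a ticket reference, an e-mail and a credential.
    sample = "Summarize ticket #4521 for customer jane@example.com, password=hunter2"
    print(json.dumps(audit_record("alice", "external-llm", sample, None), indent=2))
```

Writing these records to append-only storage is what turns "policy says don't paste customer data" into the 90-day evidence trail the comment mentions.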