GenAI is transforming how enterprises operate — but without the right safeguards, it's also exposing sensitive data in ways many organizations aren’t prepared for. In the first edition of our Oversharing Perspective series, I sat down with Mike D’Arezzo, Executive Director of Information Security and GRC at Wellstar Health, to talk about one of the most pressing challenges in AI adoption: accidental data exposure.

‍

Why Oversharing in GenAI Tools Poses a Real Threat

For healthcare organizations like Wellstar, the stakes are especially high. HIPAA compliance and patient trust depend on protecting sensitive data — including PHI — from unintentional leaks. But as Mike emphasized, oversharing isn’t just a healthcare issue. Any organization using Microsoft Copilot, ChatGPT, or other GenAI platforms faces similar risks.

‍

From GenAI Use Cases to Enterprise Guardrails

The conversation made one thing clear: deploying GenAI without purpose creates unnecessary risk. To mitigate oversharing, Mike recommends:

• Starting with clear use cases and success metrics
• Involving legal, compliance, and risk teams early
• Forming an AI governance council to ensure alignment and accountability

This isn’t about blocking AI — it’s about enabling safe, scalable, and compliant adoption.

‍

Real-World Oversharing Risks with Microsoft Copilot

Mike shared specific examples of how oversharing happens:

• Employees accidentally uploading PHI into Copilot prompts
• SharePoint folders defaulting to org-wide visibility
• Users asking Copilot to surface files they shouldn’t access

Even when unintentional, these incidents can lead to severe consequences, from compliance violations to reputational damage.

‍

Security Isn’t Just IT’s Job

Mike’s philosophy is that GenAI security must be cross-functional. His framework includes:

• Education: Run lunch-and-learns, targeted training, and scenario-based awareness
• Engagement: Include skeptics and champions alike in your AI rollout
• Policy: Keep policies flexible to evolve with new AI capabilities and emerging threats

‍

What’s Next for GenAI in Regulated Industries?

Mike sees a shift toward agentic AI — systems that not only generate but act on behalf of users. That future demands tighter identity and access controls. According to Mike:

• AI will begin building workflows and systems autonomously
• Natural language interfaces will replace traditional UIs
• Role-based access control (RBAC) will be essential to prevent abuse

‍

Final Takeaway: Build the Guardrails Now

GenAI offers immense promise, but its potential will only be realized if it’s deployed securely. As Mike warned, “We need to build the firewalls now — not after we’ve already burned the house down.”

‍