Mechanism
Information that should have stayed inside the function reaches a model provider, vendor infrastructure, or another customer via AI data pathways. Three variants: deliberate-by-design (vendor terms permit prompt-to-training), inadvertent (privileged content captured in vendor logging), operational (vendor support staff access prompt history without per-incident customer authorisation).
Evidence (what the Evidence Register holds)
Vendor DPA confirming data isolation from training; residency confirmation; vendor employee access control documentation; prompt-log retention bounds; per-incident vendor access logs.
Mitigation
Tenant-bound deployments for sensitive matters; prompt-data minimisation; vendor DPA enforcement (Chapter 6); residency configuration; vendor employee access controls.
Editorial Framing
Data leakage is Class 2 because it is the upstream mechanism for several downstream classes — most notably Client confidentiality breach (RC-7) and Regulatory non-compliance (RC-5). A clean vendor DPA + tenant-bound deployment + residency configuration is the structural mitigation.
Indicative Examples
- Vendor permitted prompt-to-training under default terms
- Privileged content captured in vendor logging
- Vendor support staff accessing prompt history without authorisation