
Every Deal Team Has a ChatGPT Tab Open. Nobody Wants to Talk About What's In It.

The SEC withdrew its proposed AI disclosure rule earlier this year. Read that as a relief and you missed the actual story. The accuracy of AI-related claims remains a 2026 examination focus under existing antifraud and marketing provisions. The agency did not lose interest. It just stopped needing a new rule to ask the question.

Here is the question nobody on a deal team wants asked directly: what did you paste into ChatGPT last week?

Picture the standard workflow. An associate gets a 180-page CIM at 11pm with a 9am deadline to flag the key risks. The firm's approved AI tool is slow, behind on features, or requires three login screens. The personal ChatGPT account is one tab away and already logged in. The CIM goes in. The summary comes out. Nobody thinks twice.

That single paste can breach the NDA governing the data room, expose material nonpublic information, and contradict the data controls the firm attested to on its cyber insurance application. Three problems created by one habit that happens dozens of times a day, across nearly every mid-size deal team in the industry.

This is not a hypothetical. VDR terms and NDAs increasingly prohibit uploading confidential material into AI tools that may retain or train on it. Most PE firms above a certain size are SEC-registered investment advisers, which adds fiduciary duties around MNPI handling on top of the contractual exposure. A personal AI login sits entirely outside the firm's identity and data controls. There is no audit trail, no retention policy, no way to prove after the fact what went in and what came out.

The irony is that the underlying instinct is correct. Reading a 180-page document under time pressure is exactly the kind of task AI should compress. The problem was never the impulse to use AI on the document. The problem is that the only AI available to most analysts at 11pm is the consumer-grade tool sitting in their personal browser, with none of the controls a regulated entity is supposed to have around confidential information.

Firms have responded the way firms usually respond: policy memos banning personal AI tools, reminders at the start of each deal, training modules nobody reads twice. Policy without infrastructure does not change behavior under deadline pressure. The associate at 11pm is not weighing regulatory exposure. They are weighing whether the deck is done by 9am.

The actual fix has to be structural. Deal teams need a tool that is faster than the workaround, not just more compliant than it. If the firm-sanctioned option takes longer than pasting into ChatGPT, the firm-sanctioned option loses every time.

This is most of why I am building Lens the way I am. Document intelligence for European finance teams, but built so that confidential material never leaves a controlled, GDPR-native environment hosted in the EU. The Matrix interface lets a team load an entire data room and extract structured answers in minutes, with citations to the exact page and sentence, inside infrastructure that satisfies the same data residency and audit requirements as the rest of the firm's stack. The goal is not to ban the shortcut. It is to make the compliant option faster than the risky one.

The MNPI exposure sitting in personal ChatGPT histories across the industry right now is not a future risk. It already happened, on thousands of deals, and nobody has gone looking yet.

If you run diligence on a deal team and want to see how this works on your actual documents, I am opening early access.

on June 20, 2026
  1. 1

    What I'd be most curious about is whether the workaround exists because the compliant option is slower.

    Or because the person reaching for it is trying to reduce a different kind of friction entirely.

    Those can produce the same behavior while pointing toward very different explanations.

    That's what stood out to me reading this.
