
        Sinchana Adiga posted an update

        an hour ago

        Newsletter

        Summary: Claude Has Three Powers #169b – The dangerous setup every leader must understand before connecting work data

        By Joerg Storm | DIGITAL STORM Weekly #169b (July 2, 2026)

        Executive Summary

        Joerg Storm argues that AI security is no longer primarily about whether an AI model is “safe.” Instead, it’s about how the AI assistant is configured and what permissions it has. Organizations should focus on AI architecture rather than employee behavior to reduce security risks.

        The newsletter highlights three major shifts that every business leader should understand.

        1. Your AI subscription plan now determines your privacy

        One of the biggest changes concerns Claude’s consumer plans.

        Beginning in August 2025, conversations on Claude Free, Pro, and Max may be used to improve future AI models unless users explicitly opt out. Conversation retention can extend for up to five years.

        Business plans, however, continue to offer contractual privacy protections.

        Key message:

        Privacy is no longer determined by how carefully someone uses AI.

        It is determined by which account they use.

        This means employees using personal AI accounts for work may unknowingly expose confidential company information under consumer terms rather than enterprise agreements.

        2. Prompt injection has become the biggest AI security threat

        Storm explains that the most dangerous attack today is Indirect Prompt Injection.

        Unlike traditional cyberattacks, malicious instructions can be hidden inside:

        • PDFs

        • Emails

        • Websites

        • Shared documents

        • Knowledge bases

        When an AI assistant reads these sources, it may unknowingly execute hidden instructions.

        Current AI systems cannot reliably detect every prompt injection attack.

        Therefore:

        Detection alone is no longer enough.

        Instead, organizations must redesign how AI assistants are allowed to operate.

        3. The “Rule of Two”

        The newsletter introduces a practical security framework called the Rule of Two.

        Every AI assistant can possess three powerful capabilities:

        1. Read internal company data

        2. Access external information

        3. Communicate or take actions externally

        Examples include:

        • sending emails

        • posting messages

        • updating systems

        • triggering workflows

        Storm recommends that no AI assistant should ever have all three capabilities simultaneously.

        Instead, limit every assistant to only two powers.

        Example:

        ✔ Read company files + Search the web

        or

        ✔ Read company files + Draft emails

        But never:

        ✔ Read company files + Search the web + Send communications

        This architectural limitation dramatically reduces the impact of prompt injection attacks.

        4. AI governance is now an organizational issue

        Many employees already use AI independently.

        Often they:

        • paste confidential documents into personal AI accounts

        • summarize contracts

        • analyze spreadsheets

        • generate presentations

        Most organizations have little visibility into these activities.

        The risk is no longer technical—it becomes a governance problem.

        Leaders need policies covering:

        • approved AI tools

        • enterprise accounts

        • access permissions

        • acceptable data usage

        • security reviews

        5. Architecture beats awareness training

        Storm argues companies have spent years focusing on employee education.

        However, no amount of security awareness can compensate for poor AI system design.

        Instead of relying on employees to always make perfect decisions:

        • design systems with limited permissions

        • separate responsibilities between AI agents

        • isolate sensitive workflows

        • use enterprise AI environments

        Good architecture reduces the consequences of human mistakes.

        Recommended actions for leaders

        Storm recommends organizations immediately:

        • Disable AI training wherever possible on consumer accounts.

        • Provide employees with enterprise AI subscriptions for work-related tasks.

        • Audit every AI assistant and identify which of the three powers it possesses.

        • Ensure no assistant has all three capabilities simultaneously.

        • Create governance policies for AI usage across departments.

        • Separate high-risk workflows into controlled enterprise environments.

        Key Takeaways

        • AI privacy now depends largely on the subscription plan, not just user behavior.

        • Indirect Prompt Injection has become one of the most significant AI security risks.

        • The Rule of Two recommends limiting AI assistants to only two of three core capabilities: reading internal data, accessing external content, and communicating externally.

        • Personal AI accounts introduce hidden compliance and data governance risks for organizations.

        • Effective AI security relies more on system architecture and governance than on employee awareness alone.

        Overall, the newsletter reframes AI security as an organizational design challenge. Rather than asking whether an AI model is trustworthy, leaders should ask: What permissions have we given it, and under what terms is it handling our data?

        https://drstorm.substack.com/p/claude-has-three-powers-169b?utm_campaign=email-half-post&r=5xcpdm&utm_source=substack&utm_medium=email
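An added example, not part of the post or the newsletter: one way to run the recommended audit of which of the three powers each assistant holds and to flag any assistant that holds all three. The tool names, the tool-to-power mapping and the inventory are hypothetical; tools that nobody has classified are treated as granting every power, so the check fails closed.

```python
from enum import Flag

class Power(Flag):
    READ_INTERNAL = 1    # 1. read internal company data
    ACCESS_EXTERNAL = 2  # 2. access external information
    ACT_EXTERNALLY = 4   # 3. communicate or take actions externally

ALL_THREE = Power.READ_INTERNAL | Power.ACCESS_EXTERNAL | Power.ACT_EXTERNALLY

# Hypothetical tool names mapped to the power each one grants (assumption).
# Drafting is counted under the third power, as in the post's two-power example.
TOOL_POWERS = {
    "read_company_files": Power.READ_INTERNAL,
    "web_search": Power.ACCESS_EXTERNAL,
    "draft_email": Power.ACT_EXTERNALLY,
    "send_email": Power.ACT_EXTERNALLY,
}

# Constructed inventory of assistants and their enabled tools.
INVENTORY = {
    "research-helper": ["read_company_files", "web_search"],
    "mail-drafter": ["read_company_files", "draft_email"],
    "ops-agent": ["read_company_files", "web_search", "send_email"],
    "new-pilot": ["read_company_files", "calendar_plugin"],
}

def audit(tools):
    """Return (granted powers, unclassified tools, removal options) for one assistant."""
    granted, unclassified = Power(0), []
    for tool in tools:
        power = TOOL_POWERS.get(tool)
        if power is None:
            unclassified.append(tool)
            power = ALL_THREE  # fail closed: unknown tools count as all three
        granted |= power
    options = {}
    if granted == ALL_THREE:
        # For each power, list the tools to remove to drop it and get back to two.
        for p in Power:
            options[p.name] = [t for t in tools if p in TOOL_POWERS.get(t, ALL_THREE)]
    return granted, unclassified, options

def violations(inventory):
    """Names of assistants that hold all three powers at once."""
    return sorted(n for n, tools in inventory.items() if audit(tools)[0] == ALL_THREE)
```
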


    Copyright © 2026 - GHRC LLP. All Rights Reserved.
