Summary: Claude Has Three Powers #169b – The dangerous setup every leader must understand before connecting work data
By Joerg Storm | DIGITAL STORM Weekly #169b (July 2, 2026)
Executive Summary
Joerg Storm argues that AI security is no longer primarily about whether an AI model is “safe.” Instead, it’s about how the AI assistant is configured and what permissions it has. Organizations should focus on AI architecture rather than employee behavior to reduce security risks.
The newsletter highlights three major shifts that every business leader should understand.
1. Your AI subscription plan now determines your privacy
One of the biggest changes concerns Claude’s consumer plans.
Beginning in August 2025, conversations on Claude Free, Pro, and Max may be used to improve future AI models unless users explicitly opt out. Conversation retention can extend for up to five years.
Business plans, however, continue to offer contractual privacy protections.
Key message:
Privacy is no longer determined by how carefully someone uses AI.
It is determined by which account they use.
This means employees using personal AI accounts for work may unknowingly expose confidential company information under consumer terms rather than enterprise agreements.
2. Prompt injection has become the biggest AI security threat
Storm explains that the most dangerous attack today is Indirect Prompt Injection.
Unlike traditional cyberattacks, malicious instructions can be hidden inside:
- PDFs
- Emails
- Websites
- Shared documents
- Knowledge bases
When an AI assistant reads these sources, it may unknowingly execute hidden instructions.
Current AI systems cannot reliably detect every prompt injection attack.
Therefore:
Detection alone is no longer enough.
Instead, organizations must redesign how AI assistants are allowed to operate.
3. The “Rule of Two”
The newsletter introduces a practical security framework called the Rule of Two.
Every AI assistant can possess three powerful capabilities:
- Read internal company data
- Access external information
- Communicate or take actions externally
Examples include:
- sending emails
- posting messages
- updating systems
- triggering workflows
Storm recommends that no AI assistant should ever have all three capabilities simultaneously.
Instead, limit every assistant to only two powers.
Example:
✔ Read company files + Search the web
or
✔ Read company files + Draft emails
But never:
✘ Read company files + Search the web + Send communications
This architectural limitation dramatically reduces the impact of prompt injection attacks.
4. AI governance is now an organizational issue
Many employees already use AI independently.
Often they:
- paste confidential documents into personal AI accounts
- summarize contracts
- analyze spreadsheets
- generate presentations
Most organizations have little visibility into these activities.
The risk is no longer technical—it becomes a governance problem.
Leaders need policies covering:
- approved AI tools
- enterprise accounts
- access permissions
- acceptable data usage
- security reviews
5. Architecture beats awareness training
Storm argues companies have spent years focusing on employee education.
However, no amount of security awareness can compensate for poor AI system design.
Instead of relying on employees to always make perfect decisions:
- design systems with limited permissions
- separate responsibilities between AI agents
- isolate sensitive workflows
- use enterprise AI environments
Good architecture reduces the consequences of human mistakes.
Recommended actions for leaders
Storm recommends organizations immediately:
- Disable AI training wherever possible on consumer accounts.
- Provide employees with enterprise AI subscriptions for work-related tasks.
- Audit every AI assistant and identify which of the three powers it possesses.
- Ensure no assistant has all three capabilities simultaneously.
- Create governance policies for AI usage across departments.
- Separate high-risk workflows into controlled enterprise environments.
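One way to run the audit from the third and fourth actions against the Rule of Two in section 3, as an added example that is not from the newsletter: it maps each assistant's enabled tools to the three powers and flags any assistant that holds all three. The tool names, assistant names and the tool-to-power mapping are constructed assumptions, and a tool nobody has classified is treated as granting all three powers.

```python
"""Rule of Two audit over assistant tool manifests (all names are constructed)."""

READ_INTERNAL, ACCESS_EXTERNAL, ACT_EXTERNALLY = "read_internal", "access_external", "act_externally"
ALL_POWERS = frozenset({READ_INTERNAL, ACCESS_EXTERNAL, ACT_EXTERNALLY})

# Hypothetical tool names -> powers granted. Assumption: an inbox is both
# internal data and content an outsider can write into, so it grants two powers.
TOOL_POWERS = {
    "drive_read": {READ_INTERNAL},
    "crm_query": {READ_INTERNAL},
    "web_search": {ACCESS_EXTERNAL},
    "inbox_read": {READ_INTERNAL, ACCESS_EXTERNAL},
    "email_send": {ACT_EXTERNALLY},
    "workflow_trigger": {ACT_EXTERNALLY},
}

# Constructed sample inventory: assistant name -> enabled tools.
MANIFESTS = {
    "research-bot": ["drive_read", "web_search"],
    "support-agent": ["crm_query", "web_search", "email_send"],
    "mail-triage": ["inbox_read", "email_send"],
    "ops-helper": ["drive_read", "custom_plugin"],
}


def powers_of(tool):
    """Powers a tool grants; an unclassified tool fails closed to all three."""
    return TOOL_POWERS.get(tool, ALL_POWERS)


def audit(manifests):
    """Per assistant: powers held, verdict, unclassified tools, removal options."""
    findings = {}
    for name, tools in manifests.items():
        held = set().union(*(powers_of(t) for t in tools))
        violates = held == ALL_POWERS
        # For each power, the tools that must be disabled to drop that power.
        options = {p: sorted(t for t in tools if p in powers_of(t))
                   for p in sorted(ALL_POWERS)} if violates else {}
        findings[name] = {
            "powers": sorted(held),
            "violates": violates,
            "unclassified": [t for t in tools if t not in TOOL_POWERS],
            "options": options,
        }
    return findings


if __name__ == "__main__":
    for name, f in audit(MANIFESTS).items():
        print("FAIL" if f["violates"] else "ok  ", name, f["powers"], f["options"])
```

In this sample, mail-triage fails with only two tools enabled, because the inbox tool alone carries two powers under the assumed mapping.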
Key Takeaways
- AI privacy now depends largely on the subscription plan, not just user behavior.
- Indirect Prompt Injection has become one of the most significant AI security risks.
- The Rule of Two recommends limiting AI assistants to only two of three core capabilities: reading internal data, accessing external content, and communicating externally.
- Personal AI accounts introduce hidden compliance and data governance risks for organizations.
- Effective AI security relies more on system architecture and governance than on employee awareness alone.
Overall, the newsletter reframes AI security as an organizational design challenge. Rather than asking whether an AI model is trustworthy, leaders should ask: What permissions have we given it, and under what terms is it handling our data?
drstorm.substack.com

