You Can Use AI Without Exposing Your Company
A practical guide for mining and resource professionals whose compliance teams said no and how to give them a reason to say yes
6/9/2026 · 14 min read
I spent two days at the Elko Mining Expo last week talking to nearly everyone I could. Gold dropped nearly 4% on the week and is continuing to drop today (6/9/2026), but inside the convention center the booths were packed, the job postings were real, and vendors were filling orders. When the ground signal and the price signal diverge that sharply, someone is wrong, and in my experience it is usually not the miners. In simple terms, market psychology can swing from extreme fear to extreme greed.
But the conversation that came up more than any other was not about gold or silver. Surprisingly, it was about AI: when I said I worked in cybersecurity and information security, that was the first thing that popped into people's heads.
The question I heard repeatedly, in different forms and from different roles, was essentially this: "I can use AI at home. I use it for everything, but at work I am restricted to Copilot, and it is not giving me what I need. I want to use Claude, or ChatGPT, or Gemini, but my compliance team will not approve it. What can I do?"
That question deserves a real answer, not a workaround and not a suggestion to use unapproved tools and hope nobody notices. A genuine, compliance-respectable answer that addresses the security concern and still gets the work done is my goal, and this article attempts to provide it. I will use specific examples you can take to your compliance team, a framework for understanding what is and is not safe to put into an AI tool, and a set of prompts designed for mining and resource professionals that generate real business value without exposing a single piece of sensitive corporate data.
Important disclosure: every example, prompt, and recommendation in this article should be reviewed and approved by your internal compliance, legal, or information security team before implementation.
AI governance policies vary by company, jurisdiction, and regulatory environment. Nothing in this article overrides your organization’s approved toolset or data handling policies.
The purpose of this article is to equip you with examples that demonstrate how AI can be used safely in the hopes that you can have a productive conversation with the people who make those approval decisions.
Why Compliance Said No and Why They Were Not Entirely Wrong
Before you walk into your compliance team's office with a request, it helps to understand what they are concerned about. Their objection is not that AI is useless. It is that most AI tools, particularly consumer-facing products, process data on external servers, and the data handling practices of those servers may not meet the company's information security requirements.
The specific concerns are legitimate, and I have addressed a few here:
• Data residency: Where is the data processed and stored? If you paste an internal memo into a consumer AI tool, that text may be processed on servers in a jurisdiction your company has not approved.
• Training data: Some AI providers use conversation inputs to improve their models. If you paste proprietary geological data into a tool that trains on user inputs, that data could theoretically surface in responses to other users.
• Authentication: Consumer AI tools typically use personal accounts. There is no audit trail connecting usage to the corporate identity management system, and no way to enforce data loss prevention policies.
• Regulatory compliance: For some companies, such as those subject to SEC disclosure requirements or CMMC, or those operating in classified-adjacent environments, the data handling question is not just a policy preference. It is a regulatory obligation.
These are real concerns. They are also, to some extent, solvable, which is why your conversation with compliance should not be about whether to use AI, but about how to use it in a way that addresses each of these objections.
The Case You Can Take to Compliance
Here is an example of an argument, structured for a compliance or information security team that needs to see a clear risk-benefit analysis before approving an additional tool.
The principle: public data in, public insight out (but do consider inference)
The vast majority of high-value AI use cases in the mining and resource sector do not require inputting any proprietary data at all. They involve asking an AI to analyze or interpret information that is already publicly available: SEC filings, commodity prices, industry reports, regulatory guidance, news, and published research.
If the input contains no proprietary information, the data handling risk is materially reduced regardless of the tool's processing location, training policy, or authentication method, though inference, retention, logging, and company policy still matter. The question is less about the tool than about the input.
Do keep in mind the impact of inference, which is the logical process of drawing a conclusion or forming an opinion from known facts, evidence, and reasoning. As an example: if you looked up home loans, houses on a real estate site, and a phone number for a broker, all publicly available information, an observer could infer that you are buying a house, or at minimum are interested in one.
The compliance framework: three categories of AI use
Category 1 — Public data only. No proprietary input. Candidate for approval when the tool meets basic enterprise security standards (SSO, encryption in transit, no training on inputs). In my experience, this is where a large share of the practical value lives.
Category 2 — Internal data, anonymized. Company data with all identifying information removed. Make sure that data described as anonymized truly is anonymized: stripped identifiers can potentially be reverse engineered to recover the underlying data set. Approved for enterprise-tier tools with contractual data handling guarantees (e.g. Microsoft 365 Copilot, Anthropic Claude for Business, OpenAI ChatGPT Enterprise).
Category 3 — Proprietary or classified data. Geological models, internal financial projections, M&A targets, personnel data, classified information. Not approved for any external AI tool. Internal deployment or air-gapped solutions only.
Most compliance teams are saying no to everything because they have not been given a framework that distinguishes between these categories. Your job is to give them one. Category 1 use alone, public data in and public insight out, could potentially unlock enormous value with minimal data risk.
Three Lessons from the Stryker Corporation Filing
Before we get to the practical examples, here is a real-world case that demonstrates why this matters, and one you can discuss with your AI tool of choice using only publicly available information.
On April 9, 2026, Stryker Corporation (SYK) filed an 8-K/A under Item 1.05, confirming a material cybersecurity incident. The March 11 attack was attributed to Handala, an Iran-linked hacktivist persona. Attackers and several media reports claimed that the incident affected large numbers of devices globally, including employee devices enrolled through endpoint-management tools. Stryker’s own public filings confirmed operational disruption and later material impact, but the precise device count and full technical scope should be treated as reported claims unless confirmed by the company.
It appears to be one of the more visible publicly reported Iran-linked destructive cyber incidents affecting a major U.S. company during the current conflict cycle. Stryker is a $25 billion medical device manufacturer whose products serve defense and civilian healthcare globally.
Here is the prompt you can use from public information and the three lessons it surfaces:
Prompt example — Stryker incident analysis
Prompt: "Stryker Corporation filed an 8-K/A under Item 1.05 on April 9, 2026 disclosing a material cybersecurity incident attributed to an Iran-linked actor called Handala. The attack wiped approximately 200,000 devices across 79 countries including personal phones enrolled through BYOD. CISA launched an investigation. What are three lessons my company can learn from this incident to strengthen our own cybersecurity posture?"
Why it's safe: Every detail in this prompt comes from a public SEC filing and published reporting. No proprietary data is included. This is a Category 1 use case.
The three lessons that emerge are the following (and how they apply directly to mining and resource companies):
Lesson 1: BYOD is an attack surface you are already carrying. Stryker lost 200,000 devices, including personal phones enrolled through bring-your-own-device policies. Mining companies routinely allow contractor and employee personal devices to connect to corporate networks, particularly at remote sites where corporate-issued hardware is limited. If your BYOD policy does not include remote wipe capability, device enrollment management, and segmentation from operational systems, the Stryker scenario is replicable in your environment.
Lesson 2: Nation-state attribution changes the materiality calculus. Stryker's incident was attributed to an Iran-linked actor in the context of the current US-Iran conflict. For mining companies operating in geopolitically sensitive jurisdictions or producing critical minerals that feature in national security supply chains, the threshold for considering an incident potentially material should be lower when the threat actor has a state-aligned motivation. The governance framework needs to account for attribution as a materiality factor.
Lesson 3: The 8-K/A filing pattern tells you the scope evolved.
Stryker filed an amendment, an 8-K/A, not an original 8-K. That means the initial assessment was updated as new information emerged. For your incident response plan, this means the materiality determination is not a single decision point. It is a process that may require updated disclosures as the investigation develops. Your governance framework should anticipate amendment scenarios, not treat the initial filing as final.
Competitive Intelligence with Public Data That Adds Real Value
The second example addresses a different use case: using AI to process publicly available market intelligence without exposing any internal data.
Prompt example — Competitive intelligence from public M&A and IPO data
Prompt: "This week in the mining sector: Applied Aerospace & Defense priced a $650M NYSE IPO for defence manufacturing hardware. Silver X Mining acquired a 42,000 oz gold resource from Barrick for $30,000 cash. Agnico Eagle purchased a royalty on its own Porcupine properties for C$5M, its third strategic move in a month. Western Copper and Gold disclosed that Mitsubishi Materials is maintaining its partnership on the Casino copper-gold project in Yukon. Based on these publicly announced transactions, what are three things a mid-tier mining company can do to stay competitive?"
Why it's safe: Every transaction referenced is from a public press release or SEC/SEDAR filing. No proprietary data. Category 1 use case.
This type of prompt generates actionable strategic insight from information your competitors have already published. Your compliance team should have few objections because the input is entirely public.
Ten AI Prompts for Mining and Resource Professionals
All Examples Are Category 1
The following prompts are designed for people working in mining companies, resource sector vendors, and adjacent industries. Every prompt uses only publicly available information as input. No proprietary data is required. All are Category 1 under the framework above.
1. OT Security Awareness
Prompt: "What are three ways companies that use operational technology (OT) and SCADA systems in mining environments are making those environments safer in 2026? What are the current known threat vectors for SCADA systems in remote mining operations?"
Why it's safe: General industry knowledge. No company-specific data required.
2. SEC Disclosure Readiness
Prompt: "Under SEC Regulation S-K Item 106, what are the specific cybersecurity governance disclosures a mining company must include in its annual 10-K filing? How should a company with both IT and OT environments describe board oversight of cybersecurity risk?"
Why it's safe: Regulatory reference material. The SEC rule is public law.
3. Incident Response Planning
Prompt: "If a ransomware attack shut down the processing plant SCADA system at a remote mining operation, what steps should the incident response team take in the first 72 hours? How does the SEC's four-business-day disclosure clock interact with the investigation timeline?"
Why it's safe: Hypothetical scenario using general industry knowledge. No company systems referenced.
4. Third-Party Risk Assessment
Prompt: "What are the most common cybersecurity risks introduced by third-party contractors at mining sites — including drilling contractors, equipment OEMs like Caterpillar and Komatsu, and assay labs? What questions should a mining company ask in a vendor security assessment?"
Why it's safe: Industry-general vendor categories. No proprietary vendor relationships disclosed.
5. Commodity Market Analysis
Prompt: "Gold was recently trading above $4,700 per ounce, copper is at historic highs, and China has imposed export controls on silver, tungsten, antimony, and rare earths. What does this commodity environment mean for mid-tier mining companies considering a US listing in the next 12-24 months?"
Why it's safe: All commodity prices and policy actions are publicly reported market data.
6. CMMC Readiness for Defence-Adjacent Companies
Prompt: "My company is a mining or metals company that supplies materials under DoD contracts. CMMC Phase 1 implementation began in November 2025. What are the key differences between CMMC Level 1 and Level 2, and what should we be doing now to prepare for Phase 2 in November 2026?"
Why it's safe: CMMC is a public DoD programme. No contract details or company identity required.
7. Geopolitical Risk Assessment
Prompt: "The Strait of Hormuz has been effectively closed or experienced severe disruptions since February 2026. China accounted for about 91% of global rare earth separation and refining. What are the cybersecurity implications for mining companies operating in the critical minerals supply chain — particularly those producing copper, lithium, or rare earth elements?"
Why it's safe: Geopolitical facts from public reporting. No company operations disclosed.
8. Board Reporting Preparation
Prompt: "I need to prepare a cybersecurity risk briefing for a mining company's board audit committee. What topics should a quarterly board cybersecurity briefing cover, and how should OT risk at remote sites be presented differently from IT risk at corporate headquarters?"
Why it's safe: General governance best practice. No company-specific risk data required.
9. PEA and Feasibility Study Risk Integration
Prompt: "When a mining company publishes a Preliminary Economic Assessment or feasibility study, what cybersecurity and data integrity risks should be considered? How could compromise of geological modelling data or resource estimation systems affect the reliability of a PEA?"
Why it's safe: General industry methodology. No specific project data required.
10. Job Description and Hiring
Prompt: "Write a job description for a cybersecurity governance manager at a mid-tier gold mining company with operations in Nevada and Quebec. The role needs to cover SEC Item 106 disclosure, OT security at mine sites, and third-party contractor risk management. What qualifications and experience should we require?"
Why it's safe: General role description. No internal org chart, compensation, or personnel data required.
The Validation Test / Compare and Learn
Here is a practical exercise you can do right now to build the case for your compliance team.
Take one of the prompts above (the Stryker incident analysis or the competitive intelligence example) and run it through your approved internal AI tool (likely Copilot). Note the response. Then run the same prompt through a consumer AI tool on your personal device: Claude, ChatGPT, Gemini, whichever you prefer.
Compare the two responses. Bring both to your compliance team and say: here is what I asked, here is what our approved tool returned, here is what the alternative returned. The input was identical and contained only publicly available information. The prompt itself did not include proprietary data. Here is the gap in analytical quality. Can we have a conversation about approving an enterprise-tier alternative for Category 1 use cases?
That is a compliance conversation, not a policy violation. It is also the conversation that most compliance teams have not been given the opportunity to have because nobody has framed the request in terms they can evaluate.
What Enterprise AI Tiers Actually Offer
When you bring the comparison to your compliance team, they will ask what the enterprise versions of these tools offer that the consumer versions do not. Here is the short answer:
• No training on inputs: Your data is not used for model training. Enterprise agreements contractually guarantee that conversation inputs are not used to train or improve the model.
• SSO and access control: Single sign-on integration with your corporate identity provider (Okta, Azure AD, etc.), creating an audit trail and enabling access management.
• Data residency and retention: Data is processed within defined geographic regions and is not retained beyond the session unless the customer opts in.
• DLP integration: Many enterprise AI tiers offer configurations that work alongside existing DLP infrastructure.
• Compliance certifications: SOC 2 Type 2, ISO 27001, and in some cases FedRAMP authorization are available for enterprise AI deployments.
The cost for enterprise AI access ranges roughly from $20 to $60 per user per month depending on the provider and tier, but please contact your procurement team or the AI provider directly for confirmation. For a team of five, that is roughly $100 to $300 per month. The analytical value of the ten prompts above, applied consistently across competitive intelligence, regulatory readiness, incident response planning, and board reporting, is probably worth multiples of that cost.
The Inference Dimension: What AI Can Do Without Your Data
One of the most underappreciated capabilities of modern AI is inference: the ability to draw conclusions from publicly available information that would take a human analyst hours or days to assemble.
Consider what you can ask an AI tool to do with no proprietary input at all:
• Identify patterns across SEC filings: which mining companies have updated their Item 106 disclosures this quarter, and what changed in the language?
• Analyze commodity price trends alongside geopolitical developments: what does the combination of Hormuz closure, Chinese export controls, and record gold prices suggest for the competitive positioning of Nevada gold producers?
• Summarize regulatory developments: what are the key differences between CMMC Phase 1 and Phase 2, and which requirements are most relevant to a metals company with DoD supply contracts?
• Draft board-ready language: write a quarterly cybersecurity risk summary suitable for a mining company's audit committee, covering the current OT threat landscape and the SEC's disclosure expectations.
• Evaluate M&A activity: based on publicly announced transactions this quarter, which sectors of the mining industry are consolidating, and what does that signal about where capital is flowing?
None of these prompts requires a single piece of proprietary data. All of them generate output that would take a junior analyst approximately a full day to produce manually. That is the value proposition your compliance team needs to hear: not that AI is interesting, but that it is a competitive tool your peers are already using.
What Not to Put Into Any AI Tool
For completeness, and to demonstrate that this article takes the security concern seriously, here is what should never be entered into any external AI tool regardless of tier:
• Internal geological models, resource estimates, or drill results before public disclosure
• Internal financial projections, budget data, or M&A target lists
• Employee personal information, payroll data, or HR records
• Classified or export-controlled information of any kind
• Customer lists, contract terms, or pricing data
• Internal audit findings or compliance investigation details
• Credentials, API keys, or system architecture diagrams
• Board minutes, executive communications, or legal privilege material
If any of these items appear in a prompt, the use case is Category 3 and should not be processed on any external system. In most organizations, these should be treated as restricted use cases requiring internal approval and specialized controls. The value of AI is not in processing your secrets. It is in processing the world's publicly available information faster and more effectively than you can do manually.
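One way to put the three-category framework and the list above into practice is a pre-submission screen that classifies a prompt before it leaves the company. The following is an added example written for this article, not code from the original page or from Sturnella; the rule names, regex heuristics, `screen_prompt` function, and the two non-public sample prompts are assumptions constructed for illustration (the public sample is excerpted from the Stryker prompt above).

```python
"""Pre-submission prompt screen for the article's three-category framework.
The regex rules are assumed heuristics for illustration, not a DLP product:
any match escalates the prompt to the stricter category it is tagged with."""
import re
from dataclasses import dataclass, field

# Categories as defined in the article.
PUBLIC, ANONYMIZED, PROPRIETARY = 1, 2, 3

# (rule name, pattern, category the match forces). Patterns cover the data
# classes the article says must never leave the company, plus markers that
# suggest internal material that has been anonymized (Category 2).
RULES = [
    ("aws_access_key", r"\bAKIA[0-9A-Z]{16}\b", PROPRIETARY),
    ("private_key_block", r"-----BEGIN [A-Z ]*PRIVATE KEY-----", PROPRIETARY),
    ("credential_assignment", r"\b(password|passwd|secret|api[_-]?key)\s*[:=]\s*\S+", PROPRIETARY),
    ("rfc1918_address", r"\b(10\.\d{1,3}|192\.168|172\.(1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b", PROPRIETARY),
    ("email_address", r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b", PROPRIETARY),
    ("undisclosed_drill_result", r"\b(drill ?hole|assay|intercept)\b.*?\d+(\.\d+)?\s*(g/t|ppm|%)", PROPRIETARY),
    ("internal_marking", r"\b(confidential|internal use only|not for distribution)\b", ANONYMIZED),
    ("anonymization_placeholder", r"\[(company|site|project|employee)\]", ANONYMIZED),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE), cat) for name, pat, cat in RULES]

# Approval guidance per category, paraphrased from the article's framework.
GUIDANCE = {
    PUBLIC: "candidate for approval on a tool meeting the enterprise baseline "
            "(SSO, encryption in transit, no training on inputs)",
    ANONYMIZED: "enterprise-tier tool with contractual data handling guarantees, "
                "after a reviewer confirms the anonymization cannot be reversed",
    PROPRIETARY: "not approved for any external AI tool; internal or air-gapped only",
}


@dataclass
class ScreenResult:
    category: int
    findings: list = field(default_factory=list)  # (rule name, matched text)

    @property
    def guidance(self) -> str:
        return GUIDANCE[self.category]


def screen_prompt(text: str) -> ScreenResult:
    """Classify a prompt; the strictest matching rule wins."""
    result = ScreenResult(category=PUBLIC)
    for name, pattern, category in COMPILED:
        match = pattern.search(text)
        if match:
            result.findings.append((name, match.group(0)[:40]))
            result.category = max(result.category, category)
    return result


# Sample prompts: the first is excerpted from the article's Stryker example;
# the other two are constructed, using made-up identifiers and the AWS
# documentation placeholder key, to show Category 2 and Category 3 detection.
PUBLIC_PROMPT = ("Stryker Corporation filed an 8-K/A under Item 1.05 on April 9, 2026 "
                 "disclosing a material cybersecurity incident. What are three lessons "
                 "my company can learn from this incident?")
ANONYMIZED_PROMPT = ("Write a board-ready summary for [Company] from this internal use "
                     "only audit finding; site names and identifiers have been removed.")
PROPRIETARY_PROMPT = ("Summarize drill hole DH-24-017: intercept of 12.4 g/t over 8 m. "
                      "Pull the model from 10.20.5.14 with api_key=AKIAIOSFODNN7EXAMPLE "
                      "and send it to j.doe@example-mine.com.")

if __name__ == "__main__":
    for label, prompt in [("public", PUBLIC_PROMPT), ("anonymized", ANONYMIZED_PROMPT),
                          ("proprietary", PROPRIETARY_PROMPT)]:
        r = screen_prompt(prompt)
        print(f"{label}: Category {r.category} -> {r.guidance}")
        for name, snippet in r.findings:
            print(f"    matched {name}: {snippet!r}")
```

A screen like this catches the obvious leaks (keys, internal addresses, undisclosed results) but cannot judge inference, so a Category 1 verdict is a starting point for the reviewer, not a substitute for one.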
The Real Risk Is Not Using AI, It Is Falling Behind
The professionals I spoke to at Elko are not asking about AI because they are curious. They are asking because they can see that their competitors, the companies in adjacent sectors, the vendors who win the next contract, and the analysts who publish the sharper report are already using these tools. The gap is widening every quarter.
The companies that figure out AI governance first are not the most aggressive adopters, but the ones that build a compliant, defensible framework for using AI on public data. They will have a structural advantage in competitive intelligence, regulatory readiness, and operational decision-making. The companies that default to a blanket no may find themselves relying on manual analysis in a market that no longer waits.
The conversation with compliance is not about risk tolerance. It is about competitive positioning, and it starts with a framework that distinguishes between what is genuinely dangerous and what is useful.
This article is designed to start that conversation, so take these examples to your compliance team. Show them the three categories and show them the ten prompts. Then ask them which ones they object to and why, and have an open discussion.
In most cases, the answer will be more nuanced than a simple no, and that is the beginning of a policy, not the end of a conversation.
Compliance disclosure: all examples, prompts, and recommendations in this article are for informational purposes only. They must be reviewed and approved by your internal compliance, legal, or information security team before implementation in your organization.
AI tool selection, data handling policies, and governance frameworks should be established in consultation with qualified professionals and in accordance with your organization’s specific regulatory obligations.
Sturnella does not endorse any specific AI tool or provider. The examples in this article are illustrative and provider-neutral.
Sturnella's Role
Sturnella advises mining, energy, infrastructure, and defense-adjacent companies on IPO cybersecurity readiness, SEC Regulation S-K Item 106 compliance, cyber diligence in M&A transactions, and board-level cybersecurity governance before and during capital markets events.
We operate at the deal table, not inside the IT department. Our work is focused on governance precision, disclosure defensibility, and transaction protection.
contact@sturnellahq.com | sturnellahq.com | news.sturnellahq.com
Disclaimer: This article appeared on the Sturnella website at sturnellahq.com and is provided for informational purposes only. It does not constitute investment advice, financial advice, legal advice, or a solicitation to buy or sell any security or financial instrument. The information contained herein is based on publicly available sources and is believed to be accurate at the time of publication but is not guaranteed. Sturnella LLC is a capital markets cybersecurity and governance advisory firm and is not a registered investment adviser, broker-dealer, or financial institution. Always consult a qualified financial, legal, or investment professional before making any investment decision.