CSM Redefined
Subscribe
AI in CS·Framework·8 min read

AI Safety for Customer-Facing Work: Eight Rules That Keep You Out of Trouble

This piece argues that almost every published AI safety conversation is happening at the wrong altitude for CS work. The CSM doesn't care about AGI alignment — they care about whether pasting a customer's renewal email into ChatGPT just leaked their contract terms to a third-party model. Eight operational rules that produce defensible decisions in under thirty seconds, plus a printable reference card to keep next to your monitor.

The forty-second decision

The first CSM I knew who got fired for an AI-related incident didn't do anything dramatic. She didn't leak intellectual property. She didn't send a bot-written breakup email. What she did was paste a customer's full QBR transcript — which contained the customer's roadmap, internal team frustrations, and a complaint about an unreleased product — into a free-tier chatbot to summarize it for her internal notes.

The chatbot's terms of service, in the part nobody reads, allowed the provider to use submitted data to "improve the model." Six weeks later, a researcher demonstrated they could prompt the same model to recite passages from various enterprise documents. One of those passages was, recognizably, from her customer's QBR.

She didn't get fired for being malicious. She got fired because the customer's General Counsel called her company's General Counsel and asked who else had access to that transcript. By the time the lawyers had finished, the company decided an internal post-mortem wasn't enough — somebody had to wear it publicly.

This is the kind of story that doesn't make it into AI safety articles, because AI safety articles are mostly written about superintelligence, deepfakes, or election misinformation. The reality for an enterprise CSM is much more boring and much more career-ending: a forty-second decision to paste something into a chatbot, made on a Tuesday morning, that nobody told you was a data-handling decision.

Below are eight rules to keep that from happening. They're operational, not philosophical. Each one produces a clear decision in under thirty seconds. Print the reference card, stick it next to your monitor, and you'll never end up in the GC's inbox.

The eight rules

Rule 1: Never paste identifiable customer data into a consumer AI tool.

The most-violated rule in CS today. Customer names, account IDs, contract details, dollar amounts tied to specific accounts, named employees — none of it goes into ChatGPT, Claude.ai, Gemini, or any other consumer-tier interface. Use either an enterprise tier with an explicit no-training data-processing addendum, an internal tool, or de-identified content.

The risk isn't theoretical. Multiple frontier model providers have had data exposure incidents where users could prompt models into reciting content from training data. Once your customer's name is in there, you can't get it out.

The thirty-second decision: Before pasting, ask: if a researcher published a list of things this tool's data contains, would my customer's name be in it? If yes, don't paste.

Exception: Enterprise-tier accounts with explicit no-training contracts. Free, Plus, Team, and Enterprise tiers all have different data policies. Verify your contract before assuming the tier you're using is the no-training one.

Rule 2: De-identify before you summarize.

The work of de-identifying takes two minutes and protects you against every Rule 1 failure. Replace customer names with "Customer A." Replace dollar amounts with relative bands ("mid-six-figure ARR"). Replace employee names with their roles ("the CFO"). Replace dates with relative timing ("Q3 of current FY").

The model produces equally good summaries from de-identified input. Sometimes better — without specific names to anchor on, the model focuses on the structure of what's actually happening in the account.

The thirty-second decision: Find-and-replace before pasting. If you can't be bothered to spend two minutes on de-identification, the work isn't important enough to summarize.

Rule 3: Never let AI send a customer-facing message without a human read.

The shortest path from CSM to terminated CSM is an automated workflow that sends AI-generated content directly to a customer. Set up your tools so AI drafts but a human ships. Every message. No exceptions for "low-stakes" interactions; there are no low-stakes interactions with paying customers.

The two-minute review is not friction in the workflow. The two-minute review is the workflow. The AI's job is to compress the writing time. The human's job is to take ownership of what gets sent.

The thirty-second decision: If a vendor pitches you on "AI that responds to customer emails automatically," ask: who reviews each one before send? If the answer is "the AI" or "a confidence threshold," walk away.

Rule 4: Treat AI output like a junior employee's first draft.

Useful but unreliable. Reviewed before going anywhere consequential. Not authoritative. The mental model of AI as junior employee is the single most useful frame for understanding what to delegate to it and what not to.

A junior employee can draft a status report. A junior employee should not write the renewal proposal. A junior employee can pull data into a one-pager. A junior employee should not tell a customer their pricing is going up.

This frame survives whatever the next model generation does. Better junior employees are still junior employees.

The thirty-second decision: Would I let a brand-new CSM hire send this exact output to a customer without review? If no, don't let AI send it either.

Rule 5: Verify any factual claim AI makes about your own product.

Models hallucinate features that don't exist. They confuse your product with competitors'. They invent integration capabilities. They state version numbers and limits and pricing tiers that aren't real. None of this is malicious — it's how models work, particularly when they have partial training data about your product.

If AI tells you "Acme integrates with Salesforce via a native two-way sync," do not write that in a customer email until you have verified it in your actual product documentation.

This is the rule with the highest career-cost-per-violation. Telling a customer your product does something it doesn't is an instant credibility loss that follows you through the entire renewal cycle.

The thirty-second decision: Anything the AI says about your own product gets verified before it leaves your screen.

Exception: None. This is the rule with no exceptions.

Rule 6: Customer data has a chain of custody. Don't break it.

Where the data came from, who has seen it, and what happened to it — those are facts your security team will eventually need to reconstruct. Don't put customer data into tools whose chain of custody you can't articulate. Don't put it into personal accounts. Don't put it into browser extensions you installed yourself. Don't put it into tools your company hasn't approved.

The breaking point for most CSMs is convenience. "It's just a Chrome extension that summarizes meetings." That extension is now in the chain of custody. The data goes to its servers. The contract terms govern what happens next. If you don't know the answer, you've broken the chain.

The thirty-second decision: If the security team subpoenaed your AI tool usage, could you tell them exactly which customer data went where? If you can't, that's the gap to close — today, not after the incident.

Rule 7: AI-generated text needs to read like you wrote it.

This is about trust preservation, not legal liability. Customers can tell when an email is AI-written. They form a judgment about you the moment they recognize it. The judgment is not flattering.

AI is an input to your writing, not a replacement for it. The reason the Prompt Library emphasizes editing every AI draft is not authorial vanity — it's that the unedited AI draft sounds like every other unedited AI draft, and customers are getting better at spotting them every month.

The marker phrases are well-known: "I hope this finds you well." "I wanted to circle back." "Excited to discuss." "Let me know if you have any questions." If your draft is full of them, your customer's noticing.

The thirty-second decision: Read your AI-drafted email out loud before sending. If it doesn't sound like you talking, rewrite it.

Rule 8: The trust withdrawal is not recoverable.

When a customer concludes they have been managed by a bot, you cannot undo that conclusion. They will scrutinize every future interaction looking for further evidence. They will discount what you say, both literally (in negotiation) and figuratively (in trust).

This is the only rule on the page about a long-tail consequence — every other rule is about an immediate decision. But Rule 8 is the most important. Every AI-touched customer interaction either deposits to the customer's trust account or withdraws from it. Small deposits compound. A single large withdrawal can be permanent.

The rule is restraint. When in doubt, do it manually. The hour you save by AI-drafting is not worth the relationship you lose by being caught.

The thirty-second decision: Before any AI-touched customer interaction, ask: if the customer found out later that AI was involved in this, would they be relieved or angry? If angry, do it manually.

The decision tree

For any AI-touched task in CS:

  1. Does it involve identifiable customer data? → Apply Rules 1 and 2.
  2. Will the output go to a customer? → Apply Rules 3, 4, and 7.
  3. Does it make claims about your own product? → Apply Rule 5.
  4. Are you using a tool your security team doesn't know about? → Apply Rule 6.
  5. Could the customer feel managed by a bot? → Apply Rule 8.

If you pass all five, proceed. If any one fails, stop or escalate.

The conversation with your CRO

CSMs are sometimes nervous about AI safety because they think their CRO wants them to be AI-aggressive. In reality, most CROs want their CS team to be AI-aggressive in specific, defensible ways and AI-conservative in everything else. The eight rules give you the language to draw that line in a way your CRO will respect.

A three-sentence script:

"We're using AI aggressively where the trust risk is low — internal note-taking, draft generation, research. We're holding the line where the trust risk is real — anything customer-facing without human review, anything involving identifiable customer data outside our enterprise tier. The risk we're managing is trust preservation. The benefit we're capturing is time on the high-leverage work."

That's a strategic answer. Most CROs nod.

What the rules will look like in 2027

These rules will evolve as the industry matures. The version of this piece you read in 2027 will have different specifics — different model providers, different contract structures, different categories of incident. But the underlying principle won't change: AI safety in CS is about decisions that take thirty seconds and have career-defining consequences.

The CSMs who get fired in this category are not the ones who thought hard about the trade-offs and made bad calls. They're the ones who never thought of the decisions as decisions in the first place. The forty seconds to paste, the two minutes of de-identification skipped, the Chrome extension installed without asking. The rules are the discipline that turns those moments back into decisions.

What's next

The Decision Matrix told you what role AI should play in each task. The Prompt Library gave you working prompts for the safe quadrants. These eight rules are the safety floor underneath both — the discipline that keeps Automate from drifting into Augment, keeps Augment from drifting into Inform-without-review, and keeps Leave Alone genuinely off-limits.

The next piece, Four CS Copilots, Tested Against a Real Renewal Quarter, applies all three to a real evaluation. The scorecard's dimensions include this framework's data-hygiene rules directly. The verdict on each tool turns on whether it respects them.


Print the AI Safety Reference Card — print it, keep it next to your monitor.