AI file‑upload risks for vendors
A post warned that AI products with file‑upload features (for example, Grok) can expose uploaded data in logs or reports, and urged stronger vendor‑risk modelling and hygiene when assessing cloud AI tools. That risk is directly relevant to compliance teams signing data‑handling attestations or reviewing third‑party security evidence.
Forbes reported (techcrunch.com) that more than 370,000 Grok chat transcripts were indexed by search engines in August 2025, and the indexed pages included user‑uploaded photos, spreadsheets and other documents. The UK Information Commissioner’s Office announced a formal investigation on February 3, 2026 into X Internet Unlimited Company (XIUC) and X.AI over Grok’s data handling and harmful content risks. (ico.org.uk)

Menlo Security’s DLP research found an 80% rise in attempted file uploads to GenAI sites between July and December 2023 and reported that 55% of GenAI DLP events involved PII, with a 26% uptick in policies restricting GenAI access. (scworld.com)

Netskope published a vendor‑specific control walkthrough showing how customers can block Grok file uploads via SWG/CASB rules, while Microsoft’s Purview documentation and recent updates describe DLP policies that block Copilot from processing sensitivity‑labeled files and add inline file‑upload protections in Edge for Business. (community.netskope.com)

NIST’s AI Risk Management Framework (AI RMF 1.0) and its Generative AI Profile are now cited by vendors and consultancies as the baseline for third‑party AI risk questionnaires, with practitioners recommending vendor attestations mapped to the AI RMF during procurement. (nist.gov)

Vendor‑due‑diligence templates from Vanta and Venminder list concrete questions on model training, retention, human access to uploads, and incident notification that procurement teams are adding to SOC‑2/ISO evidence requests; vendors are increasingly asked to produce model cards and deletion timelines. (vanta.com)

Law firm guidance from Debevoise notes immediate containment steps after an accidental upload — identify data types, confirm whether the provider trains on user data (Anthropic generally does not by default), and follow the provider’s deletion procedures — and recommends contractual clauses requiring deletion and breach notification SLAs. (debevoisedatablog.com)