Artificial intelligence can save a board secretary hours on the minutes and help a deal team find a needle in a data room. It can also, if the plumbing is wrong, quietly send your most confidential documents somewhere you never intended. For governance and M&A, that trade-off is unacceptable, so Admincontrol built its AI to remove it.
Admincontrol's AI features are optional and consent-based. When you switch them on, they run in a dedicated, physically isolated environment in Microsoft Azure's EU regions. Under an approved exemption from the cloud provider's abuse-monitoring programme, your content is not retained or reviewed by the provider, and neither the underlying models nor your data are accessible to third parties. Your data does not leave the EU, and every AI action is designed to be labelled, auditable and under human control. This is the same architecture across the Admincontrol suite, from Admincontrol Board Portal to Admincontrol Data Room.
- Admincontrol AI is optional and consent-based, and runs in a physically isolated environment in the EU, separated from the public internet.
- Under an approved exemption from the provider's abuse-monitoring programme, your content is not retained or reviewed, and your data is never used to train third-party models.
- AI is designed in line with the ISO/IEC 42001 AI management standard and EU AI Act principles: consent-based activation, human oversight, clear labelling and full auditability.
- A two-database design keeps sensitive content and AI processing on separate infrastructure, with no public IP address, connected only over Microsoft's private network.
Does AI train on your confidential data?
With many consumer AI tools, the uncomfortable answer is that it might. The content you type or upload can be eligible to improve the provider's models, retained on the provider's systems, and in some cases reviewed by people. For a private board discussion or a live acquisition, that is a serious problem hiding behind a helpful interface.
Admincontrol's answer is unambiguous. Your content is never used to train third-party models. When an AI feature runs, only the specific content required for that action is processed, inside an isolated environment, and the result is returned to you. Nothing about that flow is designed to enrich someone else's model or to sit on someone else's servers.
What can go wrong with mainstream AI tools?
The risk is not hypothetical. A few widely reported examples make it concrete.
In 2023, engineers at Samsung's semiconductor division pasted confidential source code and an internal meeting recording into ChatGPT in three separate incidents within about three weeks. Because the tool's default settings at the time allowed conversations to be used for training, the data was effectively unrecoverable. Samsung restricted the tool and soon banned external generative AI on company devices.
In 2024, the US National Archives blocked ChatGPT on agency computers, warning staff that AI services often retain input data for further training, and that proprietary and personal information was increasingly turning up as a result.
And in 2025, a US court ordered OpenAI to preserve and segregate output data that would otherwise have been deleted, including deleted and temporary chats, as part of litigation. Business and enterprise tiers with zero-data-retention terms were carved out, but the episode showed something important: with mainstream tools, even content you thought you had deleted can be compelled into retention by forces outside your control.
Each of these stories points to the same lesson. The safety of AI depends less on the model and more on the architecture around it: what is retained, who can see it, and whether your data ever leaves your control. It is the same principle that governs any use of AI in a corporate setting.
How Admincontrol isolates AI: a two-database architecture
Admincontrol's design starts from a single principle: sensitive content should never sit on the public internet, and should never share an environment with AI processing.
To achieve this, the platform uses two separate databases on separate infrastructure, connected only by a private Microsoft link. A source content database holds the sensitive material: board content, deal documents, transaction records and user permissions. A separate AI processing database handles the AI work: the processing queue, tokenised data, model outputs and a temporary cache. Neither database has a public IP address, and neither can be reached from the internet.
When you trigger an AI action, the flow is tightly controlled. The required content is retrieved from the source database over a private connection. It is tokenised and encrypted before it leaves the source environment. It travels to the isolated AI environment through a private endpoint over Microsoft's private backbone, never the public internet. The AI environment processes the request in isolation, and the response returns along the same private path. Data in transit is protected with TLS 1.3, data at rest with AES-256, and the whole path is monitored with Azure Monitor and Microsoft Defender.
Why the provider cannot see your data
Running AI in a cloud environment usually raises an obvious question: can the cloud provider itself see the content? For Admincontrol, the answer is no, for several compounding reasons.
The data is encrypted, and the provider has no access to the customer keys. The environment is isolated, with no public access. And, crucially, Admincontrol operates under an approved exemption from the provider's abuse-monitoring programme. In a standard configuration, a provider may retain and review prompts and outputs to police misuse. Under the exemption, that retention and human review do not apply to Admincontrol's traffic, so your content is neither stored nor read by the provider, and neither the models nor your data are accessible to third parties.
This is the difference between trusting a policy and trusting an architecture. The exemption, combined with encryption and isolation, means confidentiality does not rely on a promise that data will be ignored. It is built so that the data is not exposed in the first place. The same protections apply whether you are drafting minutes in the Board Portal or running due diligence in the Virtual Data Room.
AI you can actually govern
For regulated organisations, capability is not enough. You have to be able to prove how the technology behaves. Admincontrol's AI is designed in line with the ISO/IEC 42001 AI management system standard and with the principles of the EU AI Act. In practice, that means four commitments: AI is activated only with consent, a human stays in the loop, AI outputs are clearly labelled, and actions are fully auditable.
We are deliberately precise about this wording. Admincontrol's AI is designed in line with these frameworks, which is a meaningful commitment to responsible design, and we do not claim a certification we do not hold. The EU AI Act itself is arriving in phases, with transparency obligations that require people to be told when they are interacting with AI, which is exactly the labelling Admincontrol builds in. For a board or a deal team, this is what lets you adopt AI, including on live M&A transactions, without creating a new compliance headache.
Frequently asked questions
No. Your content is never used to train third-party models. AI features process only the content required for a specific action, inside an isolated EU environment.
No. Data is encrypted with no provider access to your keys, and Admincontrol operates under an approved exemption from the provider's abuse-monitoring programme, so content is neither retained nor reviewed.
No. AI processing takes place in Azure's EU regions, with private network connectivity kept within the EU.
Admincontrol's AI is designed in line with EU AI Act principles and the ISO/IEC 42001 standard, including consent-based activation, human oversight, clear labelling and full auditability.
The same secure AI architecture applies across the Admincontrol suite, including the Board Portal and the Virtual Data Room.
AI is only an asset if you can trust it with your most sensitive information. Admincontrol's approach, which combines consent-based activation, physical isolation, an approved provider exemption, EU data residency and governance designed in line with ISO/IEC 42001 and the EU AI Act, is built so that trust is a property of the system, not a leap of faith. See how Admincontrol brings secure AI to board management and M&A.