b"We divide third-party managed tools into four broad categories (public, consumer, business, and enterprise), but we acknowledge that specific GAI tools may not fit neatly within one category. The takeaway is that tools alignedwithpublicandconsumer-alignedsafeguardsarelesslikelytobeappropriateforprocessing confidential or sensitive personal information, and tools aligned with the business or enterprise safeguards are preferable. Table 2: Classification of GAI Tools by SafeguardsWerecommendlawyersfocusontechnicalfundamentalsoverbroadlabels.Don'tmakesecurity assumptions based on whether a GAI tool is licensed as a free or paid version or is marketed as a consumer or business version. For example, you might find a GAI tool that allows model training by default (making it more aligned with the consumer-level safeguards in Table 2) but also allows users to opt-out of model training (changing it to be more aligned with the business-level safeguards in Table 2). It is the actual safeguards, and not the marketing label, that matter most when protecting client information.(1) Authentication Authentication refers to the security measures that protect the login process for a third-party managed GAI tool. As illustrated in Table 2, a public GAI tool typically provides no controls (for example, the public version of ChatGPT can be used by anyone with an internet connection and does not require creating an account or logging in). Consumer-aligned tools typically allow users to create individual accounts but may lack advanced protectionssuchasmulti-factorauthentication.Business-alignedtoolsshouldrequiremulti-factor authentication,whileenterprise-alignedtoolsusuallyoffermoresophisticatedaccount-management capabilities, such as single sign-on (SSO).Page | 13"