Know what opting out does and does not do
Opting out of AI training tells a model provider not to use your prompts and outputs to improve their models. It is worth doing, but it is a setting, not a control. A toggle buried in a vendor settings page depends on every user finding it, every account being on the right tier, and the provider honoring it. It also does nothing about data that should never have been sent in the first place. Treat opt-out as one layer, and enforce the rest at the point where prompts leave your boundary.
Step 1: Move to a tier that excludes training by default
Consumer tiers of most AI tools may use your inputs to train unless you opt out, and the opt-out can be per account. Business and enterprise tiers usually exclude training by default and put it in the contract. Inventory which tools your teams use and which account tier each person is on. Move sanctioned use onto a tier where training exclusion is the default rather than a checkbox each user has to find and keep enabled.
Step 2: Get the exclusion in writing
Confirm the training exclusion in the agreement, not only in a settings screen. Look for a data processing agreement or terms that state your inputs and outputs are not used for model training, name the retention period, and describe deletion. A contractual exclusion is enforceable and auditable. A UI toggle is neither in a way a regulator will accept. Keep the signed terms with your compliance records so you can show the basis for the claim.
Step 3: Turn off any per-user training settings
Even on the right tier, some tools expose a per-user or per-workspace training option. Set it to excluded centrally where the admin console allows, and verify it for existing accounts rather than assuming the default applied retroactively. Removing the choice from individual users closes the gap where one person leaves training on and quietly feeds data back to the provider.
Step 4: Enforce it at the gateway
Settings and contracts assume the data should reach the model at all. The stronger control is to make sure no sensitive prompt reaches a training-eligible endpoint in the first place. Route requests only to endpoints with training excluded, and redact personal data and secrets before any prompt leaves your boundary. Enforced at a gateway every request passes through, this does not rely on each user staying on the right tier or the provider honoring a toggle. The sensitive data simply never travels to a place where training could touch it.
Step 5: Log and verify
Keep a record of which endpoints requests were routed to and what was redacted, so you can show that sensitive prompts went only to training-excluded destinations. Periodically re-check tiers and agreements, since vendors change terms. The audit trail turns opt-out from a claim into evidence: you can demonstrate, per request, where data went and that training-eligible endpoints did not receive sensitive content.
How Difinity helps
Difinity enforces this at the gateway. Secure Chat routes requests to approved, training-excluded endpoints, redacts sensitive data before it leaves your boundary, and logs every interaction for audit, with full observability. Opt-out stops being a toggle each user has to maintain and becomes an enforced control your team gets from the first message, in one governed tool they adopt in minutes.
Frequently asked questions
How do I opt out of AI training?
Move sanctioned use to a business or enterprise tier that excludes training by default, get the exclusion in the agreement, turn off any per-user training settings, and enforce routing to training-excluded endpoints at a gateway so sensitive prompts never reach a training-eligible model.
Is a settings toggle enough to opt out of training?
It helps but is not sufficient. A toggle depends on every user finding and keeping it on and the provider honoring it. A contractual exclusion plus gateway enforcement is auditable and does not rely on individual settings.
Can I prove our data is not used for training?
Yes, with the right layers: a signed exclusion in the agreement plus a gateway audit trail showing which endpoints requests went to and what was redacted, demonstrating sensitive prompts reached only training-excluded destinations.