89% of buyers want AI in consulting. 57% are terrified of what happens to their data.
That tension defines the market right now. Enterprise buyers know they need consulting partners who use AI. They also know that every AI tool is a potential data leak, every prompt a possible training input, every generated artifact a question mark for IP ownership. The question that matters is a concrete one: "Where does my data go when you use Claude on my codebase?"
The fear isn't theoretical. In 2025, Deloitte delivered a $290,000 report to the Australian government stuffed with fabricated AI citations. A month later, a $1.6 million healthcare report for a Canadian province contained fake academic references. Both incidents triggered government investigations. Neither report disclosed AI usage upfront.
We think there's a better way to operate. Be honest about using AI. Be specific about how you protect client data. Put the commitments in the contract, not the marketing copy. And then actually follow through.
Five rules. No exceptions. No asterisks.
These aren't aspirational principles. They're operational rules encoded into our contracts, our toolchain configuration, and our delivery process. If we violate them, you'll know, because we put the verification mechanisms in your hands.
Your data never trains a model
Every AI tool we use runs on enterprise or API tiers with contractual guarantees that client data is excluded from model training. No exceptions. No "opt-out" that someone forgot to check. The exclusion is baked into the commercial agreement between us and every provider.
Enterprise tiers only. Always.
Consumer AI subscriptions are prohibited for all client work. Not discouraged. Prohibited. The data protections that matter (training exclusion, data retention limits, SOC 2 compliance, and IP indemnification) only exist at the enterprise level. That's where we operate.
Every deliverable is human-reviewed
AI generates. Humans validate. Every piece of work that reaches you has been reviewed by a senior Conductor who verified the accuracy, checked the reasoning, and confirmed alignment with your requirements. No AI output ships without human judgment applied to it.
Full tool transparency in every contract
Your engagement letter will specify exactly which AI tools we'll use and how. If we add a new tool to the stack, you'll know before it touches your data. You always have the right to approve or restrict specific tools for your engagement.
You can opt out. No penalty.
Every contract includes an AI opt-out mechanism for any workstream or the entire engagement. We'll be upfront about how it affects timelines and cost. But the choice is yours, and we respect it without argument.
Every tool we use. Every protection that comes with it.
Transparency means naming names. Here are the AI providers we use for client work, the tiers we operate on, and the specific data commitments each one provides. If a provider changes their terms, we evaluate the impact and notify affected clients.
Anthropic: Enterprise / API
OpenAI: Enterprise / API
GitHub Copilot: Business / Enterprise
Local Models: Self-hosted
We maintain a model-agnostic architecture and deploy internal gateways for switchover if necessary. If a primary provider experiences an outage or a security incident, we route to alternatives automatically. If a provider changes their data handling terms, we evaluate the impact before any client data flows through updated infrastructure.
What enters AI tools. What never does. Who reviews.
A blanket "we protect your data" statement doesn't help your security team. This table does. It specifies exactly what types of information are eligible for AI-assisted processing, what is categorically excluded, and who is accountable for enforcement.
| Category | What enters AI tools | What never enters AI tools | Who reviews |
|---|---|---|---|
| Source code | Code under active development, with client approval | Production credentials, API keys, and secrets | Senior Conductor |
| Architecture | System diagrams, technical specifications | Client financial data, PII | Senior Conductor |
| Documentation | Technical writing drafts, analysis frameworks | Legal agreements, HR records | Senior Conductor |
| Data analysis | Aggregated/anonymized datasets, with approval | Raw PII, PHI, and financial records | Senior Conductor + domain specialist |
| Client communications | Draft summaries, meeting notes structure | Confidential strategy documents | Senior Conductor |
You choose how much AI touches your work.
Not every engagement needs the same level of AI involvement. We offer three workflow modes, and the choice is always yours. We'll be upfront about the trade-offs so you can make an informed decision.
AI-assisted workflow
AI tools accelerate research, code generation, analysis, and documentation. Every output reviewed by a senior Conductor. Fastest delivery, lowest cost. This is how most engagements run.
Restricted workflow
AI tools limited to specific workstreams you approve. Sensitive code or data handled without AI. Moderate impact on timeline and cost. Common for regulated industries.
No-AI workflow
All work performed without AI tools. Available for engagements where policy or regulation prohibits AI-assisted delivery. Significant impact on timeline and cost. We'll be transparent about the trade-offs.
Principles are easy. Mechanisms are what matter.
Writing a governance policy is easy. The question is whether the systems exist to enforce it. Here's what our data protection looks like in practice, not in a slide deck.
Identity and access management
SSO, MFA, and device management across all team members and contractors. No personal accounts touching client systems. Credential rotation on a defined cadence. When an engineer finishes an engagement, access is revoked during comprehensive offboarding.
Endpoint security
Endpoint security on every machine that touches client work. Full-disk encryption. Remote wipe capability. These aren't optional for team members or contractors. If the endpoint doesn't meet our security baseline, it doesn't touch client data.
AI prompt isolation
Client data sent to AI tools travels through our LiteLLM gateway, which enforces provider routing rules, logs usage for audit trails, and ensures sensitive data only reaches providers whose data handling meets the engagement's requirements.
Audit trails
Complete logs of AI interactions, prompts, and outputs, available for client review on request. If you want to see exactly how AI was used on a specific deliverable, we can show you. Not a summary. The actual record.
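The gateway behaviour described under "AI prompt isolation" and "Audit trails", together with the "never enters AI tools" column of the table above, comes down to three checks on every request: classify the data, refuse anything that looks like a credential, and record the decision. The following is an added illustration of those checks, not Made In Tandem's LiteLLM configuration; the provider names, routing policy, secret patterns and sample prompts are all constructed for the example.

```python
"""Gateway policy check: classification-based routing, a secrets gate and an
audit record per request. Added example; it is not Made In Tandem's LiteLLM
configuration, and every provider name, pattern and policy here is constructed."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed provider catalogue: tier and whether that tier contractually
# excludes customer data from training.
PROVIDERS: Dict[str, dict] = {
    "anthropic-enterprise": {"tier": "enterprise", "no_training": True},
    "openai-enterprise": {"tier": "enterprise", "no_training": True},
    "local-model": {"tier": "self-hosted", "no_training": True},
    "consumer-chat": {"tier": "consumer", "no_training": False},  # never eligible
}

# Constructed engagement policy: which providers each data class may reach.
# "restricted" models the restricted workflow (self-hosted only); "excluded"
# models the "never enters AI tools" column of the table.
ROUTING: Dict[str, List[str]] = {
    "source_code": ["anthropic-enterprise", "openai-enterprise", "local-model"],
    "architecture": ["anthropic-enterprise", "openai-enterprise"],
    "restricted": ["local-model"],
    "excluded": [],
}

# Shapes of material the table says never enters an AI tool. Illustrative,
# not exhaustive: a real gateway would pair this with a dedicated secrets scanner.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*\S{8,}"
    ),
}


@dataclass
class Decision:
    allowed: bool
    provider: Optional[str]
    reason: str
    audit: Dict[str, object] = field(default_factory=dict)


def find_secrets(text: str) -> List[str]:
    """Return the names of every secret pattern that matches the prompt."""
    return [name for name, pat in SECRET_PATTERNS.items() if pat.search(text)]


def eligible_providers(classification: str) -> List[str]:
    """Providers the policy allows for this class, re-checked against the
    catalogue so a consumer or training-enabled tier can never be selected
    even if someone edits ROUTING by mistake."""
    return [
        name for name in ROUTING.get(classification, [])
        if PROVIDERS[name]["tier"] != "consumer" and PROVIDERS[name]["no_training"]
    ]


def route(classification: str, prompt: str, preferred: Optional[str] = None,
          audit_log: Optional[List[dict]] = None) -> Decision:
    """Decide whether a prompt may leave the gateway and to which provider.

    The secrets gate runs before routing, so a prompt carrying a credential is
    refused even for a class that is otherwise eligible."""
    record: Dict[str, object] = {
        "classification": classification,
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
        "prompt": prompt,  # the page keeps full prompts for client review
    }
    if audit_log is not None:
        audit_log.append(record)

    hits = find_secrets(prompt)
    if hits:
        reason = "secret:" + ",".join(hits)
        record.update(allowed=False, provider=None, reason=reason)
        return Decision(False, None, reason, record)

    candidates = eligible_providers(classification)
    if not candidates:
        record.update(allowed=False, provider=None, reason="no_eligible_provider")
        return Decision(False, None, "no_eligible_provider", record)

    # Honour a preferred provider only if policy allows it; otherwise fall back
    # to the first eligible one, which is how a switchover would work.
    provider = preferred if preferred in candidates else candidates[0]
    record.update(allowed=True, provider=provider, reason="ok")
    return Decision(True, provider, "ok", record)


if __name__ == "__main__":
    log: List[dict] = []
    print(route("source_code", "def add(a, b):\n    return a + b\n", audit_log=log))
    print(route("source_code", "AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP", audit_log=log))
    print(route("restricted", "describe this claims schema", "openai-enterprise", log))
    print(len(log), "audit records")
```

The audit record is appended before the decision is made and then updated in place, so a refused request leaves a trace as well as an allowed one; a log that only records successful calls cannot show a client why something was blocked. The consumer tier appears in the catalogue only so that `eligible_providers` can demonstrate refusing it.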
Five-gate quality pipeline
Every piece of AI-generated code passes through security scanning, test validation, quality metrics, performance benchmarks, and deployment readiness checks before a human ever sees it. Details on our How We Work page.
Conductor review on everything
The final gate is always human. A senior Conductor validates accuracy, confirms alignment with requirements, and verifies that all factual claims and recommendations are grounded in real sources. This is the step Deloitte skipped. We don't.
You'll always know how AI contributed to your deliverables.
How AI contributed to your deliverables should never be a mystery. If you're paying for expert analysis and you receive AI-generated text with hallucinated citations, you deserve to know. If AI drafted the initial code and a senior engineer refined it, you deserve to know that too.
Every deliverable we produce includes a clear disclosure of how AI contributed to the work. Not because a regulation requires it (though EU AI Act transparency obligations take effect in August 2026). Because it's the honest thing to do.
Human-authored
Conceived, written, and reviewed entirely by our team. AI may have been used for research or reference, but the work product is original human output.
AI-assisted
AI tools contributed to drafting, code generation, or analysis. A senior Conductor directed the AI, reviewed outputs, and validated the final deliverable.
AI-drafted, human-validated
AI generated the initial draft or codebase. Our Conductor reviewed, refined, tested, and validated the output against requirements and quality standards.
What you'll see on every deliverable
Each report, analysis, code delivery, or recommendation includes: the AI tools used, the nature of AI contribution (research, drafting, code generation, or analysis), the human review process applied, and an attestation that all factual claims were verified by the Conductor who owns the engagement.
What goes in the contract
Every MSA and SOW we sign includes AI-specific provisions. These aren't optional addenda. They're standard terms.
The frameworks behind the commitments.
Governance that lives in a PDF nobody reads is governance in name only. Ours is built into tools, workflows, and contracts. Here's the compliance infrastructure we operate on and are building toward. For how we handle your data more broadly, including the controls we actually run and our honest SOC 2 roadmap, see our security practices.
NIST AI Risk Management Framework
Status: Active
Our operational governance baseline. The framework's four functions (Govern, Map, Measure, and Manage) structure how we identify and mitigate AI-specific risks across every engagement. Adoption of NIST AI RMF provides an affirmative defense under the Colorado AI Act.
Regulatory readiness
Status: Active
We track and prepare for the Colorado AI Act (enforcement pending legislative action in 2026), EU AI Act high-risk provisions (August 2026), and the accelerating wave of state-level AI regulation. Our strategy: comply to the most stringent standard, then map it to each additional jurisdiction.
Questions we hear from CTOs and General Counsel.
Does Made In Tandem use AI when working on client projects?
Yes. We're unapologetically AI-first. AI is structural to our delivery model, not a bolt-on. Every engagement uses AI tools for code generation, analysis, documentation, and quality assurance. We'll also tell you exactly which tools we use, how we use them, and what protections are in place. And every AI-assisted deliverable is reviewed and validated by a senior Conductor before it reaches you.
Will my code or data be used to train AI models?
No. We exclusively use enterprise and API tiers from every AI provider, all of which contractually guarantee that customer data is never used for model training. This applies to Anthropic Claude, OpenAI, GitHub Copilot, and every other tool in our stack. Consumer-tier AI tools are prohibited for all client work. This isn't a setting we toggle; it's a commercial agreement between us and each provider.
What happens if an AI provider has a data breach?
Our model-agnostic architecture means we're never dependent on a single provider. If a provider experiences a security incident, we route to alternatives while we assess the impact. Our contractual language specifies exactly which tools are used and how data is handled, which means a provider incident doesn't become a client retention crisis. We'll communicate promptly and transparently about any incident that could affect your data.
Can you work in regulated industries like healthcare or insurance?
Yes. For healthcare engagements touching PHI, we execute Business Associate Agreements and use HIPAA-compliant AI options (Azure OpenAI, AWS Bedrock, or the OpenAI API with BAA). Insurance and energy clients carry their own regulatory requirements; we meet or exceed the compliance standards our clients operate under.
Who owns the AI-generated code and deliverables?
You do. Our contracts assign all IP to the client upon delivery, including AI-assisted work product. Where available, we use providers that offer IP indemnification (OpenAI's Copyright Shield, Microsoft's Customer Copyright Commitment) to provide additional protection.