Why we’re not training on your data

<aside> 💡

Founder note: Let’s set this straight. We don't train on your data. Why? Because we think it's not a good idea.

The performance of our assistants come from a clean knowledge base that AI models look into to provide you with a great answer. Training on user conversations could make this worse. More data risks degrading performance.

We don't want to deal with the headache that comes from potentially training AI on sensitive information (if it was shared). As a "calm" company, we decided our AIs aren't trained on any conversation. Read related post.

</aside>

At ISMS Copilot, we often get asked why we don't automatically learn from user conversations to improve our AI assistants. The answer might surprise you: it's a deliberate choice that puts quality and trust first. I made a post on this here.

Here's the thing about building AI for security compliance: it's really easy to get it wrong. Not just a little wrong. Completely wrong. While it might seem intuitive that more data equals better performance, the reality is more nuanced, especially in the compliance domain.

Why We Take a Controlled Approach

Quality Over Quantity. Instead of automatically absorbing every conversation, we focus on carefully curated, high-quality datasets. This ensures our guidance remains accurate and aligned with current standards and best practices.
Protection Against Misinformation. Automatic learning from user conversations could make our assistants vulnerable to incorrect information. One wrong input could cascade into misguided advice for future users – something we can't risk when dealing with security compliance.
Respecting Privacy and IP. We believe your conversations, company-specific implementations, and intellectual property belong to you. By not training on user data, we ensure that your sensitive information stays yours, and other users won't inadvertently benefit from your proprietary approaches.

Our Improvement Process

Instead of automatic learning, we:

Manually review and validate any potential improvements
Focus on conceptual corrections (like fixing a control reference)
Exclude personal, confidential, or company-specific information
Only incorporate anonymized, generalizable insights

This careful approach means our improvements are: