The Three Moments That Matter

Security habits don't need to be elaborate. Three specific moments account for most of the practical value. None of them are complicated. All of them, applied consistently, represent the difference between security-aware AI use and the default.

The pause before sharing is the first moment. Before you put any data into an AI tool, before you paste it into a prompt, before you upload a file — a two-second check. Does this belong here? Is this data I'm comfortable with this tool processing? Have I anonymized or redacted what I need to redact? This isn't about never using AI tools. It's about the moment of recognition that some data has different rules, and the choice of whether to follow those rules.

The verification step for unexpected requests is the second moment. Before you act on any urgent or unusual request — via email, message, chat, or phone — verify independently. Call the number you know for the organization, don't use the number in the email. Check in on a secure channel if someone says they need urgent access. Ask the person in person if the request sounds suspicious. This is the same verification principle that worked before AI existed, and it still works. The requests may be more convincing now — that's the only thing that's changed.

The question before building or using something new is the third moment. Before you enable a new AI feature, before you automate something with an agent, before you build a new AI workflow — what access does this need? What data does it process? What could go wrong? This is the agentic risk thinking from Module 3, applied to your own situation. It takes maybe a minute. It prevents most of the worst outcomes.

These three moments, applied consistently over time, become automatic. That's the goal. Not a checklist you consciously run through every time, but a series of reflexes that are the default.