A controlled study investigating data security in leading artificial intelligence platforms has found no evidence that sensitive information entered by users is retained or leaked to other users. The research, conducted by Search Atlas, examined six major large language models—OpenAI, Gemini, Perplexity, Grok, Copilot, and Google AI Mode—through experiments designed to replicate worst-case data exposure scenarios.
The findings provide significant reassurance for businesses and privacy-conscious individuals concerned about the confidentiality of proprietary information shared with AI tools. Across all platforms evaluated, researchers discovered a complete absence of data leakage concerning user-provided sensitive information. The comprehensive study can be accessed at https://searchatlas.com.
The first experiment investigated whether AI models would reproduce private information after being exposed to it. Researchers constructed 30 question-and-answer pairs without any public information, search indexing, online references, or presence in known training data. Each model underwent a three-step process where questions were posed without context, correct answers were subsequently provided, and then the same questions were asked again to determine if models would repeat the newly introduced information.
Across all six platforms, none produced a single correct answer after exposure. Models that initially declined to respond continued to do so, while those that tended to hallucinate answers persisted in generating incorrect responses rather than repeating the injected facts. This setup simulated a worst-case scenario in which a user inputs proprietary or sensitive information into an AI system, with no evidence that the information was retained for future responses.
The experiment revealed behavioral variations across platforms. Models from OpenAI, Perplexity, and Grok exhibited a tendency to respond with uncertainty when reliable information was lacking, leading to more frequent "I don't know" responses. In contrast, Gemini, Copilot, and Google AI Mode were more inclined to generate confident yet incorrect answers. Nevertheless, none of these incorrect responses matched the previously provided private information.
The second experiment assessed whether information retrieved via live web search would remain and reappear in a model's responses once search access was turned off. Researchers chose a real-world event that took place after the training cutoff of all models evaluated, ensuring that any correct answers during the experiment could only originate from live web retrieval.
When search was enabled, models answered the vast majority of questions correctly. However, once search was immediately disabled and the same questions were posed again, those correct answers largely disappeared. The only questions that models could still answer correctly without search were those whose answers could reasonably be inferred from pre-existing training data or general knowledge, rather than from information retrieved moments earlier.
One of the study's most practical conclusions is the clear distinction between hallucination and data leakage. The platforms that exhibited lower accuracy were Gemini, Copilot, and Google AI Mode, and they did not do so by repeating information they had previously received. Instead, their errors stemmed from generating confident, plausible-sounding answers that were simply incorrect. OpenAI and Perplexity showed the lowest levels of hallucination.
This distinction is significant when assessing AI risk. A prevalent concern is that an AI system might expose sensitive information from one user to another. In this study, researchers found no evidence supporting that scenario. The more consistently observed issue was hallucination, where models fill knowledge gaps with fabricated facts. While this does not involve sharing private information, it introduces a different challenge: individuals and organizations must ensure AI-generated responses are reviewed and verified, especially in contexts where accuracy is paramount.
For businesses and privacy-conscious users, the findings provide reassuring news. If sensitive information is shared with an AI model during a single session, such as proprietary business strategies or private details, the model does not seem to absorb that information into a lasting memory that could be revealed to other users. Instead, the data acts more like temporary "working memory" utilized to generate a response within that interaction.
For developers and AI builders, the study emphasizes the importance of retrieval-based systems. Strategies such as Retrieval-Augmented Generation, which connect models to live databases or search systems, remain the most dependable way to ensure AI responses are accurate for current events, proprietary information, or frequently updated data. Without retrieval, the model lacks a built-in mechanism to retain facts discovered during earlier interactions.
Manick Bhan, Founder of Search Atlas, stated that much concern surrounding enterprise AI adoption stems from a reasonable but untested assumption that sensitive information input into these systems will somehow be leaked. The research aimed to rigorously test that assumption under controlled conditions rather than speculate. Across every platform assessed, the data did not support it. While this does not imply that AI is risk-free—hallucination remains a genuine and documented issue—the specific fear that data may be leaked to another user is not something researchers found evidence for.
