Construction 101 Plans: AI Training Data Risk in 2026

Featured image for Your Flight Plans Are Training Data

Why "Flight Plans" Is the Right Word

A flight plan is the single source of truth for everyone involved in a flight. Pilot, dispatcher, controller, regulator, insurer— all of them working from the same signed document. Construction plans serve the same function for a different industry. They are the firm's intellectual core and the legal instrument that binds every signer to it.

Aviation built an entire safety culture around the idea that the plan is the plan. You don't fly off a different one. You don't share it with people who aren't part of the operation. When something goes wrong, the plan is what gets read in the room.

Construction plans were designed under that same discipline— signed, sealed, version-controlled, regulated. AI tools were not. Most of them were built for general consumer use, and their data practices reflect that origin.

Once plans leave the firm's perimeter, they don't come back. Aviation built an entire safety culture around that fact. Construction is about to need one too.

What the Defaults Actually Say in 2026

Consumer-tier AI tools train on your inputs by default. Enterprise-tier tools do not. The line between them is contractual, not technical— and it shifted significantly in 2025 when Anthropic changed its consumer terms.

Three vendors matter most for the firms reading this. Here's what each one's own disclosure pages say right now.

OpenAI: ChatGPT Free vs. Plus vs. Enterprise

ChatGPT Enterprise, Business, Edu, Healthcare, Teachers, and the API platform do not use customer data for training by default.1 ChatGPT Free and ChatGPT Plus do— unless the user opts out in Data Controls. Zero Data Retention (ZDR), which means OpenAI keeps no record of the inputs after the response, is available only under an Enterprise agreement.

Paid Plus is consumer. That is the most common point of confusion in the firms I've talked to. A monthly subscription does not buy you the contractual protections. Enterprise does.

Anthropic: The September 28, 2025 Consumer Change

On September 28, 2025, Anthropic began training on consumer Claude chats by default and extended data retention to five years.2 This applies to Free, Pro, Max, and Claude Code plans. Users have to opt out. The change was announced August 28, 2025 and took effect a month later.

Claude for Work, Team, Enterprise, Government, Education, and the API are excluded under Commercial Terms.3 Those tiers continue to operate under the prior data practice.

The point isn't that Anthropic did something wrong. The point is that vendor defaults shift. A policy your firm relied on in August was different by the end of September. This is the operating reality— firms need to monitor, not assume.

Bluebeam: The Transparency Paradox

Bluebeam states clearly that it does not use customer data to train AI models.4 And Bluebeam Max's AI features, when enabled, share prompts, PDF text, markup data, and Studio file metadata with the connected third-party LLM client. Bluebeam itself flags that users must verify the LLM client's terms separately, because those policies vary.

Bluebeam is being honest about this on their AI Transparency page. That's exactly why it's worth naming clearly. The downstream LLM's terms govern the downstream use. A firm authorizing Bluebeam Max for confidential project work has to read two sets of terms, not one.

Vendor Defaults at a Glance

ToolTierTrains on User Data?RetentionNotes
ChatGPTFree / PlusYes, by defaultVariableUser must opt out in Data Controls
ChatGPTEnterprise / Team / Business / Edu / APINo, by defaultConfigurable (ZDR available on Enterprise)The contractual tier
ClaudeFree / Pro / Max / Claude CodeYes, by default (as of Sept 28, 2025)5 yearsMust opt out
ClaudeWork / Team / Enterprise / Gov / Edu / APINoPer Commercial TermsExcluded from Sept 2025 change
Bluebeam MaxAll tiers (AI features)Bluebeam: No / Third-party LLM: depends on LLMVaries by LLMModel Context Protocol (MCP) passes data to downstream LLM whose terms govern

Harmonic Security analyzed 22.4 million enterprise GenAI prompts in 2025; 87% of sensitive-data exposures specifically occurred via ChatGPT Free.5 That figure tells you which tier is doing most of the leaking.

The Samsung Lesson (Twenty Days)

In March 2023, Samsung engineers pasted proprietary source code and confidential meeting transcripts into ChatGPT on three separate occasions within twenty days.6 Samsung banned generative AI tools company-wide a month later. The submitted data could not be recalled.

What leaked: internal semiconductor source code, defect-detection algorithms, and meeting notes from one of the most technically sophisticated organizations on the planet. The engineers weren't malicious. They were senior. They were trying to get work done faster.

Three incidents in twenty days. The organization was sophisticated, the engineers were senior, no one was malicious. The data was gone.

Samsung's lesson isn't that AI tools are dangerous. It's that defaults plus deadlines plus a paste field is a complete IP loss vector— and it takes less than a month. AEC firms operate at less internal-security maturity than Samsung's semiconductor division, not more. The mechanism transfers cleanly.

What Shadow AI Costs (The Cross-Industry Numbers)

IBM's 2025 Cost of a Data Breach Report found that organizations with high shadow AI use paid an average of $670,000 more per breach than the global average.7 97% of organizations that experienced an AI-related breach lacked proper AI access controls.8

The rest of the IBM 2025 picture:

  • 63% of surveyed organizations have no AI governance policy in place.9
  • Only 17% have technical controls capable of preventing employees from uploading confidential data to public AI tools.10
  • Shadow AI is now a top-three breach factor.7

These numbers are cross-industry. No AEC-specific shadow AI breach cost dataset exists yet. The cross-industry data is the floor, not the ceiling. AEC firms operate at less mature shadow-AI controls than the cross-industry average, not more.

What we do have on AEC specifically: only 27% of AEC firms currently use AI for automation, problem-solving, or decision-making.11 Data-sharing security is the top integration challenge those firms cite, at 42%.12 Which means the firms not yet adopting AI are blocked by exactly the question this article is about.

The 27% figure comes from a single Bluebeam-funded survey of more than 1,000 AEC technology decision-makers across the US, UK, France, Germany, and Australia.13 Worth knowing the source on that one. It's one data point, well-collected, and the only one currently published at that scope.

What "Construction 101" Should Now Include

Four moves define the new baseline: tier discipline, a written usage policy, contractor governance, and vendor diligence. Each is a partners' meeting agenda item— not a year-long initiative. The AIA published its own version of this baseline in 2025.

1. Tier discipline. Only enterprise-tier tools touch project data. Paid Plus is still consumer. Verify each tool your firm authorizes against its current Enterprise Privacy or Commercial Terms page— not the sales deck. Maintain a written approved-tool register, and put one principal's name next to it.

2. A written AI usage policy. Short. Reviewed annually. Enforced. The AIA's "Guidance for the Responsible Use of AI by Architecture and Design Firms" is the starting frame; firms tailor from there.14 Our AI governance strategy framework walks through what to include for a mid-market firm.

3. Contractor and subcontractor governance. A firm using ChatGPT Enterprise internally is still exposed if its sub-K consultant uses ChatGPT Free for the same project. Sub-K agreements should address AI input restrictions in language as specific as your confidentiality clauses already are. Your insurance broker may already be asking.

4. Vendor diligence. Read each AI vendor's transparency page, not the marketing page. Where a tool pipes data to a downstream LLM— Bluebeam Max via MCP, and similar features in other platforms— the downstream LLM's terms govern. Make verification the procurement team's job, and use a consistent AI decision framework for founders so the same questions get asked every time.

The AIA AI Task Force is the profession's version of this conversation.14 The 2025 AIA Annual Business Meeting also adopted an AI Policy Resolution covering usage policies, an ethical framework, and integration of AI into the next AIA Five-Year Strategic Plan.15 The profession is having this conversation. Your firm should be at that table.

The way out of shadow AI isn't to ban it. Samsung tried that. The way out is governance built on what your defaults actually say.

Frequently Asked Questions

Does ChatGPT train on my construction plans?

If your staff use ChatGPT Free or Plus, yes— by default— unless they have opted out in Data Controls.1 ChatGPT Enterprise, Business, Team, Edu, Healthcare, Teachers, and the API platform do not use customer data for training. The line between consumer and enterprise is contractual. Paid Plus is consumer.

Did Anthropic change its data policy in 2025?

Yes. On September 28, 2025, Anthropic began using new chats from consumer Claude users (Free, Pro, Max, and Claude Code) for model training by default, with retention extended to five years unless users opt out.2 Claude for Work, Team, Enterprise, Government, Education, and API tiers are excluded under Commercial Terms.3

Is Bluebeam Max safe to use on confidential project data?

Bluebeam states it does not train AI models on customer data.4 When Bluebeam Max's AI features are enabled, Bluebeam shares prompts, PDF text, markup data, and Studio file metadata with the connected third-party LLM client— whose terms govern downstream use. Verify the LLM client's terms before authorizing the feature on confidential work.

What is shadow AI in construction firms?

Shadow AI is the use of AI tools— typically free or consumer accounts on personal devices— outside the firm's approved technology stack. IBM's 2025 Cost of a Data Breach Report identifies it as a top-three costliest breach factor, adding an average of $670,000 per incident.7 63% of surveyed organizations have no AI governance policy at all.9

What is the AIA AI Task Force?

The American Institute of Architects established its AI Task Force to address the opportunities and challenges of AI in architecture.14 The Task Force published "Guidance for the Responsible Use of AI by Architecture and Design Firms," covering professional responsibility, data governance, privacy, and intellectual property. The 2025 AIA Annual Business Meeting also adopted an AI Policy Resolution covering AI usage policies, an ethical framework, and integration into the next AIA Five-Year Strategic Plan.15

Both Are True

AI is real leverage for AEC firms. Bluebeam's 2025 data shows 68% of early adopters saving at least $50,000 and 46% reclaiming 500 to 1,000 hours through AI use.16 The same Bluebeam data shows that data-sharing security is the top barrier preventing the other 73% from getting there.12 Both halves are true.

The firms that will capture AI's leverage are the ones that govern it like a flight plan. Signed responsibility. Version control. A single source of truth for what's allowed. Move closer to the work, not further from it.

If translating these defaults into a firm-wide policy feels like the kind of thing that should already be on next quarter's partners' meeting agenda, that's the work Dan Cumberland Labs does with mid-market AEC firms— often through AI strategy services for established firms, sometimes through a fractional AI officer role, and sometimes as a single strategy audit that gives partners the language to make the call themselves. The 27% of AEC firms already adopting AI are demonstrating what's possible; the question for the rest is governance, not whether. See measuring AI ROI for adopters for the numbers the early adopters are tracking.

Construction 101 used to mean reading a section view. It still does. It also means knowing where your plans go when they touch AI. Both are true. All of it matters.

References

  1. OpenAI, "Enterprise privacy at OpenAI" (2025) — https://openai.com/enterprise-privacy/
  2. Anthropic, "Updates to Consumer Terms and Privacy Policy" (2025) — https://www.anthropic.com/news/updates-to-our-consumer-terms
  3. Anthropic, "Updates to Consumer Terms and Privacy Policy" (2025) — https://www.anthropic.com/news/updates-to-our-consumer-terms
  4. Bluebeam, "AI Transparency" (2025) — https://www.bluebeam.com/company/ai-transparency/
  5. Harmonic Security, "What 22 Million Enterprise AI Prompts Reveal About Shadow AI in 2025" (2026) — https://www.harmonic.security/resources/what-22-million-enterprise-ai-prompts-reveal-about-shadow-ai-in-2025
  6. AI Incident Database, "Incident 768: ChatGPT Implicated in Samsung Data Leak of Source Code and Meeting Notes" (2023) — https://incidentdatabase.ai/cite/768/
  7. IBM Security / Ponemon Institute, "2025 Cost of a Data Breach Report: Navigating the AI rush without sidelining security" (2025) — https://www.ibm.com/think/x-force/2025-cost-of-a-data-breach-navigating-ai
  8. IBM Security, "IBM Report: 13% Of Organizations Reported Breaches Of AI Models Or Applications, 97% Of Which Reported Lacking Proper AI Access Controls" (2025) — https://newsroom.ibm.com/2025-07-30-ibm-report-13-of-organizations-reported-breaches-of-ai-models-or-applications,-97-of-which-reported-lacking-proper-ai-access-controls
  9. IBM Security / Ponemon Institute, "2025 Cost of a Data Breach Report: Navigating the AI rush without sidelining security" (2025) — https://www.ibm.com/think/x-force/2025-cost-of-a-data-breach-navigating-ai
  10. IBM Security / Ponemon Institute, "2025 Cost of a Data Breach Report: Navigating the AI rush without sidelining security" (2025) — https://www.ibm.com/think/x-force/2025-cost-of-a-data-breach-navigating-ai
  11. Bluebeam (Nemetschek Group), "New Bluebeam Report Shows Early AI Adopters in AEC Seeing Significant ROI Despite Uneven Adoption" (2025) — https://press.bluebeam.com/2025/10/new-bluebeam-report-shows-early-ai-adopters-in-aec-seeing-significant-roi-despite-uneven-adoption/
  12. Bluebeam (Nemetschek Group), "New Bluebeam Report Shows Early AI Adopters in AEC Seeing Significant ROI Despite Uneven Adoption" (2025) — https://press.bluebeam.com/2025/10/new-bluebeam-report-shows-early-ai-adopters-in-aec-seeing-significant-roi-despite-uneven-adoption/
  13. Bluebeam (Nemetschek Group), "New Bluebeam Report Shows Early AI Adopters in AEC Seeing Significant ROI Despite Uneven Adoption" (2025) — https://press.bluebeam.com/2025/10/new-bluebeam-report-shows-early-ai-adopters-in-aec-seeing-significant-roi-despite-uneven-adoption/
  14. American Institute of Architects, "AI Task Force" (2025) — https://www.aia.org/resource-center/ai-task-force
  15. American Institute of Architects, "2025 Annual Business Meeting addresses AI usage in architecture, Fellowship qualifications" (2025) — https://www.aia.org/article/2025-annual-business-meeting-addresses-ai-usage-architecture-fellowship-qualifications
  16. Bluebeam (Nemetschek Group), "New Bluebeam Report Shows Early AI Adopters in AEC Seeing Significant ROI Despite Uneven Adoption" (2025) — https://press.bluebeam.com/2025/10/new-bluebeam-report-shows-early-ai-adopters-in-aec-seeing-significant-roi-despite-uneven-adoption/
Dan Cumberland

Dan Cumberland

Dan Cumberland has spent his career at the intersection of technology and human behavior. With an MA in psychology, a background in software development, and six companies built (two exits), he was building AI systems years before ChatGPT made them mainstream. Through Dan Cumberland Labs, he helps engineering firms, construction companies, and professional services leaders implement AI that makes their teams more effective—not less necessary. Through his newsletter and other writings, he is read by millions, including leaders at firms like Google, Microsoft, and Amazon.

AI Strategy

Our blog

Latest blog posts

Tool and strategies modern teams need to help their companies grow.

View all posts