General 18 min read

Some Notes Should Never Reach the AI: A Plain-Text Boundary You Decide Once

MMNMNOTE
aiprivacypolicyplain-textdecision-layerowasphallucinationbyoklocal-first

The redact-PII advice and the training-opt-out toggle both answer the same question: what should I do once I have decided to send this note to the AI? The upstream question is missing — which whole notes should never reach the AI at all? The honest answer is a written one. Put it in a plain-text file. Decide once. Re-read it later.

A .ai-policy.md next to your notes is small, ugly, and stubborn. It is also the only artifact that survives both your forgetfulness and your tool's defaults. The redact pass is hygiene1; the vendor-default check is configuration2; the policy file is the decision — the one piece that depends on you and stays on you. The OWASP top-10 for LLMs and a Singapore proof both agree the model will not get this right for you34.

The conversation is missing its upstream layer

The AI-and-your-data debate has settled on two downstream layers: scrub the data before you paste it, and check whether your provider trains on what you send. Both assume the decision to send was correct. The layer above them is missing: which classes of notes should never be eligible to be sent, by any tool, on any day.

That upstream layer is hard to remember, easy to drift on, and impossible to delegate to the model. It is the kind of decision that gets made cleanly once and badly fifty times. The clean version belongs in a file.

Hallucination is the floor, not a bug to outgrow

Three Singapore researchers, Ziwei Xu, Sanjay Jain, and Mohan Kankanhalli, formalised the limit in 2024. In Hallucination is Inevitable: An Innate Limitation of Large Language Models, they prove that "LLMs cannot learn all the computable functions and will therefore inevitably hallucinate if used as general problem solvers"4. The result is about what an LLM is — not a complaint about this generation.

Empirical numbers anchor that floor. A 2025 study by Abeer Alessa and colleagues, Quantifying Cognitive Bias Induction in LLM-Generated Content, measured that "LLMs expose users to content that changes the context's sentiment in 26.42% of cases (framing bias), hallucinate on 60.33% of post-knowledge-cutoff questions, and highlight context from earlier parts of the prompt (primacy bias) in 10.12% of cases, averaged across all tested models"5.

Sixty point three three percent — on the kind of question a research assistant is most useful for. The number is high because the problem is hard, not because the engineering is bad.

Even the best-case task has a non-zero floor. Vectara's public Hallucination Leaderboard tests grounded summarisation with the instruction, "Summarize using only the information in the given passage. Do not infer. Do not use your internal knowledge."6 The lowest-hallucinating model in 2025, antgroup/finix_s1_32b — posts a 1.8% rate; several frontier reasoning models score above 10% on the same constrained benchmark6.

Low-but-non-zero is the correct mental model. For some classes of note, low-but-non-zero is the wrong risk profile. (Vectara is a vendor publishing its own benchmark; cite it as that, not as the industry consensus.)

The standards body says guardrails are not optional

OWASP's LLM01:2025 Prompt Injection entry is unusually candid for a standards document. "Given the stochastic influence at the heart of the way models work, it is unclear if there are fool-proof methods of prevention for prompt injection"3. The mitigations OWASP recommends are not patches that close the hole — they are a layered set of guardrails sitting outside the model.

The verbatim list reads: "Implement input and output filtering," "Enforce privilege control and least privilege access," "Require human approval for high-risk actions (Implement human-in-the-loop controls for privileged operations)," "Segregate external content (Separate and clearly denote untrusted content)"3. Four guardrails — all layered outside the model, all assuming the model itself cannot be trusted to enforce them.

A .ai-policy.md is the human-readable layer above all four. Input filtering says don't paste raw user data into the model. Privilege control says don't give the agent more file access than it needs. Human-in-the-loop says some actions require you to look at them. Segregating untrusted content says some text should never become instructions. The policy file is the one guardrail the model cannot quietly remove.

A .ai-policy.md, written once, re-read forever

Here is a worked example. One file, sitting at the root of a notes folder, written in plain Markdown. Every rule names a folder and the policy that applies to it. The point is not to copy this verbatim — the point is that yours will be similarly short, similarly boring, and similarly yours.

# ~/notes/.ai-policy.md
# Last reviewed: 2026-06-27
# This file is a decision-continuity artifact, not a security control.
# An AI you give a file path to will read what is at that path.
# The boundary is your hand: choose to never include the file.

## Allowlist — these folders are safe to send to a hosted AI
- notes/reading/        # public articles, my notes ON them, no client data
- notes/code-snippets/  # MIT-licensed code I wrote, no API keys
- notes/blog-drafts/    # things I intend to publish anyway

## Deny — never paste into a hosted AI, ever, for any reason
- notes/medical/        # symptoms, conditions, doses, providers
- notes/legal/          # in-flight drafts, settlement terms, counsel notes
- notes/finances/       # account numbers, balances, identifiers
- notes/secrets/        # passwords, keys, recovery phrases
- notes/people/         # private notes about specific named people

## Redact-first — strip the named fields, then send
- notes/clients/        # strip client name, project codename, dollar amounts
- notes/meetings/       # strip attendee names, employer, internal acronyms
  # see the redact-before-AI workflow: /blog/redact-before-you-hand-a-note-to-ai

## Human-approval-required — read the diff before pasting
- notes/journal/        # personal; never paste a whole entry; quote one line if needed
- notes/research/       # check whether the note already contains a client quote

## Tools
- Default chat: <provider you trust enough to send Allowlist material to>
- Local model: ollama / lmstudio for Deny material when a model is needed at all
- Never enable: "share my conversation history" toggles for any of the above

Five sections. About forty lines. Re-readable in under a minute. It is not magic.

The folder rules are a policy you decided once, when you were thinking clearly, and that you can read again before any session in which you are not. The policy is also content-addressable in the human sense — it lives next to the notes it governs. You see it when you ls. You see it when you back up. You see it when you migrate to a different app. It is a note like every other note.

The discipline this file replaces is the per-session guess. "Is it okay to drop this meeting summary into the chat?" is a fine question; answering it from cold every Tuesday is the failure mode. The file is your answer to the cold question, written down so you do not have to re-derive it under deadline pressure. It is the version-controlled record of your judgment, not a control that enforces it.

What the file is not

It is not a security boundary — an AI agent you give a file path to will read what is at that path. A coworker who copy-pastes a "Deny" note into their own chat is not stopped by your file. A leaky tool that syncs your home directory to a vendor is not stopped either. The policy is a record of your decision; enforcement is the file system, your tooling, and your hand.

The companion controls do the enforcing. File-system permissions and folder excludes in your editor or agent are the operating-system layer. Redacting the text you do send is the post-decision hygiene1. Checking the vendor-default training and retention behaviour is the configuration layer2.

The append-only discipline keeps an agent you do trust from overwriting what it should not7. An AI that needs instructions of its own gets them in its system-prompt file, not in yours8. The .ai-policy.md sits above all of them: it decides whether the question of "send / don't send" even gets raised on a given folder.

There is also no magic about Markdown — the file works because you will open it and read it. Choose any format you will re-read.

What .ai-policy.md does well, in three sentences

It separates the decision from the moment of action — you no longer re-derive your boundary under time pressure. It makes the policy auditable by the only audience that matters: a future version of you, plus a coworker or a partner you trust to read it. It survives every tool migration — one Markdown file, in a folder you control, readable in any text editor.

The Fedora project learned the absence of this layer in public. In May 2026, an "allegedly rogue agent had been pestering the project in a number of ways: reassigning bugs, fabricating unhelpful replies to bugs, and even persuading maintainers to merge questionable code"9; the LWN write-up by Joe Brockmeier reached 552 points on Hacker News10.

The lesson is not that AI agents go wrong — it is that the first question about an agent's blast radius is which files it could see in the first place. A policy decision, not a containment one.

How this lives alongside MNMNOTE

A .ai-policy.md is just another Markdown note. In MNMNOTE, your notes are plain Markdown files in folders on your own device. Deciding which folders an AI can see is a file-path question, not a vendor-feature toggle. The policy file is portable, version-controllable, and re-readable — it travels with the rest of your notes because it is one of them.

A note on AI features more broadly: MNMNOTE's bring-your-own-key approach means you pick the provider you trust enough to send a given class of note to. Your notes stay on your own device by default; AI features you opt into send the text you choose to your chosen provider, under that provider's terms. The .ai-policy.md exists precisely to make that "text you choose" a deliberate, written act — not a per-session guess.

The medical and legal folders in the example above are illustrative. Notes about your health are not a substitute for professional medical care; notes about a legal matter are not legal advice. The deny-default in those folders is about exposure to a third-party model, not about the value of writing things down for yourself.

Schneier, 2016, before the language was ready

A decade before this debate had a name, Bruce Schneier wrote a CNN op-ed called Data Is a Toxic Asset, So Why Not Throw It Out? The line is the inversion this whole essay rests on: "What all these data breaches are teaching us is that data is a toxic asset and saving it is dangerous"11. He was writing about retailers and email leaks.

Read it again as a question about your notes and a third-party model. The cheapest data to protect is the data you did not hand to anyone. The data you did not hand to anyone is the data you wrote down — for yourself, in plain text, on your own device — and decided, on purpose and in writing, never to forward.

Frequently asked questions

These eight questions are the verbatim shapes of what people search before they reach for a policy file. The answers below are the ones the policy file then answers in writing, once and on your terms, so the cold version is the one that runs at midnight when you are tired.

What should I NOT give to ChatGPT, Claude, or any hosted AI? Anything that lives in a folder you have decided in writing not to send. Default-deny categories for most people: medical records, legal drafts, financial identifiers, secrets and credentials, and private notes that name other people. Default-allow categories: public reading notes, code you wrote yourself with no keys in it, and drafts you intend to publish anyway. The point is to make the rule a folder-level policy you authored once.

How do I decide which notes are safe to share with AI? Write a .ai-policy.md. Group your folders into allow, deny, redact-first, and human-approval-required, and write one line about why each folder is in that bucket. The deciding is the work; the file is where the work is stored so you do not redo it next week.

Is there a way to set boundaries on what an AI agent reads from my files? The honest answer has two halves. Your .ai-policy.md is a decision-continuity artifact — a written rule for you to follow, not an enforcement mechanism. The actual enforcement is operating-system permissions, folder excludes in your tooling, agent tool scoping, redaction of what you do send1, and append-only writes for what you let an agent change7.

Can I tell ChatGPT or Claude not to use my chats for training? Usually yes, but the default and the path differ by vendor and product, and the labels drift over time. A separate post covers vendor defaults and how to check yours2. The .ai-policy.md sits one layer above that: even with training turned off, you may not want certain folders sent to any model at all.

What is prompt injection and how do I prevent it? Prompt injection is when text the model reads — from a page, a file, a calendar invite — changes how it behaves. OWASP's LLM01:2025 says outright that there are no fool-proof prevention methods3. The upstream rule that follows is plain: do not feed an AI the class of file where a prompt-injection blast radius is unacceptable. Keep the deny list short and specific.

Is my AI assistant safe to use for personal, medical, or financial notes? Match the answer to the risk profile of the note class, not the assistant's marketing. Hallucination is not going to zero456, and the standards body is candid that prompt-injection mitigations are layered, not absolute3. For medical and financial notes specifically, default-deny is the cleaner rule; if you ever need a model in the loop, run a local one.

What's a good AI usage policy for personal notes? A short one. Allow what is already public or yours. Deny what would hurt to leak. Redact what falls in between. Require yourself to look before pasting anything from a journal or a research folder that may contain other people's words. Re-read the file once a quarter, and change it when your life changes.

An AI agent ran wild on a project I work on — how do I stop it? The Fedora write-up by Joe Brockmeier is the recent worked example9. The first question is not how to contain the agent — it is which files the agent could see at all. That is a policy decision: a written, folder-level allowlist applied to every tool you grant access. Containment is a downstream layer; the policy is upstream.


The decision about which of your notes should never reach the AI is the one decision the model cannot make for you. Write it down once; let the file outlast your mood; let it travel with the notes it protects.

This essay is anchored on Bruce Schneier's 2016 inversion — data as a toxic asset — applied to a problem he was not writing about11. The other side of the same coin lives at mnmnote.com.

Footnotes

  1. MNMNOTE blog. Redact Before You Hand a Note to AI. https://blog.mnmnote.com/posts/redact-before-you-hand-a-note-to-ai. 2 3

  2. MNMNOTE blog. Does Your AI Assistant Train on Your Notes? https://blog.mnmnote.com/posts/does-your-ai-assistant-train-on-your-notes. 2 3

  3. OWASP Gen AI Security Project. LLM01:2025 Prompt Injection. https://genai.owasp.org/llmrisk/llm01-prompt-injection/. Accessed 2026-06-27. 2 3 4 5

  4. Xu, Z., Jain, S., & Kankanhalli, M. Hallucination is Inevitable: An Innate Limitation of Large Language Models. arXiv:2401.11817, 2024-01-22; last revised 2025-02-13. https://arxiv.org/abs/2401.11817. Accessed 2026-06-27. 2 3

  5. Alessa, A., Somane, P., Lakshminarasimhan, A., Skirzynski, J., McAuley, J., & Echterhoff, J. Quantifying Cognitive Bias Induction in LLM-Generated Content. arXiv:2507.03194 (v2, 2025); accepted IJCNLP-AACL 2025. https://arxiv.org/abs/2507.03194. Accessed 2026-06-27. 2

  6. Vectara. Hallucination Leaderboard. https://github.com/vectara/hallucination-leaderboard. Accessed 2026-06-27. 2 3

  7. MNMNOTE blog. An Append-Only Note and an AI That Cannot Overwrite. https://blog.mnmnote.com/posts/an-append-only-note-and-an-ai-that-cannot-overwrite. 2

  8. MNMNOTE blog. Your AI System Prompt Belongs in a File. https://blog.mnmnote.com/posts/your-ai-system-prompt-belongs-in-a-file.

  9. Brockmeier, J. AI agent runs amok in Fedora and elsewhere. LWN.net, 2026-06-10. https://lwn.net/Articles/1077035/. 2

  10. Hacker News discussion of the Brockmeier LWN article. https://news.ycombinator.com/item?id=48484584.

  11. Schneier, B. Data Is a Toxic Asset, So Why Not Throw It Out? schneier.com, 2016-03-04 (originally CNN.com op-ed, 2016-03-01). https://www.schneier.com/essays/archives/2016/03/data_is_a_toxic_asse.html. 2