Govern

Enterprise tier vs. consumer tier: same AI product, different legal reality

May 2026 · Jason Lee

The most consequential misunderstanding in business AI adoption fits in one sentence: “we use [vendor]” is not a compliance posture, because the same vendor’s product exists in tiers with materially different terms.

The model may be identical. The interface may be identical. What differs is the contract — and in a regulated business, the contract is the product.

THE TIER GAP Same model. Different legal reality. Typical pattern across major platforms — verify the actual terms of your actual tier. Consumer tier personal account, free or personal-paid May train on your inputs by default Retains conversations by default No BAA or DPA available — at any price No SSO, no admin visibility, no policy enforcement No audit trail the organization can produce Sensitive data here = uncontrolled disclosure Enterprise / API tier organizational contract, verified terms Contractual commitment: no training on your data Retention controls, zero-retention configurable BAA / DPA signable — the boundary extends SSO, role-based access, admin controls Attributable logging the organization owns The approval that matters: this tier, this agreement “We use [vendor]” approves the logo. Governance approves the tier.

What typically differs, tier to tier

Exact terms vary by vendor and change over time — which is itself the point — but the pattern is consistent across the major platforms:

  • Training on your inputs. Consumer tiers have historically defaulted to using conversations to improve models, with opt-outs of varying visibility. Enterprise and API tiers typically commit contractually to not training on your data. For privileged, PHI-class, or client-confidential material, this single term is the difference between a protected disclosure and an uncontrolled one.
  • Data retention. Consumer tiers retain conversation history by default — convenient for the user, unaccounted-for from a records standpoint. Enterprise tiers offer retention controls, including zero-retention configurations on API traffic.
  • The agreements you can actually sign. BAAs for HIPAA-covered workflows and DPAs for everything else are available on enterprise and API tiers. They are not available on a personal account, at any price, because the vendor cannot take on those obligations for an account it cannot verify belongs to a business.
  • Identity and administration. SSO, role-based access, domain capture, admin-visible usage — enterprise features that are not conveniences; they are the mechanism by which your policy becomes enforceable and your usage becomes auditable.
  • Audit and logging. Consumer accounts give the organization nothing: no visibility, no export, no attribution. If you cannot produce a record of what was sent, you cannot answer an auditor, a regulator, or opposing counsel.

The failure mode this creates

An organization “approves ChatGPT” (or any peer product) in a policy memo. Staff read the approval, use their personal accounts, and the organization believes it has a governed deployment. It has the opposite: sanctioned-sounding shadow AI, with sensitive data flowing under consumer terms while leadership reports the tool is “approved.”

The approval that matters is tier-specific: this vendor, this tier, under this agreement, for these use cases. Anything less specific approves the logo, not the legal reality.

The two-question test

For every AI tool in your organization, you should be able to answer:

  1. Which tier are we actually on — verified by looking at the account and the agreement, not by asking the vendor’s sales page?
  2. Do the terms of that tier permit the data we are actually sending it — training excluded, retention controlled, the right agreement signed?

If either answer is “not sure,” you have found this quarter’s most urgent governance task. It is usually a two-week fix: inventory the accounts, consolidate onto the enterprise tier, capture the stragglers with SSO domain enforcement.

Which tier is your organization actually on?

The tier audit is part of the vendor and model risk review inside the AI Readiness Assessment — every tool, its actual tier, its actual terms, and the remediation plan.