5. What Happens to Your Data Inside an AI System

There are three broad ways a system learns, and knowing them is useful mainly because it lets you ask better questions about your own data.

Supervised learning works from labelled examples. The system is shown inputs paired with the correct outputs, and it adjusts until its predictions match. This suits problems where the right answer is known and can be collected: classification, extraction, prediction against a historical record.

Unsupervised learning works without labels. The system finds structure in data on its own, grouping things that resemble each other or identifying what does not fit. This suits problems where you do not know in advance what you are looking for.

Reinforcement learning works from feedback rather than answers. The system takes actions, receives a signal about whether the outcome was good, and adjusts. It suits problems where the right move depends on a sequence of decisions rather than a single one.

Real systems mix these. The taxonomy is a way of thinking, not a strict division, and it is rarely worth arguing about which category a given system belongs to.

The point most enterprise buyers have not been told

Here is the thing that matters far more than the taxonomy, and it is routinely left out of the vendor conversation.

Most enterprise AI deployments do not train a model on your data at all.

They take a model that has already been trained, at enormous cost, by someone else, and they supply your context at the moment a question is asked. Your documents are retrieved and handed to the model as part of the request. Your rules are expressed in the instructions. The model's parameters do not change. Nothing of yours is absorbed into it. This is a very different arrangement from the one most people imagine when they hear that an AI system will learn their business, and the difference has direct consequences for what you are exposed to.

What it changes for you

Three questions follow, and they are the ones we would put to any vendor including ourselves.

Is anything trained on our data. The honest answers are a plain no, or a precise yes with your consent attached and a description of what that means. A vague answer here is the single clearest signal to slow down. If nothing is trained, then your data is being processed at request time and not absorbed, which is a much easier thing to reason about and to govern.

What is retained after the work is done. Processing transiently and storing permanently are different risk profiles wearing similar language. Ask for specifics: what is written to disk, where, for how long, and under whose control.

And the question buyers reach late: who owns what the system learned. Not the model's parameters, which have not changed, but the structured record the deployment accumulated while it worked. The decisions taken, the reasoning behind them, the patterns that emerged. In our manufacturing work we have seen this record become more valuable than the workflow that produced it, and it is the part of the arrangement that is most often left unsaid in a contract. At signature it is a clause. At exit it is a negotiation.

What we are still working out

Fine-tuning is the open question. Adapting a foundation model on a customer's own data produces genuinely better results in narrow domains, and it also creates dependencies for both sides that are uncomfortable to unwind. We have kept our distance from it so far, favouring retrieval and instruction over parameter change, and we think that is right for now. We are not certain it will still be right in two years.

We are also watching what happens to the boundary between processing and training as models gain persistent memory across sessions. The clean line we currently rely on, that your data is used and not retained, becomes harder to hold if the system is designed to remember. That has governance implications we do not think the industry has fully confronted, and neither, honestly, have we.

Mitochondria is an agentic AI product company based in Amsterdam and Pune. ISO 27001:2022 certified. Classified within the limited and minimal risk tiers of the EU AI Act, with controls aligned to the GDPR, UK GDPR and India's DPDP Act.

Previous
Previous

4. Agentic AI: What Changes When Software Acts

Next
Next

6. Where Enterprise AI Creates Value