
The hidden cost of a single leaked prompt

A sensitive prompt feels free: two seconds saved. The real cost — fines, trust, remediation — is submerged. Why we underrate it, and how to cancel it.

By Pierre de ONYRI

Pasting sensitive data into AI feels free: two seconds saved, a task done. But that's the tip of the iceberg. Below the waterline sits the real cost of a leak — regulatory penalty, lost trust, remediation, time — and our brain is wired not to see it: it discounts what's distant and uncertain. So we accept a risk we never actually priced. The fix isn't to price it better, it's to bring that cost to zero.

The visible tip: two seconds saved

At the moment of copy-paste, the only tangible number is the gain: the time you save yourself. Immediate, certain, pleasant. It wins the decision because it's the only term in the equation you perceive clearly.

[Figure: an iceberg whose small visible tip represents the seconds saved and whose much larger submerged mass represents the hidden cost of a leak. Caption: What you see: the time saved. What you don't: the mass of costs that only surfaces after the leak.]

The submerged mass: what a leak really costs

  • Regulatory: a data breach can trigger penalties and mandatory notification to the authority.
  • Trust: a client, patient or partner whose data leaked doesn't come back easily.
  • Remediation: investigation, secret rotation, legal counsel, crisis comms — time and money.
  • Irreversibility: data that has left can't be taken back; the cost can stretch over years.

Why the brain underrates this cost

Two mechanisms combine. First, temporal discounting: a future cost mechanically weighs less than a present gain. Second, invisibility: until the leak happens, the cost has no face, so no emotional weight. The paradox: we know a loss hurts about twice as much as an equivalent gain feels good — but that loss aversion only fires once the loss is concrete. Too late.

The real fix: bring the cost to zero

As long as there's a trade-off — time against risk — the risk will eventually be taken. The way out is to remove the trade-off: if sensitive data never leaves in the clear, there's no bet left to lose. An engine detects and masks identifying elements before sending, and restores the answer in the browser. The time saved stays; the submerged cost disappears.

That's exactly what ONYRI Sanitize does: browser-side anonymization makes whatever could leak worthless. You keep the two seconds saved, without the hidden bill that comes with them.
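The detect, mask and restore loop described above, as an added example that is not ONYRI Sanitize's code. The two regex detectors, the `[[TYPE_n]]` placeholder format and the sample values are assumptions made for illustration.

```javascript
// Added illustration: narrow, constructed detectors, not a product's rule set.
const DETECTORS = [
  { type: "EMAIL", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  // Hypothetical key format: "sk-"/"pk-" prefix plus 16+ token characters.
  { type: "API_KEY", re: /\b(?:sk|pk)-[A-Za-z0-9_]{16,}\b/g },
];

// The mapping lives only in local memory; it is never part of what is sent.
function createSession() {
  return { byValue: new Map(), byToken: new Map(), counters: {} };
}

// Replace each detected value with a stable placeholder such as [[EMAIL_1]].
// The same value always gets the same placeholder, so the model can still
// tell that two mentions refer to the same thing without seeing the value.
function mask(text, session) {
  let out = text;
  for (const { type, re } of DETECTORS) {
    out = out.replace(re, (value) => {
      if (session.byValue.has(value)) return session.byValue.get(value);
      session.counters[type] = (session.counters[type] || 0) + 1;
      const token = `[[${type}_${session.counters[type]}]]`;
      session.byValue.set(value, token);
      session.byToken.set(token, value);
      return token;
    });
  }
  return out;
}

// Put the original values back into the model's answer, locally.
// Placeholders this session never issued are left untouched.
function restore(text, session) {
  return text.replace(/\[\[[A-Z_]+_\d+\]\]/g, (token) =>
    session.byToken.has(token) ? session.byToken.get(token) : token);
}

// Constructed sample prompt and a constructed model reply.
const demoSession = createSession();
const samplePrompt = "Reply to alice.martin@example.test, cc alice.martin@example.test; " +
  "rotate sk-TESTONLY0000000000000000 today.";
const outbound = mask(samplePrompt, demoSession);
const sampleReply = "Draft addressed to [[EMAIL_1]]; key [[API_KEY_1]] flagged.";
console.log(outbound);
console.log(restore(sampleReply, demoSession));
```

Regex detectors only catch values with a recognizable shape; names and other free-text identifiers need a different detection approach, and anything a detector misses still leaves in the clear.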

Frequently asked questions

What's the real cost of a leaked prompt?
Far more than the seconds saved: a possible regulatory penalty, lost trust, remediation costs (investigation, secret rotation, legal), and above all irreversibility — data that has left can't be taken back. The cost surfaces afterward, which makes it easy to ignore in the moment.

Why do we underrate this risk in the moment?
Because the brain discounts the future and the cost is invisible until the leak happens. Loss aversion, which would make us pull back, only fires against a concrete loss — by then it's too late for the decision to paste.

How do I eliminate this cost without giving up AI?
By removing the trade-off: anonymize sensitive data before sending. If what leaves is neutralized, a leak exposes nothing usable. You keep AI's time savings without the hidden cost.
