Ready To Deploy: Building A Cyber-Safe AI Roadmap For Family Offices
Editorial Staff
16 June 2026
Most family offices are already using AI in some form. Some have licensed Copilot or Claude. In others, a staff member has been running half their daily work through a personal ChatGPT account that the principals know nothing about. Each step requires realizing that AI is now part of how the organization operates and treating it accordingly.
Which raises the question: can anyone in leadership say what is running, where, and against which data?
That question framed a recent fireside chat at Family Wealth Report's Family Office Cybersecurity Forum in Manhattan. Most of the day was focused on what attackers can do with AI. This session looked at the other side: What doing it right looks like from inside a family office.
The session paired Farr Shepherd, CEO and founder of Decypher Technologies, with Annette Garcia-Acosta, Decypher's director of communications. Their conversation focused on what most offices skip: The work that has to happen before the tool is ever turned on.


The employee who logged out
Shepherd opened with a story he tells often.
A family office lost a staff member to a routine departure. A few weeks later, leadership realized that a meaningful chunk of the employee's work product was missing. It wasn't in SharePoint, the shared inbox, or on the network drive.
The employee had been running nearly all their work through a personal AI account. Every document, every draft had been created on a platform the office had no access to and no claim on. When the employee logged out for the last time, the work went with them.
The painful part was the lack of recourse. The office had no written policy prohibiting personal AI accounts for work. Technically, no rule had been broken. There was no way to demand the return of work product that the firm had paid for.
This, Shepherd argued, is why a written AI policy is the first step on any adoption roadmap. It is the highest-leverage move a family office can make, and most haven't made it.
Start narrow
Once the policy is in place, Shepherd sees the same mistake almost every time. The new tool gets connected to everything in sight – SharePoint, Google Drive, the email archive, the family photo library, the trust documents, the investment memos.
The appeal is obvious. AI promises to lighten workloads and make offices more efficient. But the model can't tell sensitive material from routine material. It reads whatever it is given access to, and eventually it will read something it shouldn't.
Shepherd's recommendation is narrow first, wide later. A pilot of three to five users run for 30 days, with one mandate: find the holes. What can the tool reach that it shouldn't? What is showing up in outputs that has no business being in the system? He compared the exercise to a sieve. Find the leaks before the whole organization starts pushing material through.
He flagged free-tier tools as something to ban outright. With most consumer AI products, prompts and uploads can become training data. He pointed to a JP Morgan piece from earlier this year describing a family office executive who discovered that an AI model appeared to know intimate details about the family. The trail led back to a family member using a free AI app as a personal therapist. The lesson: enterprise products only.
When the builder is the risk
Some family offices have moved past off-the-shelf tools and started building custom AI – proprietary models trained on their investment research, operations, and family records. This is a much bigger undertaking, requiring months of work, specialized consultants, purpose-built data lakes, and an architecture outside the office's normal IT footprint.
In a custom build, Shepherd argued, the consultant introduces more risk than the technology. The family office is handing its data architecture to an outsider, and most offices don't have the documentation to judge whether that outsider can be trusted with it.
His due diligence centers on questions that force specific answers. Does the vendor have access to the actual data, or is it encrypted and inaccessible to them? What encryption is used, and who controls the keys? Can the vendor prevent its own engineers from looking at the data? What happens to the data, and to the trained model, when the engagement ends?
Vague responses are the warning. A consultant who can't explain their data access controls, or who has no defined deletion procedure, should not be advanced to a contract.
The same scrutiny should extend to the office's outside advisors. Lawyers, accountants, and consultants all touch sensitive data, and the office usually has no visibility into the AI tools those parties are running. A governance policy that stops at the office's own staff leaves a much larger group of users entirely unmanaged.
The next wave: agents
Shepherd closed by flagging the development he expects to dominate next year's conversation: agentic AI. Unlike the AI tools most offices have used so far, agents take actions – booking flights, moving files, sending payments.
Drop that capability into a family office and the risk multiplies. An agent with access to the inbox, the calendar, and the financial accounts has shifted from reading information to acting on it.
A second risk compounds the first. Agents read email, documents, and web content. If someone hides a malicious instruction inside any of that material – and attackers are starting to – the agent can be tricked into carrying it out. A wire transfer might look authorized because the agent was deceived into initiating it. A sensitive file might end up where the wrong people can see it.
Two guardrails are non-optional: 1) limit what any agent can reach, so that a mistake or manipulation stays contained, and 2) require a human to approve anything involving money, personal data, or sensitive files, with an audit trail behind every action. Most family offices won't be building agents in-house; they will adopt them from vendors. Which makes the first questions practical. Whose agent is this? Where does it run? What can it reach?
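The two guardrails above, sketched as a deny-by-default gate in front of an agent's tool calls with a tamper-evident audit log. This is an added illustration, not code from Decypher or the session; the tool names, categories and approver address are hypothetical.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Categories the article says always need a human sign-off.
APPROVAL_REQUIRED = {"money", "personal_data", "sensitive_file"}

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

@dataclass
class AgentGate:
    allowed_tools: dict                      # tool name -> category (hypothetical names)
    audit: list = field(default_factory=list)

    def _log(self, tool, args, decision, approver):
        # Each entry commits to the previous one, so edits or deletions are detectable.
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"tool": tool, "args": args, "decision": decision,
                 "approver": approver, "prev": prev}
        entry["hash"] = _digest(entry)
        self.audit.append(entry)
        return decision

    def authorize(self, tool, args, approver=None):
        # Guardrail 1: anything outside the agent's declared reach is refused.
        if tool not in self.allowed_tools:
            return self._log(tool, args, "deny:out_of_scope", None)
        # Guardrail 2: sensitive actions wait for a named human. The approver
        # must come from a separate channel, never from content the agent read.
        if self.allowed_tools[tool] in APPROVAL_REQUIRED and not approver:
            return self._log(tool, args, "hold:needs_human", None)
        return self._log(tool, args, "allow", approver)

    def audit_intact(self):
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def demo():
    # Constructed sample requests, as an agent might emit them.
    gate = AgentGate({"calendar.read": "routine", "wire.send": "money"})
    wire = {"amount": 25000, "to": "PAYEE-PLACEHOLDER"}
    results = [gate.authorize("calendar.read", {"day": "2026-06-16"}),
               gate.authorize("wire.send", wire),
               gate.authorize("wire.send", wire, approver="controller@example.invalid"),
               gate.authorize("drive.share", {"file": "trust.pdf"})]
    return results, gate
```

The held wire request is logged even though nothing was sent, which is what lets a reviewer later see that an agent tried to move money without sign-off.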
One thing this quarter
Asked what a family office should do this quarter if it did nothing else, Shepherd named three workstreams to run in parallel: write the policy, catalog the data and who can reach it, and pilot before scaling.
The offices that put guardrails in place this year will be in a different position from the ones that wait until something has gone wrong. Shepherd has seen both. The first conversation, he said, is the cheaper one.
Shepherd and Garcia-Acosta developed two checklists discussed during the session – an AI Deployment Readiness Checklist covering governance, configuration, and access controls, and an AI Consultant Vetting Checklist for offices considering a custom build. Both are available on request from Decypher Technologies.