The Confidentiality Wall: Why Consulting Firms Can't Just Plug Past Work into AI

Key takeaway: Consulting firms have collectively poured over $10 billion into AI since 2023, building enterprise search tools, RAG pipelines, and internal assistants. But most of them have hit the same wall: the content these systems need — past deliverables, strategy decks, engagement outputs — is confidential. The problem isn't the AI. It's that there's no scalable way to make the content safe to ingest. Document-level sanitisation is the missing infrastructure layer.

Last updated: March 2026

The biggest AI investment in professional services history

Let's start with what's actually happening. The Big Four and MBB firms have collectively invested more than $10 billion in AI capabilities since 2023. Not research. Not experiments. Production systems, enterprise licences, custom-built platforms, and thousands of dedicated AI hires.

McKinsey built Lilli, their internal AI assistant. The numbers are staggering: 72% of their 45,000 employees use it. It searches more than 100,000 documents across 40+ internal sources. Every major firm has some version of this — Deloitte, BCG, Bain, PwC, EY, Accenture — all building retrieval-augmented generation systems, enterprise knowledge platforms, and AI-powered search tools designed to surface the right insight at the right moment.

The thesis is straightforward and correct: consulting firms produce extraordinary intellectual output on every engagement. Strategy frameworks, market analyses, implementation playbooks, operating model designs. Most of it gets used once, filed somewhere, and never seen again. The typical firm reuses roughly 5% of its past deliverables. The other 95% sits in SharePoint folders and partner hard drives, invisible to the rest of the organisation.

AI was supposed to fix this. Build a system that can search, understand, and surface relevant past work — and suddenly every consultant has access to the collective expertise of the entire firm. It's a compelling vision. And in theory, it works.

In practice, firms keep running into the same problem.

The discovery nobody talks about publicly

Here's what happens in practice. A firm invests heavily in an AI platform. The engineering team builds the retrieval pipeline, tunes the embeddings, sets up the vector database. The system works beautifully in testing with a curated set of documents.

Then someone asks the obvious question: what content are we actually going to put in this thing?

And the room goes quiet.

Because the content the system needs — real engagement deliverables, actual strategy decks, genuine client work — is almost entirely confidential. Every slide deck contains client names, financial data, strategic plans, competitive analyses, organisational details, and management opinions that are covered by NDAs and professional obligations. You can't just dump 100,000 PowerPoint files into a RAG system and hope for the best.

The risk isn't that someone deliberately shares confidential data. It's that the system works exactly as designed — retrieving and synthesising relevant content — and in doing so surfaces client details to people who were never on that engagement. A consultant asks for "best practices in telco cost reduction" and the AI pulls from a deck that still contains the client's margin targets and restructuring timeline. No malice required. Just an AI system doing its job on content that was never prepared for broad consumption.

The confidentiality wall isn't a minor speed bump on the road to AI-powered knowledge management. It's the defining constraint. And most firms are only now realising how fundamental it is.

Why can't you just restrict access?

The first instinct is access controls. Build the system, ingest everything, but limit who can see what based on engagement teams, practice groups, or clearance levels.

This fails for two reasons.

First, the whole point of a knowledge system is cross-pollination. A healthcare consultant working on a hospital merger should be able to find relevant frameworks from a financial services merger two years ago. A supply chain team in Singapore should be able to surface distribution models developed for a client in Germany. If you lock content down to the original engagement team, you've built an expensive filing system, not a knowledge platform.

Second, access controls don't solve the actual problem. The content itself is confidential. It doesn't become safe just because only "authorised" people can see it. A consultant who wasn't on the Acme Corp engagement shouldn't see Acme Corp's five-year revenue projections, regardless of their seniority or practice group. The NDA doesn't have a "but it's fine if a colleague reads it for research" clause.

Access controls are a governance layer, not a content safety layer. They answer "who can search?" but not "what's safe to surface?"

The three bad options

Once firms realise that access controls aren't sufficient, they typically land on one of three approaches — each with serious drawbacks.

Option 1: Ingest everything and accept the risk

Some firms quietly decide to put everything into the AI system and manage the risk through policy rather than technology. "Consultants know to treat everything as confidential." "We'll add a disclaimer." "Our people are professionals."

This is the approach that looks pragmatic until it isn't. All it takes is one AI-generated summary that includes a client's unreleased financial data appearing in a pitch deck for a competitor in the same industry. Or a junior consultant asking the AI system about best practices for cost reduction and getting back a response that includes identifiable details from a specific client engagement.

The risk isn't that the AI will "leak" data in the dramatic sense. It's that the system faithfully does what it's designed to do — retrieve and synthesise relevant content — and in doing so surfaces confidential details to people who shouldn't see them. The better the AI works, the higher the risk.

Option 2: Exclude most content and limit the system

The conservative approach: only ingest content that's already been cleared for broad internal use. Methodology documents, published thought leadership, generic templates, training materials.

This is safe. It's also pointless. The whole value proposition of these AI systems is accessing the firm's real engagement experience — the actual analyses, the genuine strategic insights, the specific frameworks developed for specific problems. Generic methodology decks are already on the intranet. Nobody needs a million-dollar RAG pipeline to find them.

Firms that take this approach end up with an AI system that's technically functional but practically useless. Adoption drops because consultants quickly learn the system doesn't have anything they can't already find. The investment sits there, underperforming, while the leadership team wonders why adoption metrics look so disappointing.

Option 3: Manually redact content before ingestion

The theoretically correct answer: review every document before it goes into the AI system, remove confidential content, and ingest only the sanitised versions.

The maths makes this approach a bottleneck almost immediately. Manual redaction takes 4–8 hours per deck when done properly. A mid-size consulting firm might have 50,000–200,000 past deliverables. Even at the low end, that's 200,000 person-hours of review work. At a loaded cost of $100/hour for the knowledge management team members qualified to do this, that's $20 million before the AI system sees its first real document.

Firms that take this route are doing the right thing — the intent is correct. But the throughput can't keep pace with demand. New deliverables are produced every week. Every new engagement creates content that needs the same treatment before it can enter the knowledge system. KM teams end up in a permanent backlog, processing a fraction of what the AI system needs while the rest waits.

Some firms try a hybrid: manually review "high-value" content and exclude the rest. This is pragmatic, but the result is still a system with significant content gaps — and an ever-growing queue of material that hasn't been touched.

This is a structural problem, not a technology problem

Here's the part that most AI roadmaps miss entirely.

The confidentiality wall isn't a bug in the AI system. It's not a configuration issue. It's not something that better prompting or finer-grained permissions will solve. It's a structural gap in the content pipeline.

Think about it this way: consulting firms have invested heavily in the consumption layer (AI systems that can search and reason over content) and the storage layer (document management, SharePoint, knowledge repositories). What's completely missing is the preparation layer — the systematic process that transforms confidential deliverables into content that's safe for broad consumption.

Every other industry that deals with sensitive content at scale has built this layer:

• Healthcare has de-identification standards (HIPAA Safe Harbor, Expert Determination) and certified tools to apply them
• Government has declassification processes, FOIA review procedures, and redaction standards
• Legal has privilege review workflows, protective order processes, and e-discovery platforms
• Financial services has data masking and anonymisation pipelines for PII and account data

Consulting has nothing equivalent. No standard methodology for sanitising deliverables. No established tooling designed for the specific types of sensitivity that consulting content contains. No preparation layer between "raw confidential deliverable" and "content safe for AI ingestion."

This gap didn't matter much when knowledge reuse meant one partner emailing a deck to another partner who was on the same client. It matters enormously when you're building systems designed to make content searchable across the entire firm.

Why standard redaction tools don't work here

The obvious response is: "There are plenty of redaction tools. Just use one of those."

This misses the fundamental difference between consulting content sensitivity and the sensitivity types that existing tools are built for. For a comprehensive breakdown of why consulting redaction is its own discipline, the short version is this:

Standard redaction tools are built for PII — personal data defined by regulation. Names, email addresses, ID numbers, account numbers. The categories are finite, well-defined, and pattern-matchable. A Social Security number is always nine digits in a specific format. An email address always contains an @ symbol. These tools are good at what they do.

Consulting deliverables contain a fundamentally different type of sensitive content. The sensitivity in consulting content is business information, not personal data — and it doesn't follow predictable patterns. A revenue figure is just a number until you know whose revenue it is. A market entry strategy is just text until you know which company is planning it.

The hardest part is inference risk. Slide 12 mentions "consumer packaged goods." Slide 28 shows "annual revenue approximately £8 billion." Slide 45 references "headquartered in the UK with operations across 14 European markets." Each detail is generic on its own. Together, they narrow to a handful of possible clients — maybe one. Any tool that processes content element by element, slide by slide, is structurally blind to this. Detecting inference risk requires understanding how information combines across an entire document. Most tools don't even attempt it.

This is why context-aware approaches to redaction matter for this use case. Pattern matching finds the obvious things. Understanding what content means in context — and how seemingly innocuous details combine to create identification risk — requires something fundamentally different.

What does "AI-ready" content actually mean?

There's a lot of hand-waving in the industry about making content "AI-ready." Usually this means metadata tagging, document classification, and format standardisation. All useful. None sufficient.

For consulting firms, AI-ready content has a dual requirement that most definitions ignore: it must be safe to surface to anyone at the firm, and it must still be useful when they find it.

Safe alone isn't enough. You can make any document safe by deleting it. The hard part is making it safe while preserving the intellectual value — the frameworks, the analytical approaches, the strategic thinking, the methodologies that made the deliverable worth keeping in the first place.

This is why standard redaction falls short. Black-boxing every potentially sensitive element in a strategy deck makes it safe, sure. It also makes it unreadable. A slide that says "[REDACTED] should pursue [REDACTED] in the [REDACTED] market through [REDACTED]" has zero knowledge value. You've solved confidentiality by destroying the reason anyone would search for the document. That's not AI-ready — that's just a different kind of waste.

AI-ready sanitisation means:

• Client identifiers removed or generalised — "Acme Corp" becomes "a mid-market consumer goods company," not "[REDACTED]"
• Sensitive financials normalised or removed — exact figures replaced with ranges or relativised, or stripped entirely where they're client-specific
• Strategic content assessed for inference risk — combinations of details that could identify the client, even without explicit naming, detected and addressed
• Analytical frameworks and methodologies preserved — the reusable intellectual property stays intact
• Document remains coherent and useful — a consultant finding this through the AI system should be able to learn from it

The difference between "redacted" and "AI-ready" is the difference between a document that's safe but useless and a document that's safe and valuable.

The path forward: sanitisation as infrastructure

The firms that will actually realise the value of their AI investments are the ones that treat document sanitisation as infrastructure — not an afterthought, not a manual review process, not a compliance checkbox, but a core part of the content pipeline.

What does this look like in practice?

A preparation layer between creation and consumption

Every deliverable, at the point of completion or shortly after, goes through a sanitisation process that produces an AI-ready version. The original stays in the secure engagement folder. The sanitised version enters the knowledge system. Two versions of the same document: one for the record, one for the firm.

Purpose-built for consulting content

The sanitisation layer needs to understand the specific types of sensitivity that consulting deliverables contain. Not just PII patterns. Not just keyword matching. The full spectrum: direct identifiers, indirect inference risk, and non-public information. It needs to work across entire documents, understanding how details on one slide relate to details on another.

Scalable enough to address the backlog

A firm with 100,000 past deliverables can't review them manually at 4–8 hours each. The sanitisation approach needs to handle volume without requiring proportional human effort. That doesn't mean zero human oversight — it means the heavy lifting is automated and humans review outputs rather than doing the work from scratch.

Integrated with existing workflows

The sanitisation layer needs to fit into how consulting firms already work. That means working with PowerPoint (because that's what consultants produce), integrating with existing document management systems, and producing output that AI systems can actually ingest. Asking firms to change their delivery format or document management approach is a non-starter.

Meeting enterprise security standards

Any system that touches client deliverables needs to meet the security standards that consulting firms' clients expect. That means SOC 2 compliance, proper data handling, access controls, and audit trails. A sanitisation tool that itself becomes a security risk defeats the purpose entirely.

What this means for your AI roadmap

If you're at a consulting firm that's building or evaluating AI capabilities, here's the honest assessment:

Your AI system is only as valuable as the content you can safely put into it.

The models are good enough. The retrieval systems work. The infrastructure is there. The bottleneck is content availability. And the content bottleneck is fundamentally a confidentiality problem.

Most AI roadmaps treat content preparation as a phase — "clean up and ingest existing documents" — without recognising that for consulting firms, this phase is actually the hardest part of the entire initiative. It's where the budget should be, and it's where most firms are underinvesting.

The firms that solve this first will have a genuine competitive advantage. Not because their AI is better, but because their AI has something to work with. When your system can search across thousands of sanitised engagement deliverables while your competitor's can only search methodology templates and thought leadership, the difference in output quality is enormous.

This isn't about replacing human judgement. Senior consultants will always bring experience and intuition that no AI system can replicate. But those consultants are dramatically more effective when they can find a relevant precedent in minutes rather than hoping someone in their network has worked on something similar.