The Hyperscaler AI Telemetry Audit
What Microsoft, Google, and AWS collect when you use their AI. An independent research brief on enterprise cloud AI data handling, regulatory exposure, and the risks most organizations have not assessed.
Hyperscalers Audited
Microsoft Azure OpenAI/Foundry, Google Cloud Vertex AI/Gemini, AWS Bedrock/SageMaker.
Abuse Monitoring Retention
Microsoft retains prompts and completions for up to 30 days. Human review possible on flagged content.
Regulatory Crackdown
May 2026 joint investigation into OpenAI confirms Canadian regulators are actively scrutinizing AI data practices.
Executive Summary
Enterprise adoption of cloud-hosted generative AI has outpaced legal and security review. Organizations are feeding proprietary data, customer records, and strategic queries into APIs owned by three vendors — Microsoft, Google, and Amazon Web Services — without a clear inventory of what those vendors log, retain, analyze, or disclose.
This audit examines the telemetry and data-handling practices of the three dominant hyperscaler AI platforms:
- Microsoft Azure OpenAI / Foundry
- Google Cloud Vertex AI / Gemini
- Amazon Web Services Bedrock / SageMaker
Key finding: While all three vendors promise that customer prompts are not used to train foundation models, each platform generates a substantial metadata footprint — API call logs, token counts, latency metrics, IP addresses, identity objects, and abuse-monitoring telemetry — that creates compliance surface area most enterprises have not assessed. The May 2026 joint PIPEDA investigation into OpenAI confirms that Canadian regulators are now actively scrutinizing these practices.
For organizations subject to PIPEDA, provincial privacy laws, GDPR, or sector-specific regulations (healthcare, finance, defense), the default configuration of cloud AI APIs presents material risk. This report documents those risks and outlines the audit framework elect-rix applies when assessing client AI infrastructure.
1. The Stakes: Why Telemetry Matters
When an employee submits a prompt to a cloud AI model, the organization leaks more than just the text of the query. The transaction produces:
| Data Category | Example | Business Risk |
|---|---|---|
| Prompt content | Customer record, contract clause, proprietary algorithm | IP exposure, privacy breach |
| Response content | Generated code, strategic recommendation, legal analysis | Derivative IP claims |
| API metadata | Token count, model version, timestamp, latency | Competitive intelligence, usage fingerprinting |
| Identity telemetry | Entra ID object ID, IAM principal, API key fingerprint | Insider threat profiling, access pattern mapping |
| Network telemetry | Source IP (full or masked), region, user-agent | Geolocation, organizational structure inference |
| Abuse flags | Content filter triggers, policy violations, flagged completions | Regulatory scrutiny, employee monitoring |
The misconception: "We have an enterprise agreement that says our data is not used for training."
The reality: Training-data commitments address only one vector. They do not eliminate logging, do not prevent subpoena-driven disclosure, and do not exempt the vendor from retaining prompts for abuse monitoring, debugging, or legal compliance.
2. Methodology
This audit is based on:
- Published vendor documentation (Microsoft Learn, AWS Documentation, Google Cloud Terms) as of June 2026
- Regulatory findings — Office of the Privacy Commissioner of Canada, PIPEDA Findings #2026-002 (May 6, 2026)
- Independent technical analysis of API logging behavior and diagnostic telemetry
- Enterprise architecture reviews conducted by elect-rix in production environments
This report does not rely on vendor marketing materials. Where documentation is ambiguous, we note the gap and classify it as an unverified risk.
Scope
This audit covers the default and commonly-deployed configurations of three hyperscaler AI platforms as documented and observed through June 2026: Microsoft Azure OpenAI / Foundry, Google Cloud Vertex AI / Gemini, and Amazon Web Services Bedrock / SageMaker. It addresses telemetry, logging, retention, and metadata exposure relevant to Canadian data-sovereignty and PIPEDA obligations.
Limitations
- Vendor data-handling practices change frequently; findings reflect documentation and observed behaviour current as of the publication date below and may not reflect subsequent changes.
- Enterprise agreements, regional deployments, and private-networking configurations can materially alter telemetry behaviour. Organization-specific exposure requires a direct assessment.
- Where vendor documentation is silent or ambiguous, items are classified as unverified risks rather than confirmed practices.
- This report is informational and is not legal advice. It does not establish an attorney-client relationship.
Published: June 16, 2026 · Version: 1.0 · Next scheduled review: December 2026
3. Microsoft Azure OpenAI / Foundry
3.1 Official Data Commitments
Microsoft publishes five core commitments for Azure OpenAI and Foundry Models:
- Prompts and completions are NOT available to other customers
- They are NOT available to OpenAI or other model providers
- They are NOT used to improve models without explicit permission
- They are NOT used to train generative AI foundation models without permission
- Fine-tuned models are exclusively available to the creating customer
Source: Microsoft Learn — Data, Privacy, and Security for Models Sold by Azure
3.2 What Microsoft Actually Processes
Microsoft processes five categories of data:
- Prompts and generated content — inputs and outputs
- Uploaded data — files for fine-tuning, assistants, batch processing
- Stateful entity data — message history, thread content, stored completions
- Augmented data — retrieved documents for RAG/grounding
- Training & validation data — prompt-completion pairs for custom models
3.3 Abuse Monitoring — The Hidden Retention Window
Microsoft acknowledges that prompts and completions are retained for up to 30 days for abuse detection and mitigation. During this window:
- Content is analyzed for harmful output, jailbreak attempts, and code-of-conduct violations
- Human reviewers may review flagged content
- The data resides within the customer-specified geography but may move between regions within that geography for operational purposes
Critical caveat: "Global" and "DataZone" deployment types expand processing geography significantly. A "Global" deployment may process data in any region where the model is deployed, though data at rest remains in the designated geography.
3.4 Native Logging Gaps — What Enterprises Cannot See
Azure OpenAI emits three log types via diagnostic settings:
| Log Type | Captured | Not Captured |
|---|---|---|
| Audit Logs | ListKeys operations only | User identity, prompt content, model calls |
| Request/Response Logs | Action type, timestamp, status code, first 3 octets of IP, response time | Prompt content, response content, token usage |
| Trace Logs | Undocumented / unknown | Unknown scope |
As of January 2024: Entra ID object ID was added to RequestResponse logs. Microsoft now logs who made the call but not what was in it.
Enterprise impact: Native logs are insufficient for chargeback, input/output auditing, and token-level forensic analysis. Organizations must deploy an API gateway (Azure API Management or equivalent) to capture the telemetry they actually need — which means the gateway layer now becomes a second point of data exposure.
3.5 Subpoena and Disclosure Risk
Microsoft operates under U.S. law. The Microsoft Products and Services Data Protection Addendum (DPA) governs data handling, but like all U.S.-based cloud providers, Microsoft is subject to:
- U.S. CLOUD Act — compels disclosure of data held by U.S. providers regardless of physical location
- FISA 702 / PRISM — upstream collection of communications content
- National Security Letters — gag-ordered data requests
Microsoft publishes a transparency report but cannot disclose the volume of classified requests.
4. Google Cloud — Vertex AI & Gemini
4.1 Data Use Framework
Google Cloud's position on AI data usage is tiered:
| Tier | Data Use Policy |
|---|---|
| Consumer Gemini (free) | Data may be used to improve models; human review possible |
| Consumer Gemini (paid/Google One AI) | Data not used for training if "Gemini Apps Activity" is turned off |
| Google Workspace Gemini | Data not used for training without permission; governed by Workspace terms |
| Vertex AI (enterprise) | Customer data is not used to train models; governed by Cloud Data Processing Addendum |
Critical distinction: Google's consumer and enterprise AI stacks are not the same product. An employee using gemini.google.com with a personal account exposes corporate data to consumer-grade terms. Shadow AI — employees using consumer tools for work — is the fastest-growing ungoverned data channel in enterprise IT.
4.2 The Google AI Studio Trap
Google AI Studio (formerly MakerSuite) operates under consumer terms unless the organization activates a Google Cloud billing account. Many developers begin prototyping in AI Studio and later "migrate" to Vertex AI without understanding that the prototyping phase subjected their data to consumer data-use policies.
4.3 Telemetry and Logging
Google Cloud logs API activity through Cloud Audit Logs. For Vertex AI:
- Admin Activity logs — record API calls that modify resources (model deployment, endpoint creation)
- Data Access logs — record API calls that read data (must be explicitly enabled; disabled by default due to cost/volume)
- System Event logs — record Google-initiated actions
What is NOT logged natively: Prompt content and response content are not captured in Cloud Audit Logs. However:
- Latency, token count, and error rates are exposed via Cloud Monitoring
- Request/response logging requires customer-implemented instrumentation
- Model Garden (third-party models hosted on Vertex AI) may have separate telemetry terms
4.4 Data Residency and the Multi-Region Problem
Google Cloud allows data location selection for specific services. However:
"Google may replicate Customer Data within other Regions in the same country (or countries of the Multi-Region) for backup, reliability, debugging, support, maintenance, or security."
Source: Google Cloud Service Specific Terms
This replication authority means that a "Canada" region selection does not guarantee data never touches U.S. infrastructure for operational purposes. Debugging and support activities are explicitly exempted from data-location commitments.
4.5 Pre-GA Offerings — The Liability Void
Google's Pre-GA terms (Alpha, Beta, Preview, Experimental) contain explicit disclaimers:
"PRE-GA OFFERINGS ARE PROVIDED 'AS IS' WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES... [They] are not covered by any SLA or Google indemnity."
Enterprise AI teams frequently adopt preview features (e.g., early Gemini model versions, agent frameworks) without legal review of these terms. The result: production workloads running on software with no warranty, no SLA, and no data-location guarantees.
5. Amazon Web Services — Bedrock & SageMaker
5.1 The Shared Responsibility Model
AWS applies its standard shared responsibility model to AI services:
- AWS responsibility: Global infrastructure security
- Customer responsibility: Content security, access configuration, encryption management
Source: AWS Bedrock Data Protection Documentation
5.2 Bedrock Data Handling
AWS Bedrock uses a Model Deployment Account architecture:
- One deployment account per model provider per region
- Accounts are owned by the Bedrock service team — not by the model provider (Anthropic, Meta, etc.)
- Model providers have no access to these accounts after model delivery
- Providers cannot access Bedrock logs or customer prompts/completions
AWS commitments:
- Customer content is not used for marketing or advertising
- Content is not disclosed without customer agreement except under legal compulsion
- Customers choose the AWS Region(s) for storage
- AWS attempts to redirect governmental requests to the customer
5.3 The CloudTrail Blind Spot
AWS CloudTrail captures API calls for Bedrock and SageMaker. However:
- CloudTrail logs the API action (e.g., `InvokeModel`) but not the payload
- Prompt and response content are not written to CloudTrail
- Token usage is available via CloudWatch metrics but requires explicit metric stream configuration
- VPC Flow Logs capture network metadata but not application-layer content
Enterprise impact: Like Azure, AWS requires an intermediary proxy or application-layer logging to audit inputs and outputs. This proxy becomes a critical security control — and a critical vulnerability if misconfigured.
5.4 Third-Party Model Risk
Bedrock hosts models from Anthropic, Meta, Stability AI, Cohere, and others. While AWS states that model providers cannot access customer data, the legal chain is complex:
- Anthropic trains Claude on undisclosed datasets
- AWS deploys a copy of Claude in its Model Deployment Account
- Customer prompts go to the AWS-hosted copy
- AWS does not train on customer data
The unverified risk: Whether Anthropic's training data included legally problematic sources (copyrighted works, personal data scraped without consent) affects the compliance posture of every output generated by the model. AWS does not warrant the provenance of third-party model training data.
6. The Metadata Layer: What Vendors Don't Talk About
Even when prompt content is protected, the metadata surrounding AI API calls reveals significant organizational intelligence:
| Metadata Element | What It Reveals |
|---|---|
| Token count patterns | Document length, complexity of queries, workload type |
| Timestamp distribution | Operating hours, team locations, project deadlines |
| Model selection | Use case (code generation vs. summarization vs. image generation) |
| Error rate trends | Data quality issues, model capability gaps |
| IP address / region | Office locations, remote worker geography |
| Identity objects | Who is using AI, how often, for what business function |
| Content filter triggers | Topics the organization researches, policies employees test |
This metadata is not covered by "your data is not used for training" promises. It is operational telemetry that vendors retain for billing, capacity planning, product improvement, and abuse prevention.
The strategic risk: A competitor or adversary with access to this metadata (via breach, subpoena, or insider action) could reconstruct organizational priorities without ever seeing a single prompt.
7. Regulatory Context: The Canadian Crackdown
7.1 PIPEDA Findings #2026-002 — OpenAI Investigation
On May 6, 2026, the Office of the Privacy Commissioner of Canada, joined by Quebec, British Columbia, and Alberta privacy authorities, issued findings against OpenAI OpCo, LLC regarding ChatGPT.
Key findings:
- Jurisdiction affirmed: Canadian privacy laws apply to OpenAI despite its U.S. corporate structure. "The Internet has no borders."
- Overbroad collection: OpenAI's collection of publicly accessible and licensed data for training was found inappropriate — not merely incidental, but systematic and excessive
- Consent deficiencies: OpenAI failed to obtain valid consent for collection, use, and disclosure of personal information
- Transparency failures: Users were not adequately informed about what data was collected and how it was used
- Accuracy risks: Generated personal information (hallucinations about individuals) creates defamation and misrepresentation risks
Source: Office of the Privacy Commissioner of Canada — PIPEDA Findings #2026-002
7.2 Implications for Enterprise Cloud AI Users
The OpenAI investigation has cascading implications:
- Liability chain: If OpenAI's training data collection was non-compliant, outputs generated from that training may carry tainted provenance. Organizations using these outputs for customer-facing applications assume downstream liability.
- Shadow AI exposure: Employees using consumer ChatGPT (not enterprise Azure OpenAI) subject the organization to the exact practices found non-compliant by the OPC.
- Due diligence standard: The investigation establishes that "we have an enterprise agreement" is insufficient. Organizations must now verify:
- What training data was used for the specific model version they deploy
- Whether that training data included Canadian personal information collected without consent
- Whether outputs can be traced to non-compliant training sources
7.3 GDPR and Cross-Border Transfer Risk
For organizations with EU operations or EU data subjects:
- The Schrems II decision invalidated the Privacy Shield framework
- Standard Contractual Clauses (SCCs) remain valid but require Transfer Impact Assessments (TIAs)
- U.S. CLOUD Act and FISA 702 create structural conflicts with GDPR Article 44-49
- Meta's €1.2 billion fine (2023) for unlawful EU-U.S. data transfers set the precedent
Organizations using cloud AI for EU data subjects must document why the transfer is lawful — a burden that increases with every new model deployment.
8. Enterprise Risk Assessment Matrix
| Risk Vector | Microsoft | AWS | Mitigation Complexity | |
|---|---|---|---|---|
| Prompt retention for abuse monitoring | 30 days | Varies by tier | Not disclosed | Medium |
| Subpoena exposure (U.S. law) | High | High | High | High — structural |
| Metadata logging (IP, identity, tokens) | Extensive | Extensive | Extensive | High — requires proxy |
| Third-party model training provenance | N/A (OpenAI models) | Model Garden risk | Bedrock provider risk | Very High — unverifiable |
| Shadow AI / consumer-tier bleed | High (Copilot consumer) | High (Gemini consumer) | Medium | Medium — policy + DLP |
| Pre-GA feature liability | Medium | High (explicit disclaimer) | Medium | Low — legal review |
| Data residency guarantee | Geography only | Same-country replication | Region-specific | Medium |
| Canadian regulatory alignment | Under scrutiny | Under scrutiny | Under scrutiny | Very High — evolving |
9. The Alternative: Air-Gapped & Local Deployment
The only configuration that eliminates the risks documented in this audit is local AI inference on hardware the organization owns and controls.
| Requirement | Cloud AI Default | Local Deployment |
|---|---|---|
| Prompt content leaves organization | Yes — via API | No — remains on device |
| Metadata logged by vendor | Yes — extensive | No vendor telemetry |
| Subpoena exposure | U.S. legal jurisdiction | Domestic legal jurisdiction only |
| Abuse monitoring retention | 30 days (Microsoft) | None — customer-controlled |
| Training data provenance | Unverifiable | Fully auditable (if self-trained) |
| Network dependency | Internet required | LAN-only operation possible |
| Shadow AI risk | High | None — no consumer alternative |
Trade-offs: Local deployment requires capital expenditure (hardware), technical expertise (deployment, maintenance), and capacity planning (GPU resources, model selection). For organizations where data sovereignty is non-negotiable — healthcare, defense, finance, critical infrastructure — these trade-offs are features, not bugs.
10. Recommendations
For Organizations Currently Using Cloud AI
- Conduct a telemetry audit. Inventory every AI API call leaving your network. Document vendor, model, data classification of prompts, and applicable regulatory regime.
- Ban consumer-tier shadow AI. Implement technical controls (DNS filtering, DLP, endpoint detection) to prevent employees from using consumer ChatGPT, Gemini, or Claude for work purposes.
- Review deployment types. If using Azure OpenAI, avoid "Global" deployments for sensitive workloads. If using Google Vertex AI, verify data location settings and replication policies.
- Implement gateway logging. Accept that native vendor logs are insufficient. Deploy an API gateway with input/output auditing — and secure the gateway with the same rigor as the AI service itself.
- Document Transfer Impact Assessments. For EU or cross-border data, maintain TIAs for every cloud AI service. Update them when models change.
- Monitor regulatory evolution. The PIPEDA OpenAI investigation is not the end. Expect sector-specific guidance from health authorities, financial regulators, and defense procurement.
For Organizations Evaluating AI Strategy
- Classify data before selecting architecture. Not all AI workloads require the same privacy posture. Public marketing copy generation? Cloud AI may be appropriate. Patient diagnosis support? Local inference is likely mandatory.
- Pilot with local deployment. Test model capabilities, integration patterns, and user workflows on local hardware before committing to cloud API contracts. Migration from local to cloud is trivial. Migration from cloud to local is a data-retention nightmare.
- Negotiate contracts with telemetry carve-outs. Enterprise agreements should explicitly define what metadata vendors may retain, for how long, and for what purposes. Most standard agreements are silent on metadata.
11. About This Report
This audit was prepared by elect-rix Technology Solutions, operating under RixBot Technologies Inc., a New Brunswick corporation. We design, deploy, and audit local AI infrastructure for organizations that cannot accept the data-sovereignty risks of cloud-hosted models.
Our methodology combines vendor documentation review, regulatory tracking, and hands-on infrastructure assessment. We do not sell cloud AI subscriptions. We sell control.
For a confidential assessment of your organization's AI telemetry exposure, contact elect-rix Technology Solutions via the contact page. All engagements begin with a scoped, fixed-fee assessment and a signed confidentiality agreement.
Sources and References
- Microsoft Learn. "Data, Privacy, and Security for Models Sold by Azure in Microsoft Foundry." https://learn.microsoft.com/en-us/legal/cognitive-services/openai/data-privacy
- Microsoft Learn. "Implement Advanced Monitoring for Azure OpenAI in Foundry Models Through a Gateway." https://learn.microsoft.com/en-us/azure/architecture/ai-ml/guide/azure-openai-gateway-monitoring
- Journey Of The Geek. "Logging in Azure OpenAI Service." https://journeyofthegeek.com/2023/04/13/logging-in-azure-openai-service/
- AWS Documentation. "Data Protection in Amazon Bedrock." https://docs.aws.amazon.com/bedrock/latest/userguide/data-protection.html
- AWS. "AWS Data Privacy FAQs." https://aws.amazon.com/compliance/data-privacy-faq/
- Google Cloud. "Service Specific Terms." https://cloud.google.com/terms/service-terms
- Google Workspace. "Generative AI Security, Compliance and Privacy." https://workspace.google.com/security/ai-privacy/
- Office of the Privacy Commissioner of Canada. "PIPEDA Findings #2026-002: Joint Investigation of OpenAI OpCo, LLC." May 6, 2026. https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2026/pipeda-2026-002/
- Concentric AI. "Google Gemini Security Risks and Privacy Concerns Explained." https://concentric.ai/google-gemini-security-risks/
This report is provided for informational purposes and does not constitute legal advice. Organizations should consult qualified legal counsel for guidance on specific compliance obligations.
© 2026 elect-rix Technology Solutions / RixBot Technologies Inc. All rights reserved.
Your Organization's AI Telemetry: Audited
Want a confidential assessment of your AI infrastructure's data exposure? We map every vendor, model, and regulatory gap — and deliver a board-ready report.
Request an Assessment