Here's a test worth remembering. Last week a security researcher pointed SpaceXAI's Grok Build coding tool at a repo, told it to just reply "OK," and explicitly instructed it not to open any files. It uploaded the entire repository anyway — full Git history included, along with secrets that had been deleted months earlier. A separate user watched it hoover up their whole home directory: SSH keys, password-manager databases, the works.
The specific tool matters less than what it reveals. The AI sitting in your editor has read access to the single most sensitive asset your company owns — your source code and everything tucked inside it — and most teams have no idea what it actually transmits.
What happened
Per reporting from The Register and The Verge, researchers at Cereblab found that Grok Build packaged whole repos as Git bundles and shipped them, unredacted, to a cloud storage bucket — well beyond what comparable tools like Claude Code, Gemini, and Codex send when they open individual files to answer a prompt. An independent researcher called the volume of retained data "excessive," noting the exposure could include proprietary code, unpatched vulnerabilities, infrastructure details, personal data, and credentials.
SpaceXAI moved fast once it blew up: it flipped a server-side flag (disable_codebase_upload: true) that stopped the uploads, said teams on zero-data-retention were never affected, and pointed everyone else at a /privacy command. Elon Musk promised that previously uploaded data would be "completely and utterly deleted" — then, in the same breath, asked users to keep sharing because it "helps with debugging." The company later open-sourced the client.
Two things stand out, and they're the actual lesson:
- The company said "privacy settings are always respected." But turning off the visible "improve the model" toggle did not stop the uploads. What stopped them was an undocumented global flag nobody could see, and the
/privacycommand SpaceXAI recommended is a per-session retention switch — not the thing that fixed it. As the researcher put it: "The right default is off." - Nobody can verify the deletion. There's a tweet, not an incident report.
The setting you clicked and the thing the software actually does are two different facts. With an AI tool wired into your codebase, the gap between them is measured in credentials.
The trap almost everyone is in: ZDR ≠ private
The most useful thing to internalize here has nothing to do with Grok. It's that Zero Data Retention governs retention, not transmission. Your code still travels to the provider; ZDR is a promise about what they do with it after it arrives. That's a meaningful promise — but it is not "my code never leaves," and teams routinely conflate the two.
It gets worse on the plans most individuals actually use, where the default leans toward collect, as Laurie Voss catalogued: GitHub Copilot's Free/Pro tiers train on your inputs, outputs, and code snippets unless you opt out (Business and Enterprise are exempt by contract); OpenAI's Codex may train on individual-plan content unless you opt out; Cursor's Privacy Mode has to be on to stop storage and training. Enterprise tiers are generally fine. Individual seats, on defaults, frequently are not — and that's exactly what a lot of small teams are running.
What I'd actually do
You don't need to ban AI coding tools. The productivity is real and your competitors are using them. You need to treat them like what they are: data processors with deep access to your IP.
- Inventory what's in use, and on which plan. Which AI tools does your team run in editors and CI, and is each on an enterprise/Business tier or a personal seat? The personal seats are where the leakage lives.
- Know that ZDR is retention, not transmission. If code confidentiality actually matters, require enterprise tiers with ZDR and understand it doesn't mean the code stays on the machine.
- Verify the defaults against the vendor's data-use page — not the marketing. Assume "training/retention on" until you've confirmed otherwise, and re-check after updates. Settings drift; a toggle you set last quarter may not cover a feature shipped this quarter.
- Get secrets out of the blast radius. Use a secrets manager, keep credentials out of the repo, and turn on secret scanning. Do not assume the agent will honor
.gitignoreor "don't open that file" — Grok Build didn't. - For sensitive codebases, raise the floor. Enterprise/Business tiers, self-hosted or open-source agents, or local models — and write it into policy so it's a default, not a per-developer choice.
- Judge vendors by how they handle the bad day. A real incident report — affected versions, scope, what was accessed, verified deletion — is worth more than a founder's tweet. Reward the ones who publish it.
The bottom line
Grok Build will be a footnote. The pattern won't: we've wired autonomous tools with broad read access into our most sensitive systems, faster than we've built the governance to match. The AI in your editor can quietly touch more of your company's IP than most of your employees can.
That's not an argument to rip it out. It's an argument to treat it like any other processor handling your crown jewels — inventory it, tier it, verify what it sends, and keep the secrets out of its reach. The convenience arrived by default. The controls won't.
- AI coding
- data governance
- source code
- secrets
- vendor risk



