AI Tools for Construction Companies — What's Safe, What's Not
By Tom Hermstad · HD Tech

Quick Answers: AI Tools for Construction
What AI tools are safe for construction companies?
Safe AI tools for construction companies are those with enterprise data agreements that do not use your inputs to train their models. These include Microsoft Copilot for M365 (works inside your existing Microsoft environment), Procore's AI features (data stays within your Procore account), Autodesk AI within Autodesk Construction Cloud, and Buildertrend AI features for residential builders. General-purpose tools like standard ChatGPT, Claude.ai, and Gemini should not receive client names, project budgets, or subcontractor financials.
What data should construction companies never enter into AI tools?
Never enter into a general AI tool: client names combined with project details, bid pricing or cost breakdowns, subcontractor quotes and financial terms, contract language containing proprietary terms, employee personal data, bonding capacity or financial statements, or any information covered by an NDA with a client or GC. Sharing this information with a third-party AI service can expose you to liability and competitive harm.
Is it safe to use AI to write construction proposals?
AI can safely help with proposal structure, boilerplate language, and proofreading — as long as you do not paste in actual client-specific data, real pricing, or proprietary scope details. Use AI on a sanitized version of your scope, then populate real project details yourself. Tools like Microsoft Copilot within your own tenant are safer for this since data stays inside your environment.
Do construction companies need a cybersecurity policy for AI?
Yes, and general contractors are increasingly requiring it. Public agencies and large GCs are adding cybersecurity addenda to subcontract agreements requiring subs to have written IT policies, including AI use policies. Without one, you may be unable to qualify for certain public works or private GC relationships by 2026–2027.
Where Construction Companies Are Getting Burned
The construction industry is rapidly adopting AI — for takeoffs, scheduling, RFI responses, safety reports, and client communications. The efficiency gains are real. The risk is equally real and mostly invisible until something goes wrong.
The most common exposure we see: project managers using ChatGPT to draft RFI responses or change order justifications, pasting in actual project details, subcontractor quotes, or client communications. That data now lives on OpenAI's servers. In a competitive bid environment, that can mean your pricing strategy or scope approach is no longer confidential.
AI Risk by Construction Role
| Role | Common AI Use | Risk Level | Safer Alternative |
|---|---|---|---|
| Project Manager | RFIs, schedules, daily reports | Medium — client and project data | Procore AI, Copilot in M365 |
| Estimator | Bid proposals, quantity takeoffs | High — pricing and competitive data | Copilot in Excel, ProEst AI |
| Field Superintendent | Safety reports, punch lists | Low — if no PII or financials | Most tools acceptable for general content |
| Owner/Principal | Client emails, contract summaries | High — contract terms, NDA content | Copilot in Outlook within M365 tenant |
| HR/Admin | Job postings, onboarding docs | Medium — employee personal data | Copilot in M365, no employee PII in prompts |
What Procore AI Actually Does With Your Data
Procore's AI features (as of 2026) operate within your Procore account under their enterprise data agreement. Procore states they do not use customer data to train shared AI models. Their AI assists with RFI drafts, submittals, and schedule analysis using your project data — but that data stays within Procore's environment and your account. This makes it substantially safer than general AI tools for project-level work.
Ransomware Is Still the Bigger Threat
AI data leakage is a real but slow-burn risk. Ransomware is the acute threat. According to Sophos's 2024 State of Ransomware report, construction is one of the top-five targeted industries, with an average ransom payment of $1.2 million and average recovery costs exceeding $2 million. Construction firms are targeted because they have large transactions, thin IT security, and high pressure to pay quickly to keep projects on schedule.
AI adoption without corresponding security hygiene (patching, MFA, backup verification) increases this risk — AI tools mean more cloud services, more API integrations, and more attack surface for ransomware actors to exploit.
Tom Hermstad, President of HD Tech: "We have GC clients who require their subs to provide proof of cyber insurance and a written IT policy before award. It started with public works — now we see it in private GC agreements too. Having the policy and the coverage is becoming table stakes to bid certain work."
What a Construction Firm AI Policy Needs to Cover
A practical AI policy for a construction company does not need to be 20 pages. It needs to cover: (1) approved AI tools by role; (2) a clear prohibited data list (bids, client financials, contract terms, employee PII); (3) a sign-off that employees have read it; and (4) a process for requesting approval for a new AI tool. That is it. HD Tech can provide a template in under an hour.
Frequently Asked Questions
Yes — purpose-built tools like Togal.AI, Countfire, and Stack CT use AI for takeoffs within their own platforms with proper data controls. Using general ChatGPT to analyze uploaded drawings or quantity data is higher risk since that information goes to OpenAI's servers. Stick to platform-native AI for quantity data.
Most current cyber policies were written before widespread AI adoption and may not explicitly cover data leakage via AI tools. Review your policy with your broker and ask specifically about third-party AI tool coverage. Some insurers are adding exclusions or requiring AI use disclosures in renewals as of 2025–2026.
Keep it simple. A 15-minute onboarding covering: here are the approved apps, here is the list of things you never type into any AI tool, and here is who to ask if you want to use something new. Pair it with a one-page cheat sheet on the job trailer bulletin board. Compliance is about removing friction, not adding lectures.
Tools like Buildots, Alice Technologies, and SmartPM operate as SaaS platforms with standard enterprise data agreements. Review their DPA before use, particularly around subprocessors. For schedule data that includes pricing tied to activities, understand whether that data leaves the platform for AI processing or stays local.
Minimum baseline for 2026: MFA on all accounts (especially email and cloud storage), a managed backup solution verified monthly, endpoint protection (not just antivirus), and cyber liability insurance. Beyond that, your IT support needs to be someone who proactively monitors — not just someone you call when things break.
Get a Free IT and AI Risk Review for Your Construction Firm
HD Tech works with construction companies across Orange County to evaluate their current technology stack, identify AI and cybersecurity risks, and put a policy in place that satisfies GC requirements. Free assessment, no sales pressure.
Schedule Your Free IT Health Check or call 877-540-1684.
Serving Construction Companies Across Southern California
HD Tech provides managed IT and cybersecurity services to construction companies in Orange County, Los Angeles, Irvine, Anaheim, Fullerton, Santa Ana, Long Beach, Riverside, and throughout the Southern California region.

Tom Hermstad
President & CMO, HD Tech
Tom Hermstad has led HD Tech since 1995, building one of Southern California's most trusted managed IT and cybersecurity firms. He specializes in helping Orange County businesses eliminate IT headaches and stay ahead of evolving cyber threats — in plain English.
