Stephen John T. Carlos
A. Business Rationale: Why Explicit AI/Agent Access Controls Are Critical
- Restoring AI Productivity: HIPAA compliance disables ClickUp Brain AI and Agents from automating or updating private lists and custom fields, reducing productivity for regulated organizations that rely on AI.
- Operational Flexibility: The current “all or nothing” approach (make lists public or lose AI) is impractical for sensitive workflows. Allowing explicit, auditable consent for AI access would enable automation where appropriate, without broadly weakening privacy.
- Consistency and Transparency: If AI can comment on tasks (even with sensitive info) but not update fields or automate, the privacy boundary is unclear. Confirmation-based access would make the process transparent and auditable, supporting compliance.
B. Privacy Risks and Confirmation-Based Access
- Risk of Unauthorized Disclosure: Granting AI/Agent access to private lists could expose PHI or sensitive data to automation or third-party subprocessors. However, ClickUp’s AI respects user permissions and has “zero data retention” agreements for HIPAA workspaces.
- Mitigation via Explicit Consent: Requiring explicit, logged confirmation before granting AI/Agent access would mitigate risk by:
i. Ensuring only authorized admins grant access.
ii. Providing an audit trail.
iii. Allowing risk-based decisions per list or field.
- No Additional Exposure vs. Comments: Since AI can already comment on tasks, the incremental risk of allowing field updates—when explicitly confirmed—appears limited, especially if all actions are logged and subject to zero-retention and audit requirements.
C. Clarification for ClickUp Devs
- What privacy or compliance risk remains if explicit, auditable confirmation is required before granting AI/Agent access to private lists or fields in HIPAA workspaces?
- Given AI can already comment on tasks, what additional risk is prevented by blocking field updates or automation, assuming all actions are logged and subject to zero-retention agreements?
- Would ClickUp consider granular, confirmation-based access control for AI/Agents, so regulated organizations can selectively enable automation without broadly weakening privacy?
Chari Cada
Agents are not able to fill in custom fields or task field attributes when they come from private lists, even when permissions are granted.