“Is AI safe?” is too broad by itself. Summarizing a public NAR page has a different risk from reading a client's financial records. Preparing a private checklist has a different risk from publishing listing remarks. Suggesting a calendar draft has a different risk from changing a contract deadline.
NAR describes Realtors as the human in the loop for AI-assisted real estate work and highlights data privacy, fair housing, copyright, and compliance risk. HUD's current overview identifies the Fair Housing Act's protected classes. HUD withdrew its 2024 digital advertising guidance in September 2025 and says it should not be relied upon as authoritative. The FTC advises businesses to collect only what they need, limit access, secure it, and honor privacy commitments. The operating design must convert those responsibilities into concrete rules.
Risk is data × action × consequence
A strong model does not reduce every part of that equation. A highly capable system with broad mailbox access and sending authority may create more risk than a smaller model producing a read-only internal report.
Ten controls that make AI safer
- Approved job. Name the business result, owner, audience, and explicit exclusions. “Help with real estate” is not an operating boundary.
- Approved tools and accounts. Maintain a register of vendor, plan, account owner, allowed use, prohibited data, retention, training setting, integrations, and review date.
- Data classification. Mark public, internal, confidential, and restricted information before choosing where it may go.
- Minimum access. Grant only the account, folder, time window, record type, and action needed. Read access is different from modify, send, delete, or admin access.
- Source visibility. Keep links to controlling documents and systems. Separate observed fact, representation, calculation, and inference.
- Deterministic rules where possible. Use ordinary logic for stable transfers, calculations, limits, and approvals. Reserve model judgment for language and controlled choices.
- Human review. Define which outputs require which authorized reviewer before they affect a client, transaction, public record, or system.
- Testing. Use representative history, edge cases, conflicts, missing data, malicious content, and known failures before live reliance.
- Logs and monitoring. Record sources, proposed and completed actions, approvals, errors, outages, and changes. Alert when a source is unavailable.
- Incident and shutdown. Name who can stop schedules, revoke tokens, preserve evidence, correct harm, notify the broker, and decide whether the employee may restart.
Use a simple data classification
| Class | Real estate examples | Default rule |
|---|---|---|
| Public | Published listing, public website, public market report, public regulation | Approved tool may use; still verify accuracy, license, and attribution |
| Internal | SOP, non-sensitive checklist, training note, internal agenda | Approved business account; no public sharing |
| Confidential | Client communication, offers, private CRM notes, transaction documents, inspection details | Only specifically approved workflow, minimum records, defined retention, human owner |
| Restricted | Passwords, API keys, authentication codes, government IDs, payment data, wire instructions, highly sensitive identity or financial data | Keep out of general AI tools; use the controlling secure system and approved specialist process |
Do not paste confidential documents into a tool simply because it has a chat box. Review the account type, vendor terms, retention, model-training use, storage, subprocessors, permissions, deletion process, and whether the brokerage approved that exact use.
Treat every permission as a separate decision
Google explains that linked apps can request different access levels, from viewing information to creating, editing, and deleting account data. Its Gmail API documentation distinguishes metadata, read, compose, modify, send, and full-mailbox access and recommends the narrowest scope possible.
Use an authority ladder:
- read public source;
- read limited approved internal source;
- prepare private report;
- prepare draft outside the live system;
- create a draft or proposed record change;
- make a narrow reversible internal change;
- send, publish, delete, sign, change rights, or move money.
Each level requires its own need, test, log, reviewer, and rollback. Never share the main account password with a third-party tool when an approved scoped connection is available. Store secrets in a secrets manager or operating-system credential store, not prompts, chat history, source files, or ordinary documents.
Fair housing risk is wider than listing remarks
Review AI use in:
- listing and neighborhood language;
- generated or altered property images;
- audience selection and ad delivery;
- lead scores, ranking, routing, and response priority;
- buyer property recommendations and search filters;
- tenant screening and qualification;
- valuation, credit, insurance, and financial recommendations;
- chatbot answers about schools, safety, demographics, or who a neighborhood is “for.”
HUD's withdrawn 2024 guidance described how automated targeting or delivery could deny people information about housing opportunities. HUD withdrew that guidance in September 2025 and says it should not be relied upon as authoritative. The withdrawal did not repeal the Fair Housing Act, but it changes what can be cited as current HUD policy. Treat platform optimization as a risk to review with the responsible broker and qualified counsel, not as proof of compliance.
Accuracy needs sources and authority
NAR's broker guidance says AI output is not fully reliable and recommends review for accuracy. In practice:
- property facts point to the listing source packet;
- contract dates point to the executed document and derivation;
- market statistics point to the report, period, geography, and calculation;
- quotes point to the original source;
- client instructions point to verified communication;
- uncertainty is labeled instead of rewritten as confidence.
A citation does not transfer responsibility. The authorized human still checks that the source controls the fact, is current, applies to the situation, and supports the output.
Business documents can contain hostile instructions
An email, webpage, PDF, form submission, or CRM note may contain text that tells the AI to ignore its rules, expose data, send a message, or take another action. Treat retrieved content as untrusted evidence, not instructions. The employee's operating rules come from the approved system configuration.
Reduce the danger by separating instructions from data, limiting tools, filtering destinations, requiring structured outputs, blocking secret retrieval, using allowlists for consequential actions, and keeping outbound work behind approval.
Vendor review questions
- What data is collected, stored, retained, and used for training?
- Which account plan and settings apply to the proposed use?
- Which subprocessors and regions handle the data?
- Can access be narrowed by scope, folder, record, role, and time?
- Can the business export and delete its data?
- What logs, alerts, backups, and incident notifications exist?
- What happens when the product, model, price, terms, or permissions change?
- Who owns the connected account and can revoke it?
A recognizable brand does not approve every workflow. A tool may be appropriate for public brainstorming and inappropriate for confidential transaction files under the same account.
What should always begin behind human review
Some narrow actions may earn more authority after approval and testing, but the decision should be explicit. Technical capability is not business authorization.
A prelaunch safety test
- Normal cases. Representative daily work with known accepted outputs.
- Missing data. The source is absent, stale, unavailable, or lacks a required field.
- Conflicts. Two approved sources disagree.
- Wrong identity. Similar names, properties, threads, or transactions.
- Permission denial. A tool or account refuses access mid-run.
- Hostile content. A document or message contains instructions aimed at the employee.
- Unsafe request. A user asks the system to exceed policy or authority.
- Duplicate run. The schedule or webhook fires twice.
- Outage. Model, vendor, network, or source is unavailable.
- Shutdown. The owner stops the workflow, revokes access, preserves the log, and confirms no queued action remains.
The first fifteen minutes of an incident
- Stop. Use the kill switch to stop the schedule, connection, or action without destroying evidence.
- Protect. Escalate urgent client, transaction, privacy, fair housing, financial, or security risk to the responsible broker or specialist.
- Preserve. Keep source, output, recipients, user, permissions, timestamps, logs, and known changes.
- Contain. Revoke the minimum affected token, session, account, or permission when authorized.
- Correct and notify. Follow brokerage, legal, regulatory, insurer, vendor, MLS, and client response requirements.
- Fix the control. Update the source rule, permission, test, approval, or monitoring that allowed the failure before restart.
Safest useful first employee
Start with a private read-only report over one approved source. Examples: CRM cleanup candidates, transaction exceptions, inbox triage, or a daily calendar brief. Require source links and no live changes. Run it beside the current process, log misses and false alarms, and only add draft creation or narrow writes after the output proves useful.
The brokerage AI use-policy guide provides the broader governance framework. The AI system comparison helps choose the simplest behavior. Each workflow guide on this site defines its own sources, tests, permissions, and human line.
Frequently asked questions
Is a paid AI account safer than a free account?
It may provide different controls, contracts, retention, or data-use settings, but price alone is not the review. Check the exact product, plan, settings, terms, connection, data, and use.
Can AI read client emails?
Only through approved access and for an approved purpose. Use minimum OAuth scopes, restrict the records and actions, protect confidential information, log access, and keep reply sending behind the defined reviewer.
Should Realtors disclose AI use?
The trigger depends on the workflow, representation, applicable requirements, brokerage policy, and client expectation. Define it before launch instead of leaving each user to improvise.
Can a safety checklist eliminate mistakes?
No. Controls reduce probability and consequence and improve detection and recovery. Keep monitoring, human judgment, and a shutdown path.
Primary sources
- National Association of REALTORS®, Artificial Intelligence in Real Estate.
- National Association of REALTORS®, Hot Topics in Broker Risk Reduction.
- U.S. Department of Housing and Urban Development, Housing Discrimination Under the Fair Housing Act. Current protected-class and enforcement overview.
- U.S. Department of Housing and Urban Development, Notice of Withdrawal of FHEO Guidance Documents, September 17, 2025. This notice withdrew the 2024 digital-advertising guidance and says it should not be relied upon as authoritative.
- Federal Trade Commission, Start with Security.
- Federal Trade Commission, Privacy and Security.
- Google Account Help, Share Some Access to Your Google Account Data with Apps from Other Developers.
- Google for Developers, Choose Gmail API Scopes.
Editorial note: Laws, guidance, vendor terms, and product controls change. Adapt this operating framework with the responsible broker and qualified professionals. Last reviewed July 13, 2026.
Map the risk before connecting the data.
The AI Employee Map defines the job, data classes, minimum access, authority, human review, tests, monitoring, and kill switch.
Book the $250 AI Employee Map