

AI tools can be safe for project data and intellectual property, but only when they are designed and deployed with strong security controls, clear IP terms, and disciplined internal practices. The question is not whether AI is inherently risky for steel estimators, but whether the specific tools you adopt meet the standards that authoritative frameworks already define for any enterprise software handling sensitive information.
This article sits under The Ultimate Guide to Steel Estimating and walks through what data and IP protection actually means for AI estimating tools, what frameworks like NIST and SOC 2 expect, and what questions you should ask any vendor (including LIFT) before uploading your drawings.
Steel estimators handle some of the most sensitive information in any project:
The risk surface widens with AI because the data is no longer just stored locally. It is processed by models, transmitted across networks, and sometimes (depending on the vendor) used to train shared systems that other customers also touch. That makes vendor security posture a procurement question, not just an IT question.
For more on adopting AI without disrupting existing workflows, see How AI Integration Transforms Existing Steel Estimating Workflows Without Disrupting Your Team.
Two frameworks set the bar that any AI estimating tool should be measured against.
NIST AI Risk Management Framework (AI RMF 1.0). Released by the US National Institute of Standards and Technology in January 2023, the NIST AI RMF provides voluntary guidance for organizations designing, developing, deploying, or using AI systems. It covers the full AI lifecycle from design through retirement and explicitly addresses risks to security, privacy, data integrity, and intellectual property. NIST organizes the framework around four functions: Govern (oversight and accountability), Map (context and risk identification), Measure (analysis and tracking), and Manage (prioritize and respond to risk). The framework is voluntary, but it has become the de facto standard for enterprise AI risk management.
SOC 2 Trust Services Criteria. Developed by the AICPA (American Institute of Certified Public Accountants), the SOC 2 framework evaluates an organization's controls across five trust categories: Security (required for every SOC 2 audit), Availability, Processing Integrity, Confidentiality, and Privacy. The 2017 Trust Services Criteria, updated in 2022 with revised points of focus, define what auditors examine when validating that a SaaS or AI platform handles customer data responsibly. SOC 2 reports come in two types: Type I evaluates control design at a point in time, Type II evaluates operating effectiveness over a period (typically 6-12 months).
Together, NIST AI RMF and SOC 2 give procurement teams a defensible baseline for evaluating any AI estimating vendor.
Drawing from NIST AI RMF and the AICPA Trust Services Criteria, modern AI construction tools should meet the same standards as other enterprise SaaS platforms.
Encryption in transit and at rest. Strong encryption (typically TLS 1.2+ in transit and AES-256 at rest) is now a baseline expectation for any platform handling customer data. The AICPA's SOC 2 security criteria (Common Criteria CC6) cover logical and physical access controls including encryption.
Access control and tenant isolation. SOC 2 emphasizes role-based access control, multi-factor authentication, and strict least-privilege policies. For multi-tenant SaaS platforms, tenant isolation is critical to prevent one customer's data from being accessible to another.
Logging, monitoring, and incident response. SOC 2 Common Criteria CC7 cover system operations including central logging, anomaly detection, and breach response procedures. NIST AI RMF's "Manage" function specifically calls for incident detection and response capabilities for AI systems.
Data residency and regulatory alignment. Enterprise buyers increasingly expect data residency options, GDPR/CCPA alignment where applicable, and clear data handling policies that align with their own compliance obligations.
The point is not that every AI estimating tool needs every certification on day one. The point is that you should be able to ask a vendor where they stand on each of these dimensions and get a substantive answer.
AI introduces some IP risks that traditional estimating tools did not have. The NIST AI RMF explicitly identifies intellectual property as one of the risk areas the framework is designed to address, alongside security, privacy, and data integrity.
Three risk areas worth understanding:
Training on your data. If an AI vendor uses your drawings or BOMs to train shared models without clear restrictions, there is a risk that patterns from your projects could influence outputs for other customers. The mitigating control is a clear contractual statement about whether customer data is used for cross-tenant model training and, if so, how it is de-identified.
Public or consumer AI tools. Sending confidential drawings into general-purpose consumer AI tools (the kind that store inputs to improve their service) can violate NDAs or data protection obligations to your customers. The fix is using purpose-built enterprise AI tools with explicit data handling commitments, not consumer-grade tools.
Unclear ownership of outputs. Who owns the BOM the AI generates from your drawings? Who owns any model improvements that came from your usage? These questions need clear contractual answers, not assumptions. NIST AI RMF's "Govern" function calls for explicit ownership and accountability documentation.
For a deeper look at the broader risk landscape, see What AI Can and Cannot Do in Steel Estimating: Setting Realistic Expectations.
Both NIST AI RMF and standard SOC 2 control frameworks recommend a combination of technical and process controls.
Classify and minimize data. Decide which project files are safe to send to AI tools and which should be masked or excluded. Avoid feeding unnecessary sensitive data into any system. NIST AI RMF's "Map" function specifically calls for data inventory and risk classification as a starting point.
Enforce strong access control. Use role-based permissions so only authorized estimators and managers can upload and access AI outputs. Combine with single sign-on (SSO) and multi-factor authentication for any users with access to sensitive project data.
Encrypt everything. Confirm your AI tools encrypt data at rest and in transit. The AICPA Trust Services Criteria treat encryption as a foundational security control under SOC 2.
Audit and monitor. Run regular audits and use monitoring tools to spot unusual data access or cross-project leaks. SOC 2 Common Criteria CC7.3 covers monitoring controls; NIST AI RMF's "Manage" function calls for ongoing risk monitoring.
Clarify IP in contracts. Use IP ownership agreements and clear data-use terms with AI vendors, especially regarding training data, model improvements, and output ownership. The cost of getting these clauses right at contract signing is trivial compared to fixing them later.
LIFT is an AI-powered SaaS product built specifically for structural steel takeoff. Like any enterprise AI tool, it should be evaluated against the same security and IP frameworks discussed above.
What is true about how LIFT operates:
What you should ask SketchDeck (and any AI estimating vendor) before adoption:
These are not gotcha questions. They are the questions any well-run procurement process asks, and any AI vendor serious about enterprise customers should be able to answer them with substance.
Wondering whether your team is ready to roll out an AI tool with the right controls in place? 5 Signs Your Steel Estimating Process Is Ready for an AI Transformation gives you a quick readiness check before you start a pilot.
For a steel shop considering LIFT or any other AI estimating tool, data security and IP protection should be built into the rollout plan from day one, not added as an afterthought.
A practical checklist:
Internal policies.
Vendor due diligence.
Technical implementation.
For the change management side of bringing AI to your team responsibly, see Change Management for AI in Steel Estimating: How to Bring Your Team Along.
The "is AI safe for my project data?" question has a clear answer: yes, when the tool is designed with NIST AI RMF and SOC 2-aligned controls, and when your shop deploys it with disciplined internal practices. The risk is not AI itself. The risk is treating AI tools like generic consumer software when they are handling enterprise-grade sensitive data.
The framework gives you a defensible procurement process. Ask the same questions of every vendor. Document the answers. Build the rollout plan around the controls that matter most to your customers' IP obligations and your own commercial confidentiality.
Handled this way, AI tools like LIFT can give steel estimators the speed and capacity benefits of automation while still respecting project confidentiality and protecting your IP. The first step is simple. Run a vendor security review on your shortlist and start a pilot with the tool that holds up. You can start by booking a live demo.
