Echoing what another commenter said, depending on your industry, the data you deal with, and competitive landscape, what your CIO said may be sensible. Note especially that parent commenter works at a small startup, where security posture is typically more lax, for good business reasons.
One very common risk is simply giving another company your clients data. Your company may have confidentiality contracts with its corporate clients that prevent this. Alternatively, consider for example the situation where you are trying to integrate AI into a customer service process. Your customers may have some legally protected expectation of how their personal data is processed by your company.
