A significant gap exists between what organizations believe about their AI security and the reality of their safeguards. While many companies rely on training sessions or warnings to prevent employees from sharing sensitive data, a mere 17% have the technological controls in place to block or scan uploads to public AI tools. This leaves the vast majority of organizations vulnerable, as employees often use unmonitored devices to share customer records, financial information, or even credentials with chatbots. Once this data enters an AI system, it is nearly impossible to retrieve and could be embedded in training models for years, creating unpredictable security risks.
This issue is made worse by a dangerous overconfidence among leaders. A third of executives mistakenly believe their company has full visibility into all AI usage, but in reality, only 9% have functional governance systems. This disparity between perception and reality means organizations are largely unaware of just how much sensitive information their employees are exposing. Without visibility, they cannot track or control data flows, making them blind to potential threats.
The problem has serious compliance implications. Regulators worldwide are rapidly creating new rules for AI, with U.S. agencies issuing 59 new AI-related regulations in 2024 alone. Despite this trend, only 12% of companies see compliance violations as a major concern. Without the ability to track what employees upload to chatbots, organizations can’t meet the requirements of regulations like GDPR, which mandates a record of all processing activities, or HIPAA, which requires audit trails for patient data. This lack of visibility makes it impossible to comply with these and other critical regulations, such as SOX.
In practice, this means most companies are unable to answer fundamental questions, like which AI tools hold their customer data or how to delete it if a regulator requests it. Every employee’s use of a chatbot could, in effect, become a compliance failure. This highlights a critical need for a new approach to data security in the age of AI.
For CISOs, the report’s findings underscore two key priorities: implementing technical controls and addressing compliance. First, technical safeguards, such as blocking sensitive data uploads and scanning content before it reaches AI platforms, must become a foundational security practice. While employee training is helpful, the data shows it is not a sufficient standalone solution. Second, CISOs must demonstrate that their organizations can see and control how data moves into AI systems. Regulators are already issuing penalties, and showing a proactive approach to AI governance is now an essential part of a robust security strategy.
Reference:
