By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: ProofpointPublished January 16, 2026

TL;DR: Financial services teams are using GenAI to accelerate coding, research, and internal app delivery, but Proofpoint says shadow AI, misconfigured Microsoft 365 permissions, and third-party integrations are creating new data leakage paths that security leaders cannot ignore. The governance gap is now about controlling data access and prompt-time exposure, not blocking AI outright.


At a glance

What this is: Proofpoint’s analysis says GenAI is already embedded in finance workflows, but shadow AI, permissive collaboration settings, and third-party integrations are expanding data loss risk faster than governance can keep up.

Why it matters: IAM, IGA, and data security teams need to treat GenAI tools as access paths to sensitive information, because the same permission mistakes that overexpose files can now surface that data directly inside AI workflows.

👉 Read Proofpoint's analysis of GenAI data exposure and shadow AI in finance


Context

GenAI has moved from experimentation into daily business use, which means the control problem has shifted from whether employees will use AI to how organisations govern the data those systems can reach. In finance, that matters because sensitive files, research inputs, and source code can be exposed through collaboration platforms and connected applications if permissions are too broad or misconfigured.

The identity angle is straightforward: when sanctioned tools, browser extensions, and AI-enabled integrations inherit existing access rights, IAM and IGA decisions become data-security decisions. Shadow AI adds an unmanaged layer on top, because it bypasses approved access paths entirely and makes visibility, auditability, and policy enforcement much harder.


Key questions

Q: How should security teams govern shadow AI without blocking productivity?

A: Use visibility-based controls instead of blanket bans. Identify which tools are in use, who is using them, and what data they can access, then apply targeted policies by role and data sensitivity. That approach preserves legitimate AI adoption while reducing exposure from unsanctioned tools and unreviewed data paths.

Q: Why do sanctioned AI assistants create data exposure risk in collaboration platforms?

A: Sanctioned AI assistants inherit the permissions of the repositories they query, so any over-shared file or loosely governed workspace can become visible through the assistant interface. When access groups are too broad, AI can surface material that users were never meant to find through normal navigation. The control issue is least privilege, not model quality.

Q: What do organisations get wrong about AI-enabled third-party apps?

A: Many teams focus on the AI tool itself and miss the integrations attached to it. AI-enabled apps can pull data into supplier environments, expand consent scopes, and create new retention and audit gaps. Organisations need to review app permissions as part of their identity and data governance programme, especially where tenant-wide consent is already in place.

Q: How should IAM and data security teams respond to AI-driven leakage risk?

A: They should treat AI as an access path to sensitive information and align identity review, data classification, and DLP controls around that reality. The practical priority is to reduce over-permissioned content, control external app consent, and make exceptions visible to security and compliance owners. That approach gives governance teams a defensible view of where data can flow.


Technical breakdown

Shadow AI turns GenAI usage into an unmanaged access channel

Shadow AI is not just unsanctioned software use. It is a parallel access path where employees place corporate data into public or unapproved LLMs, often outside logging, data loss prevention, and retention controls. Once information enters that workflow, organisations lose line of sight into where it is stored, processed, and potentially reused. The governance issue is not only user behaviour. It is that identity, device, and data policy controls were never extended to the tool in the first place.

Practical implication: classify approved and unapproved AI use separately, then apply access policy and DLP enforcement at the prompt and session layer.

Copilot exposure follows the permissions model, not the user’s intent

Sanctioned GenAI tools inherit the security of the environment they query. If Microsoft 365 content is over-shared, poorly segmented, or tied to broad group membership, AI can retrieve information that the user did not expect to see in one place. That is a classic permissions problem, but GenAI makes it visible at conversational speed. The real failure is not the model. It is the upstream access model and the absence of least-privilege discipline across collaboration data.

Practical implication: review SharePoint, OneDrive, and M365 access paths as AI-ready data sources, not just collaboration repositories.

Third-party integrations expand the blast radius of AI data flows

Once AI is embedded into productivity tools, research apps, and developer workflows, every integration becomes a potential data egress path. The article’s example of thousands of connected applications shows how quickly the supplier surface grows, especially when AI features are bundled into tools users already trust. This creates a governance overlap between IAM, third-party risk, and data security because access decisions now determine what external services can process or retain.

Practical implication: inventory AI-capable integrations, then tighten consent, scope, and review processes for any application that can read corporate content.


Threat narrative

Attacker objective: The practical objective is to obtain sensitive corporate data through AI-assisted access paths without needing to break traditional perimeter controls.

  1. Entry begins when employees use shadow AI tools or sanctioned GenAI services with overly broad access to corporate content.
  2. Escalation occurs when misconfigured collaboration permissions or connected third-party applications expose files, prompts, and internal knowledge beyond intended audiences.
  3. Impact is data leakage, supplier-side processing of sensitive information, and increased exposure of source code, research, or regulated records.

NHI Mgmt Group analysis

Shadow AI is now a governance failure, not just a policy violation. The article shows employees will use AI whenever it improves productivity, which means security teams cannot rely on prohibition alone. Once corporate data is sent to unapproved LLMs, the organisation loses control over retention, audit, and downstream processing. That makes AI usage governance part of the broader identity and data security stack, not a side issue for awareness training. The practitioner conclusion is to govern the data path, not only the app list.

AI-ready permissions create a new form of access leakage. The Copilot example is not a model flaw. It is a permissions flaw made visible by generative interfaces that can retrieve whatever the underlying repository allows. That exposes a named concept here: conversational permission leakage, where overly broad collaboration access becomes instantly queryable through AI. The practitioner conclusion is to treat access reviews as AI exposure reviews.

Third-party AI integrations are expanding identity risk at the supply-chain edge. The finding that thousands of applications connect to a single M365 tenant shows how quickly permissions sprawl across sanctioned tools, browser extensions, and embedded AI features. This is where IAM and third-party risk converge, because consent scopes and tenant permissions now govern whether external services can process sensitive data. The practitioner conclusion is to reduce integration sprawl before it becomes an audit blind spot.

Security committees need operational authority, not just oversight language. The hedge fund’s cross-functional committee is a useful signal because GenAI governance touches legal, IT, security, and business process owners at once. Frameworks such as NIST CSF and OWASP are only effective when they are backed by enforceable access controls, data classification, and exception handling. The practitioner conclusion is to align AI governance with control ownership, not committee visibility alone.

What this signals

Conversational permission leakage: GenAI is turning old access mistakes into visible disclosure events, which means governance teams need to measure what AI can retrieve, not just what humans can browse. If collaboration permissions remain broad, AI will expose them in plain language to any user with the right prompt.

Finance and regulated enterprises should expect AI adoption to outpace policy unless controls are attached to content, consent, and exception handling. The practical next step is to connect collaboration governance with NIST AI 600-1 Generative AI Profile and internal data classification so prompt-time access reflects business risk.

This also argues for closer review of connected tools through the lens of OWASP Agentic AI Top 10, because the security problem is no longer only model misuse. It is the accumulation of data paths, consent scopes, and embedded AI features that collectively widen the blast radius.


For practitioners

  • Inventory all AI entry points Map approved GenAI tools, browser-based LLM use, and AI-enabled integrations that can access corporate content. Include sanctioned copilots, public chat tools, and embedded features inside productivity apps so security teams can apply consistent policy across the full prompt surface.
  • Re-review collaboration permissions for AI exposure Audit SharePoint, OneDrive, and team-space access to find content that would become visible if queried through an AI assistant. Prioritise sensitive projects, HR material, and regulated data, then tighten group membership and inheritance where broad read access creates conversational leakage.
  • Apply prompt-time data controls Use redaction, blocking, and exception handling for prompts that contain confidential or regulated information. Controls need to operate at the point of use so that employees can still work productively without sending sensitive text into unmanaged AI services.
  • Tighten third-party application consent Review tenant-level app consent, OAuth grants, and AI-capable integrations that can read or export enterprise data. Remove stale authorisations, restrict high-risk scopes, and require business justification for apps that process internal content outside the primary environment.

Key takeaways

  • GenAI adoption in finance is creating a governance problem where collaboration permissions, prompt-time exposure, and shadow AI all intersect.
  • Proofpoint’s examples show that misconfigured M365 content and thousands of connected applications can turn AI into a data leakage path at scale.
  • The control response is not a blanket ban, but tighter identity governance, app consent review, and data controls applied where AI actually touches information.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 address the attack surface, NIST AI RMF, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, and GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST AI RMFGOVERNThe article centres on governance for GenAI use and AI oversight committees.
NIST CSF 2.0PR.AC-4Over-broad collaboration access is the exposure path behind Copilot leakage.
NIST SP 800-53 Rev 5AC-6Least privilege is the direct control issue when AI tools inherit broad repository access.
OWASP Agentic AI Top 10NHI-03AI-enabled tools and prompt flows introduce non-human access patterns that need governance.
GDPRArt.32The article involves employee and HR data exposure through AI workflows.

Assign clear accountability for AI use, exception handling, and data access decisions across business and security teams.


Key terms

  • Shadow AI: AI agents, copilots, or connected tools operating without full visibility or governance from security teams. Shadow AI becomes an identity problem when those systems authenticate with unmanaged tokens, service accounts, or OAuth apps that can reach production resources.
  • Conversational Permission Leakage: Conversational permission leakage occurs when an AI assistant exposes information that already existed in an over-permissioned repository. The user is not exploiting the model so much as querying weak access controls through a natural-language interface, which can make legacy sharing mistakes easier to detect and abuse.
  • Prompt-Time Data Control: Prompt-time data control is the set of technical and policy measures that inspect, redact, block, or route information before it enters an AI system. It is distinct from traditional perimeter filtering because the risk happens at the moment a user submits content to an AI service.
  • AI Oversight Committee: An AI oversight committee is a cross-functional governance group that reviews use cases, data access, and risk acceptance for AI systems. In practice, it becomes effective only when it has access to logs, policy authority, and clear escalation paths, not when it exists as a symbolic review forum.

What's in the full article

Proofpoint's full article covers the operational detail this post intentionally leaves for the source:

  • How the Fintech team used Proofpoint Endpoint DLP and ITM to redact sensitive data in real time for approved exceptions.
  • How the hedge fund structured an AI oversight committee across legal, IT, security, and data science to manage approvals.
  • How Proofpoint Managed Services escalated DLP incidents based on business requirements and risk priority.
  • How the organisations trained employees who were granted access to public GenAI tools such as Gemini and Grok.

👉 The full Proofpoint article covers the Copilot exposure example, third-party app sprawl, and the controls used by two financial firms.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps security and identity practitioners build controls that scale across access, automation, and AI-adjacent risk.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org