AI adoption and governance: are identity controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6030
Topic starter  

TL;DR: AI use has moved into core workflows, with Nudge Security reporting that 96.0% of organizations now use OpenAI, 77.8% use Anthropic, and 17% of prompts include copy-paste or file uploads, while sensitive-data events are led by secrets and credentials at 47.9%. That makes AI governance a continuous identity and data-flow problem, not a policy exercise.

NHIMG editorial — based on content published by Nudge Security: AI Adoption Research Reveals How Widespread AI Use Is Transforming Security Governance

By the numbers:

Questions worth separating out

Q: How should security teams govern AI tools that are embedded in enterprise workflows?

A: Security teams should govern embedded AI tools as part of the identity and access model, not as standalone software.

Q: Why do AI prompts create identity and data-security risk?

A: AI prompts create risk because they can carry sensitive content outside the original system’s protection boundary.

Q: When should organisations treat an AI tool like a non-human identity?

A: Organisations should treat an AI tool like a non-human identity whenever it can access systems, move data, or take actions beyond simple chat output.

Practitioner guidance

  • Inventory AI tools and integrations continuously. Track which AI applications are present, what systems they connect to, and whether those links include productivity suites, repositories, or knowledge platforms.
  • Classify prompt data as a governed egress channel. Extend data handling rules to include copy-paste, uploads, and pasted secrets inside AI sessions.
  • Review AI scopes like delegated identities. Treat agentic tools as non-human identities with specific permissions, owners, and review intervals.

What's in the full report

Nudge Security's full research covers the operational detail this post intentionally leaves for the source:

  • An anonymized telemetry breakdown of which AI tools are most prevalent across enterprise environments.
  • The detailed prompt-volume and file-upload patterns that show how AI use is changing data movement.
  • Visibility into which business systems AI tools are most commonly integrated with, including productivity and code platforms.
  • The source report’s full methodology for interpreting observed usage across customer environments.

👉 Read Nudge Security's research on AI adoption, governance, and enterprise risk →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5523
 

AI governance has become an identity governance problem, not a model governance problem. The article shows that AI is now present in core enterprise workflows and connected to systems that already carry sensitive permissions. That means the control question shifts from approving a tool to governing its runtime position inside the identity fabric. Practitioners should stop treating AI as a separate policy domain and start treating it as part of the enterprise access model.

A few things that frame the scale:

A question worth separating out:

Q: What should teams do when AI starts connecting to productivity and code systems?

A: Teams should re-evaluate the full trust boundary, because connected systems expand the AI tool’s effective blast radius. Review which repositories, knowledge bases, and productivity applications are reachable, then narrow access to the smallest workable set. If the tool can move across multiple systems, it should be governed as an access path, not a feature.

👉 Read our full editorial: AI adoption is turning governance into a real-time identity problem



   