TL;DR: Lasso Security's research found that 13% of employee-submitted GenAI prompts contained sensitive organizational data, with 30% of code-sharing prompts exposing credentials or proprietary code and 38% of network-exposure prompts revealing internal infrastructure details. The risk is not the chatbot itself but the governance gap between everyday employee use and enforceable data-sharing controls.
NHIMG editorial — based on content published by Lasso Security: Lasso Research Reveals 13% of Generative AI Prompts Contain Sensitive Organizational Data
By the numbers:
- 13% of employee-submitted prompts to GenAI chatbots contained security or compliance risks.
- 30% of prompts in the code and token sharing category included exposed credentials, secrets, or proprietary code.
- 38% of network information exposure prompts posed direct risks by enabling network reconnaissance and unauthorized access.
Questions worth separating out
Q: How should security teams prevent employees from sharing sensitive data in GenAI prompts?
A: Combine policy, browser-level enforcement, and user education.
Q: Why do GenAI chat tools create data leakage risk for IAM and security teams?
A: Because authentication does not control disclosure.
Q: What do organisations get wrong about prompt injection and jailbreak risk?
A: They often treat the problem as model behaviour alone.
Practitioner guidance
- Block sensitive data at the point of prompt submission: inspect prompts before they leave the browser or enterprise gateway and stop secrets, credentials, customer data, and regulated content from being submitted to GenAI tools.
- Define allowed-data rules by role and tool: publish clear controls for which employee groups can use which GenAI tools, and map permitted data classes to each approved use case.
- Discover and catalogue shadow LLM usage: inventory every GenAI platform and assistant in use across the organisation, including personal accounts and browser-based tools that bypass central procurement.
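As an added illustration of the three guidance points above (this is not Lasso's code; the detector patterns, the role-and-tool policy table and the sample prompts are all constructed assumptions), here is a minimal pre-submission inspector of the kind an enterprise gateway or browser extension would run. It classifies a prompt into the data classes the report names (credentials and code, network details, PII), checks the submitting role and tool against an allow-list so that unapproved tools are refused outright, and redacts credential material rather than letting it leave the organisation.

```python
"""Pre-submission prompt inspection for a GenAI gateway (added illustration)."""
import re
from dataclasses import dataclass, field

# Detector patterns, grouped by the data class they reveal. These are
# constructed, deliberately simple regexes for illustration; a production
# gateway would use a maintained secret-scanning ruleset with validators.
DETECTORS = {
    "secrets": {
        "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
        "private_key_block": re.compile(
            r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
            r"(?:[\s\S]*?-----END (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)?"),
        "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
        "assigned_credential": re.compile(
            r"(?i)\b(?:api[_-]?key|secret|token|password)\s*[=:]\s*['\"]?[A-Za-z0-9_\-]{16,}"),
    },
    "network": {
        "private_ipv4": re.compile(
            r"\b(?:10\.\d{1,3}(?:\.\d{1,3}){2}|192\.168(?:\.\d{1,3}){2}"
            r"|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2})\b"),
        "internal_hostname": re.compile(
            r"\b[a-z0-9-]+\.(?:corp|internal|intranet|local)\b", re.I),
    },
    "pii": {
        "email_address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
        "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    },
}

# Policy: (role, tool) -> data classes that may appear in a submitted prompt.
# Secrets are never an allowed class for anyone. A (role, tool) pair absent
# from this table is treated as unapproved (shadow LLM usage). Values are
# constructed for the example.
POLICY = {
    ("developer", "enterprise-assistant"): {"network"},      # may discuss internal hosts
    ("support-agent", "enterprise-assistant"): {"pii"},      # may paste customer tickets
    ("analyst", "enterprise-assistant"): set(),              # general questions only
}


@dataclass
class Decision:
    action: str                                   # "allow", "block" or "redact"
    reason: str
    findings: dict = field(default_factory=dict)  # data class -> detector names


def inspect(prompt: str) -> dict:
    """Return {data_class: [detector_name, ...]} for every detector that fires."""
    hits = {}
    for data_class, patterns in DETECTORS.items():
        names = [name for name, rx in patterns.items() if rx.search(prompt)]
        if names:
            hits[data_class] = names
    return hits


def redact(prompt: str) -> str:
    """Replace matched credential material so the rest of the prompt can still be sent."""
    for name, rx in DETECTORS["secrets"].items():
        prompt = rx.sub(f"[REDACTED:{name}]", prompt)
    return prompt


def decide(prompt: str, role: str, tool: str) -> Decision:
    """Gateway decision for one prompt, evaluated before it leaves the enterprise."""
    if (role, tool) not in POLICY:
        return Decision("block", f"tool '{tool}' is not approved for role '{role}'")
    findings = inspect(prompt)
    if "secrets" in findings:
        # Credentials are never shareable; strip them rather than refusing outright,
        # so the employee still gets help with the surrounding question.
        return Decision("redact", "credential material removed before submission", findings)
    disallowed = sorted(c for c in findings if c not in POLICY[(role, tool)])
    if disallowed:
        return Decision("block", "data class(es) not permitted: " + ", ".join(disallowed), findings)
    return Decision("allow", "no restricted data classes detected", findings)


if __name__ == "__main__":
    # Constructed sample prompts; the AWS key is the public AWS documentation example.
    samples = [
        ("boto3 fails with AKIAIOSFODNN7EXAMPLE, why?", "developer", "enterprise-assistant"),
        ("Our bastion 10.20.30.40 cannot reach db01.corp; why?", "developer", "enterprise-assistant"),
        ("Our bastion 10.20.30.40 cannot reach db01.corp; why?", "analyst", "enterprise-assistant"),
        ("Explain the TLS 1.3 handshake", "analyst", "free-chatbot"),
    ]
    for prompt, role, tool in samples:
        d = decide(prompt, role, tool)
        print(f"{role:13} {tool:20} {d.action:6} {d.reason} {d.findings}")
        if d.action == "redact":
            print("  forwarded as:", redact(prompt))
```

The design point is that the decision is made on the submission path, not by the model: the same prompt is allowed for one role and blocked for another, and a credential is removed before the request exists outside the gateway, which is the enforceable counterpart to a written acceptable-use policy.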
What's in the full report
Lasso Security's full research covers the operational detail this post intentionally leaves for the source:
- The underlying prompt-category breakdown across code, network, PII, PCI, and safety exposure
- The browser-based protection workflow that Lasso describes for blocking prompt submission
- The Shadow LLM discovery approach for locating unapproved GenAI tools across the enterprise
Read Lasso Security's research on sensitive data exposure in GenAI prompts.