Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Shadow AI and Copilot exposure: what IAM teams are missing


(@lalit)
Member Admin
Joined: 1 year ago
Posts: 257
Topic starter  

TL;DR: Financial services teams are using GenAI to accelerate coding, research, and internal app delivery, but Proofpoint says shadow AI, misconfigured Microsoft 365 permissions, and third-party integrations are creating new data leakage paths that security leaders cannot ignore. The governance gap is now about controlling data access and prompt-time exposure, not blocking AI outright.

NHIMG editorial — based on content published by Proofpoint: GenAI, shadow AI, and data security in financial services

Questions worth separating out

Q: How should security teams govern shadow AI without blocking productivity?

A: Use visibility-based controls instead of blanket bans.

Q: Why do sanctioned AI assistants create data exposure risk in collaboration platforms?

A: Sanctioned AI assistants inherit the permissions of the repositories they query, so any over-shared file or loosely governed workspace can become visible through the assistant interface.

Q: What do organisations get wrong about AI-enabled third-party apps?

A: Many teams focus on the AI tool itself and miss the integrations attached to it.

Practitioner guidance

  • Inventory all AI entry points Map approved GenAI tools, browser-based LLM use, and AI-enabled integrations that can access corporate content.
  • Re-review collaboration permissions for AI exposure Audit SharePoint, OneDrive, and team-space access to find content that would become visible if queried through an AI assistant.
  • Apply prompt-time data controls Use redaction, blocking, and exception handling for prompts that contain confidential or regulated information.

What's in the full article

Proofpoint's full article covers the operational detail this post intentionally leaves for the source:

  • How the Fintech team used Proofpoint Endpoint DLP and ITM to redact sensitive data in real time for approved exceptions.
  • How the hedge fund structured an AI oversight committee across legal, IT, security, and data science to manage approvals.
  • How Proofpoint Managed Services escalated DLP incidents based on business requirements and risk priority.
  • How the organisations trained employees who were granted access to public GenAI tools such as Gemini and Grok.

👉 Read Proofpoint's analysis of GenAI data exposure and shadow AI in finance →

Shadow AI and Copilot exposure: what IAM teams are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Shadow AI is now a governance failure, not just a policy violation. The article shows employees will use AI whenever it improves productivity, which means security teams cannot rely on prohibition alone. Once corporate data is sent to unapproved LLMs, the organisation loses control over retention, audit, and downstream processing. That makes AI usage governance part of the broader identity and data security stack, not a side issue for awareness training. The practitioner conclusion is to govern the data path, not only the app list.

A question worth separating out:

Q: How should IAM and data security teams respond to AI-driven leakage risk?

A: They should treat AI as an access path to sensitive information and align identity review, data classification, and DLP controls around that reality. The practical priority is to reduce over-permissioned content, control external app consent, and make exceptions visible to security and compliance owners. That approach gives governance teams a defensible view of where data can flow.

👉 Read our full editorial: Shadow AI and Copilot data exposure are outpacing governance



   
ReplyQuote
Share: