Notifications
Clear all
Topic starter
11/06/2026 11:28 pm
TL;DR: Enterprise telemetry shows 45% of employees already use generative AI, 77% paste data into prompts, and 67% of AI usage happens through unmanaged personal accounts, making AI the largest blind spot for data exfiltration in the modern enterprise, according to LayerX Security. The security problem is no longer adoption, but the collapse of governance around unsanctioned identity and clipboard-driven leakage.
NHIMG editorial — based on content published by LayerX Security: Enterprise AI and SaaS Data Security Report 2025
By the numbers:
- 45% of enterprise employees are already using generative AI tools.
- 77% of employees paste data into GenAI prompts.
- 67% of AI usage happens through unmanaged personal accounts.
Questions worth separating out
Q: How should security teams stop employees pasting sensitive data into AI prompts?
A: Security teams should control the browser or endpoint where the paste occurs, not rely only on network or file DLP.
Q: Why do unmanaged AI accounts create a governance problem for IAM teams?
A: Unmanaged AI accounts break the link between identity, policy, and accountability.
Q: How do organisations know whether AI usage is becoming shadow IT?
A: Look for AI activity that occurs outside SSO, outside managed endpoints, or through personal accounts that cannot be tied back to enterprise policy.
Practitioner guidance
- Instrument browser-level paste controls Inspect copy and paste events in the browser before data reaches AI prompts, chat windows, or web forms.
- Reclassify non-federated AI access as unmanaged Inventory AI tools used with personal accounts or non-SSO logins and treat them as shadow access until they are bound to enterprise identity controls.
- Apply destination-aware data policy Allow business use of AI tools only where policies can distinguish enterprise destinations from consumer destinations and block sensitive data accordingly.
What's in the full report
LayerX Security's full report covers the operational detail this post intentionally leaves for the source:
- Per-channel breakdowns of where sensitive data is leaving enterprise workflows, including paste, upload, and messaging paths
- Browser-telemetry methodology that shows how the organisation measured sanctioned, unsanctioned, and shadow usage
- Operational guidance for building browser-level enforcement around sensitive data movement
- The report's full activity segmentation across AI, SaaS, CRM, ERP, and messaging use cases
👉 Read LayerX Security's report on enterprise AI and SaaS data security →
AI data exfiltration through prompts and paste is the governance gap?
Explore further
12/06/2026 8:09 am
AI governance has become an identity problem before it is a model problem. The report shows employees using consumer AI through unmanaged accounts, which means policy, accountability, and auditability are detached from the enterprise identity plane. That is why conventional SaaS governance cannot simply be extended into AI by naming the tool category. Practitioners should treat the identity path as the first control question, not the last.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who is accountable when sensitive data leaks through consumer AI tools?
A: Accountability sits with the organisation’s identity, data protection, and security governance owners, because the risk comes from unmanaged access paths and weak content controls. If the enterprise permits use without federation, classification, and enforcement at the browser, the responsibility cannot be shifted to the employee alone.
👉 Read our full editorial: AI data exfiltration is outpacing enterprise governance controls
