Organizations have zero visibility into 89% of AI usage, despite security policies, according to a LayerX report.
71% of connections to GenAI tools are made using personal, non-corporate accounts. Among logins with corporate accounts, 58% of connections are made without Single Sign-On (SSO). These interactions bypass organizational identity and access management (IAM) systems, leaving security teams blind to how GenAI tools are used and what data is being shared.
Casual GenAI users unaware of data exposure risks
Most GenAI users are casual and may be unaware of the data-exposure risks. Only 15% of enterprise employees use GenAI tools every week; a small share of users rely on them extensively, but most use them only occasionally.
Software developers are the largest group of active users. Among enterprise users of GenAI tools, 39% belong to research and development and 28% to sales and marketing; IT, HR, and finance users each account for only single-digit percentages.
The research shows that 20.63% of all users have installed an AI-enabled browser extension. Of those who have such an extension installed, 45% have more than one such extension. 58% of GenAI browser extensions have a permission scope classified as ‘high’ or ‘critical,’ compared to 66.6% of all extensions.
Finally, 5.6% of AI extensions are classified as ‘malicious’ and can be used to steal data.
90% of AI usage is concentrated in large, well-known apps, but there is a long tail of shadow AI applications. ChatGPT alone accounts for 50% of enterprise usage, and the top 5 AI SaaS apps for 85% of AI usage.
However, outside of the handful of well-known apps there is a long tail of lesser-used AI tools that fly under the radar. As a result, security managers don’t know which other AI apps are in use, or where to place controls.
A small number of users expose large volumes of data
While text input is the standard form of interaction with GenAI tools, copy/paste and file upload are the channels through which data can leak at scale. Approximately 18% of users paste data to GenAI tools, and about 50% of that is company information.
“As enterprises embrace GenAI, security teams face a growing challenge, protecting against the threats they can’t see,” says Or Eshed, CEO of LayerX.
The report’s findings highlight the need for a proactive, risk-based approach to the hidden threats of GenAI adoption within organizations. CISOs and security managers should implement a comprehensive framework to mitigate AI-related risks. This starts with mapping GenAI usage across the organization to understand the company’s risk profile and build an effective remediation strategy.
Organizations should also enforce AI auditing at the endpoint level to gain visibility into employee AI activity and detect potential data leaks. Additionally, restricting personal accounts and enforcing SSO ensures that employees use corporate GenAI accounts with built-in security measures.
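The following is an added example (not LayerX code, and not the report's own methodology) of what the endpoint-level auditing described above can look like once usage has been mapped. It assumes a hypothetical endpoint-agent telemetry format (constructed here as key=value lines), a corporate mail domain of `example.com`, and an allowlist of sanctioned GenAI hosts; from those it derives the same indicators the report measures (personal-account share, corporate logins without SSO, unsanctioned "shadow" apps, and company data leaving via paste or upload) and emits per-event alerts.

```python
"""Added example: audit GenAI usage events captured at the endpoint.

Assumptions (not from the report): the telemetry format below, the
corporate domain, the sanctioned-host allowlist, and that the endpoint DLP
classifier sets sensitive=1 when it recognises company data.
"""
from dataclasses import dataclass
from typing import Dict, List

CORPORATE_DOMAIN = "example.com"          # assumption: the organization's mail domain
SANCTIONED_GENAI_HOSTS = {"chatgpt.com"}  # assumption: apps covered by an SSO-backed corporate contract
EXFIL_ACTIONS = {"paste", "upload"}       # the channels the report singles out for large-scale leakage

# Constructed sample telemetry (hypothetical endpoint-agent format, not a real vendor's).
SAMPLE_LOG = """\
2025-03-01T09:12:03Z user=alice host=chatgpt.com account=alice@example.com auth=sso action=prompt sensitive=0
2025-03-01T09:14:51Z user=bob host=chatgpt.com account=bob@gmail.com auth=password action=paste sensitive=1
2025-03-01T09:20:17Z user=carol host=claude.ai account=carol@example.com auth=password action=upload sensitive=1
2025-03-01T09:31:42Z user=dave host=ai-tool.example account=dave@example.com auth=password action=prompt sensitive=0
2025-03-01T10:02:08Z user=alice host=chatgpt.com account=alice@example.com auth=sso action=paste sensitive=0
2025-03-01T10:15:33Z user=erin host=gemini.google.com account=erin@outlook.com auth=password action=prompt sensitive=0
2025-03-01T10:44:19Z user=frank host=unknown-ai.example account=frank@example.com auth=none action=upload sensitive=1
2025-03-01T11:05:56Z user=bob host=chatgpt.com account=bob@example.com auth=sso action=prompt sensitive=0
"""


@dataclass
class Event:
    ts: str
    user: str        # endpoint user
    host: str        # GenAI service host the browser talked to
    account: str     # identity used to log in to that service
    auth: str        # "sso", "password", or "none"
    action: str      # "prompt", "paste", or "upload"
    sensitive: bool  # endpoint DLP classifier flagged company data


def parse_line(line: str) -> Event:
    """Parse one 'ts key=value ...' telemetry line into an Event."""
    ts, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return Event(ts, kv["user"], kv["host"], kv["account"], kv["auth"],
                 kv["action"], kv["sensitive"] == "1")


def parse_log(text: str) -> List[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_corporate(account: str) -> bool:
    """A corporate account is one in the organization's own mail domain."""
    return account.lower().endswith("@" + CORPORATE_DOMAIN)


def summarize(events: List[Event]) -> Dict[str, object]:
    """Aggregate the report's headline indicators over the audited events."""
    total = len(events)
    corporate = [e for e in events if is_corporate(e.account)]
    personal = [e for e in events if not is_corporate(e.account)]
    corp_non_sso = [e for e in corporate if e.auth != "sso"]
    shadow_hosts = sorted({e.host for e in events if e.host not in SANCTIONED_GENAI_HOSTS})
    exports = [e for e in events if e.action in EXFIL_ACTIONS and e.sensitive]
    return {
        "total": total,
        "personal_account_share": len(personal) / total if total else 0.0,
        "corporate_non_sso_share": len(corp_non_sso) / len(corporate) if corporate else 0.0,
        "shadow_hosts": shadow_hosts,
        "sensitive_exports": [(e.user, e.host, e.action) for e in exports],
    }


def alerts(events: List[Event]) -> List[str]:
    """One alert line per event that violates the SSO / sanctioned-app / DLP policy."""
    out = []
    for e in events:
        reasons = []
        if not is_corporate(e.account):
            reasons.append("personal account")
        elif e.auth != "sso":
            reasons.append("corporate account without SSO")
        if e.host not in SANCTIONED_GENAI_HOSTS:
            reasons.append("unsanctioned app")
        if e.action in EXFIL_ACTIONS and e.sensitive:
            reasons.append(f"company data via {e.action}")
        if reasons:
            out.append(f"{e.ts} {e.user} -> {e.host}: " + "; ".join(reasons))
    return out


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for key, value in summarize(evs).items():
        print(f"{key}: {value}")
    print(*alerts(evs), sep="\n")
```

On the constructed sample, 2 of 8 connections use personal accounts, half of the corporate logins skip SSO, four hosts fall outside the allowlist, and three paste/upload events carry flagged company data. The summary is what a security manager needs to prioritise controls (which apps to onboard into SSO, which to block); the per-event alerts are what feeds the detection pipeline, and the same two rules (personal account, corporate-without-SSO) are exactly the conditions that an enforced SSO policy would make impossible.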
“Banning all AI usage is not a long-term solution in a world that is becoming increasingly AI-driven. This is why it’s critical to apply security restrictions that are adaptive and contextual, to enable employees to use AI securely, without sacrificing productivity,” concluded Eshed.