
Enterprise adoption of AI-powered tools has opened a new front in data security: unintentional data leakage through employees pasting sensitive information into chatbots, AI search tools, and coding assistants, often without realizing the data is leaving the organization’s control.
TechRadar reports that the problem has reached crisis proportions as businesses deploy AI tools like ChatGPT, Claude, Copilot, and Gemini across their workforces without corresponding data governance controls. Unlike traditional data breaches caused by external attackers, this type of leakage is typically accidental: an employee pastes customer data into a prompt, a developer uploads proprietary code to an AI coding assistant, or a salesperson asks an AI to analyze a confidential spreadsheet.
The scale. Research from multiple security firms suggests that the majority of enterprises now have sensitive data flowing through third-party AI models without adequate oversight. Common leakage vectors include:
- Direct prompt input: Employees paste personally identifiable information, financial data, or trade secrets into AI chat interfaces whose terms of service permit training on inputs.
- Enterprise AI search tools: Platforms like Microsoft Copilot and Glean index internal documents and can surface information beyond what users are authorized to see, violating “need-to-know” access principles.
- AI coding assistants: Developers upload proprietary source code to cloud-based code completion services, exposing intellectual property to model training pipelines.
- SaaS integration sprawl: AI plugins and extensions connected to enterprise SaaS tools inherit OAuth tokens scoped far beyond what the workflow requires.
Regulatory pressure. The problem is attracting regulatory attention. The EU AI Act and the Digital Operational Resilience Act (DORA) both require financial institutions and critical infrastructure operators to demonstrate that AI tool integrations do not create unauthorized data exposure pathways. The SEC’s Cyber and Emerging Technologies Unit is actively examining AI governance representations made by regulated entities.
Experts recommend organizations deploy prompt-level classification and real-time enforcement systems that inspect data before it reaches an AI model, segment AI tool permissions to minimum necessary access, and create auditable logs of all data flowing through AI pipelines. A policy document without technical enforcement, they note, does not prevent data from leaving.
Source: TechRadar, Knostic, Wiz

