New Research AI Is Already the

A new Enterprise AI and SaaS Data Security Report by AI & Browser Security company LayerX proves just how outdated that mindset has become. Far from a future concern, AI is already the single largest uncontrolled channel for corporate data exfiltration—bigger than shadow SaaS or unmanaged file sharing. The findings, drawn from real-world enterprise browsing telemetry, reveal a counterintuitive truth: the problem with AI in enterprises isn’t tomorrow’s unknowns, it’s today’s everyday workflows.

Sensitive data is already flowing into ChatGPT, Claude, and Copilot at staggering rates, mostly through unmanaged accounts and invisible copy/paste channels.

Perhaps the most surprising and alarming finding is how much sensitive data is already flowing into AI platforms: 40% of files uploaded into GenAI tools contain PII or PCI data, and employees are using personal accounts for nearly four in ten of those uploads. Even more revealing: files are only part of the problem. The real leakage channel is copy/paste. 77% of employees paste data into GenAI tools, and 82% of that activity comes from unmanaged accounts. On average, employees perform 14 pastes per day via personal accounts, with at least three containing sensitive data. That makes copy/paste into GenAI the #1 vector for corporate data leaving enterprise control.

The report’s recommendations are clear, and unconventional:

1. Treat AI security as a core enterprise category, not an emerging one. Governance strategies must put AI on par with email and file sharing, with monitoring for uploads, prompts, and copy/paste flows.
2. Shift from file-centric to action-centric DLP. Data is leaving the enterprise not just through file uploads but through file-less methods such as copy/paste, chat, and prompt injection. Policies must reflect that reality.
3. Restrict unmanaged accounts and enforce federation everywhere. Personal accounts and non-federated logins are functionally the same: invisible. Restricting their use - whether fully blocking them or applying rigorous context-aware data control policies - is the only way to restore visibility.
4. Prioritize high-risk categories: AI, chat, and file storage. Not all SaaS apps are equal. These categories demand the tightest controls because they are both high-adoption and high-sensitivity.

To read the complete article see: The Hacker News.