Rising Enterprise GenAI Use Could Pose Risky for Corporate Data

The enterprise’s love affair with third-party GenAI productivity tools is going strong, even as the increased usage adds pressure to already stretched corporate security teams. In the United States, around 75 percent of  leaders / managers and 51 percent of frontline employees use GenAI for productivity. 1 Employees typically access GenAI tools through a browser, using the technology for productivity, research, and content creation. Security issues arise when GenAI uses the information to train itself and to answer general queries. With this in mind, corporate IT departments should review GenAI security now, especially with Gartner predicting that by 2030 more than 40% of global organizations will suffer security incidents due to AI tools.2 

Browsers, Third-Party Tools, and Data Leaks 

The browser powers much of enterprise GenAI use as it is an easy-to-use gateway to the Internet. As such, it lacks many enterprise-grade protections, such as network endpoint security and data loss prevention protocols.  To understand the security issues with third-party GenAI tools, it helps to see the browser as operating in an information Wild West without the strictness of endpoint security or data loss protection enablement.  

The typical corporate user does not plan to expose  corporate data, but he/she does not understand the path of the information inputted. GenAI platforms are programmed to be always learning, so any data it gets is used for self-training and in answers to other queries.  GenAI does not differentiate between “safe” and sensitive data inputs, meaning customer or employee PII, intellectual property,  and insider corporate knowledge are treated as regular information. 

GenAI Data Leaks in the Real World     

In early 2023, Amazon’s internal legal team noticed that outputs from OpenAI’s ChatGPT on coding read the same as answers to problems given to prospective Amazon employees. The company’s employees had been placing data snippets into ChatGPT for tasks like debugging or confirming a correct answer. Unbeknownst to Amazon, ChatGPT then trained itself on the data and included it in all queries, including those from outside the company. Similarly in 2023, Samsung experienced three leaks of confidential information as a result of employees using GenAI. The exposed information included source code, detailed meeting notes, and hardware data.  

As a result of the leaks, Amazon immediately instituted a policy prohibiting the sharing of confidential information on third-party GenAI. Samsung banned GenAI tools for employees, and by December 2025 only certain Samsung departments can use third-party GenAI. Both companies discovered that it is very difficult to delete information from third-party GenAI services once inputted. 

The Rise of Shadow GenAI  

Many companies may not have the luxury of discovering and stopping information being used by GenAI because they are not aware that their employees are using them. It is estimated that workers in 90 percent of companies are using chatbots, but they not letting their IT departments know.3 In addition to data appearing on GenAI platforms, shadow AI use can leave the company vulnerable to more intricate attacks, such as data poisoning, launch prompt injection attacks, phishing, and other threats. Shadow AI also has compliance risks, with the lack of governance leaving companies vulnerable to fines for not following data privacy protocols. 

Malware and Phishing 

GenAI tools can be used by threat actors to generate scripts, obfuscate code, or craft social engineering code to discover network vulnerabilities. There have not been many cases of malware spreading by GenAI use, but the instances are expected to rise in the coming years. 

GenAI can enable hyper-personalized phishing by generating context-aware emails, deepfakes, or even voice clones. GenAI makes it harder for employees to spot fakes during usage, leading to potential unauthorized access of networks or Intellectual Property. 

The Best Company Response to GenAI Use 

There are steps a company can take to utilize the benefits of GenAI third-party tools while still keeping their data and compliance in check. 

Establish Policies 

First, the company should develop and enforce policies on GenAI platform use. The guidelines should include allowable platforms, types of data that can be input, and the departments that are allowed to use these tools. The “Rulebook” should also address regulatory compliance, gaining input from the legal and security teams on best practices. 

Build a Zero-Trust Architecture 

A company should consider a zero-trust architecture to secure access to GenAI, especially browser-based tools. This step could include multi-factor authentication, least-privilege access, data encryption, and real-time monitoring to prevent data loss or unauthorized sharing. The ability to block risky interactions, such as large data uploads, should be enabled.  Finally, the company should conduct regular auditing of all data flows.  

Start Classifying Sensitive Data  

A company should classify sensitive information and implement controls to prevent it from being implemented into GenAI prompts. Similarly, models, datasets, and integration should be monitored to make sure no data poisoning from bad commands being copied from GenAI has taken place.   

Monitor AI Outputs and Mitigate Malware/Phishing Risks 

Requiring  reviews of AI-generated code or content for malware or bad information before the information is used can help mitigate threats.   

Make It a Team Effort 

The best GenAI protection will come from policies and practices developed across IT, security, business, and legal teams. The policies should be rolled out and updated with employee training. 

Scale carefully 

Once a company has a good monitoring and response process in place, it can start to scale GenAI use. This increase should occur with an eye to emerging threats in mind. 

By understanding GenAI third-party tool security risks, monitoring for shadow use, and building a comprehensive usage and policy rule set, a company can be more confident in its use of GenAI. The goal is to stay aware of emerging threats and to make sure your practices are aligned with data safety and governance mandates.