89% of enterprise AI usage is invisible to the user's organisation

Organizations have zero visibility into 89% of AI usage, despite security policies, according to a new LayerX Security report.

71% of connections to GenAI tools are made using personal, non-corporate accounts. Among logins using corporate accounts, 58% of connections are made without single sign-on (SSO). These interactions bypass organizational identity and access management (IAM) systems, leaving security teams blind to how GenAI tools are used and what data is being shared.

Casual GenAI users unaware of data exposure risks

Most GenAI users are casual and may not be aware of the risks of GenAI data exposure. Only 15% of enterprise employees use it every week, and while a small percentage of users use it extensively, most users are casual users.

Software developers are the largest constituency of active users. Among enterprise users who use GenAI tools, 39% belong to research and development and 28% belong to sales and marketing. IT, HR, and finance users each account for single-digit percentages.

The research shows that 20.63% of all users have installed an AI-enabled browser extension. Of those who have such an extension installed, 45% have more than one such extension. 58% of GenAI browser extensions have a permission scope classified as ‘high’ or ‘critical,’ compared to 66.6% of all extensions.

Finally, 5.6% of AI extensions are classified as ‘malicious’ and can be used to steal data.

90% of AI usage is concentrated in large, well-known apps, but there is a long tail of shadow AI applications. ChatGPT alone accounts for 50% of enterprise usage, and the top 5 AI SaaS apps account for 85% of AI usage.

However, outside the handful of well-known apps there is a long tail of lesser-used AI tools that fly under the radar. As a result, security managers don’t know which other AI apps are in use or where to put controls.

A small number of users expose large volumes of data

While text input is the standard form of interaction with GenAI tools, copy/paste and file upload are the channels through which data can leak at scale. Approximately 18% of users paste data to GenAI tools, and about 50% of that is company information.

“As enterprises embrace GenAI, security teams face a growing challenge, protecting against the threats they can’t see,” says Or Eshed, CEO of LayerX.

The report’s findings highlight the need for a proactive, risk-based approach to securing the hidden threats of GenAI adoption within organizations. CISOs and security managers should implement a comprehensive framework to mitigate AI-related risks. This includes mapping GenAI usage in the organization to understand the company risk profile and build an effective remediation strategy.

Read the rest of the article at: https://easysam.co.uk/news/89-of-enterprise-ai-usage-is-invisible-to-the-users-organisation/
