Enterprise AI and SaaS Data Security Report 2025 Summary

Core Content Overview

This report provides a comprehensive analysis of the current state of enterprise AI and SaaS usage, highlighting significant security risks and blind spots. It emphasizes the rapid adoption of AI tools and SaaS applications, the shift in data transfer methods, and the lack of governance and visibility in these areas. The data underscores the need for a new approach to data loss prevention (DLP) that extends beyond traditional file-based monitoring.

Main Findings

1. AI and SaaS Usage in the Enterprise

• AI Adoption: 45% of employees actively use AI tools, with ChatGPT being the dominant platform, accounting for 92% of all AI usage.
• SaaS Dominance: Email and online meetings are still the most used SaaS categories, with 80% of employees relying on them. However, Generative AI (GenAI) is growing rapidly, now representing 11% of enterprise application usage.
• AI as a Core Tool: GenAI has become a foundational category, with ChatGPT being the de facto standard, and other tools like Google Gemini, Claude, and Microsoft Copilot remaining niche.

2. Data Leakage Risks

• File Uploads: 40% of file uploads to GenAI tools and 41% to file-sharing platforms contain PII (Personally Identifiable Information) or PCI (Payment Card Information).
• Copy/Paste Activity:
• 77% of employees paste data into GenAI tools.
• 82% of this paste activity comes from unmanaged personal accounts.
• 32% of corporate-to-personal data exfiltration occurs via GenAI tools, making them the #1 vector for data leakage.
• 62% of enterprise users paste PII/PCI into chat/IM apps, which are also dominated by non-corporate accounts (87%).

3. Identity and Access Management (IAM) Gaps

• Shadow IT and AI: A large percentage of usage in critical SaaS categories occurs through non-corporate accounts:
• 67% of AI usage is via personal accounts.
• 83% of ERP logins and 71% of CRM logins are done without SSO (Single Sign-On).
• Corporate Accounts Are Not Safer: Even when corporate accounts are used, password-based logins often bypass SSO, leaving them functionally equivalent to personal accounts in terms of security.
• High-Risk Apps: Apps like Zoom, Salesforce, Microsoft Online, and Dropbox are frequently accessed through non-federated accounts, exposing sensitive data to potential breaches.

4. Data Flow and Exfiltration

• Non-Corporate Uploads:
• 38% of employees upload files to file storage/sharing platforms.
• 25% upload to GenAI tools.
• 39% of GenAI uploads and 38% of file storage uploads are via personal accounts.
• Pasting as a Major Risk: Employees make an average of 46 pastes/day, with non-corporate accounts contributing more risk, averaging 15 pastes/day containing PII/PCI.
• Top Exfiltration Channels:
• GenAI tools (ChatGPT, Claude, etc.)
• Chat/IM apps (Slack, WhatsApp, etc.)
• File storage platforms (Google Drive, Dropbox, etc.)
• CRM and ERP systems (Salesforce, Netsuite, etc.)

Key Recommendations for CISOs

1. Audit Beyond Sanctioned Tools

• Extend security audits to shadow SaaS and AI-enabled platforms.
• Identify BYOAI (Bring Your Own AI) usage and understand which tools are being used and how data flows through them.

2. Shift DLP Strategy to Action-Centric

• Move from file-centric DLP to action-centric monitoring.
• Implement policies around copy/paste and prompt inputs to prevent file-less data transfers.
• Monitor all data flows, including those that bypass traditional DLP mechanisms.

3. Enforce SSO on All Corporate Logins

• Ensure SSO is enforced across all business-critical applications.
• Restrict personal account usage for high-risk SaaS and AI platforms.
• Treat non-federated logins as equally risky as shadow IT.

Conclusion

The report highlights that AI and SaaS tools are now central to enterprise operations, but the lack of governance and visibility has created massive blind spots for data leakage. Employees are increasingly using personal accounts and copy/paste to move sensitive data, often bypassing enterprise security controls. Traditional DLP solutions are no longer sufficient, and browser-level enforcement is essential to monitor and control data flows. CISOs must act urgently to address these gaps and ensure that AI and SaaS usage is secure, visible, and governed.

✨ 核心功能
? 海量报告：覆盖全行业，AI搜索+全文检索
? AI翻译：多语言互译，保留原排版
? AI对话：智能研报助手，深度解读文档
? 实时推送：订阅关键词，更新主动通知
? 全平台：网页、APP、小程序数据同步

? AI能力
? 智能检索：快速理解问题意图，提供精准信息
? 多源整合：综合多个可靠来源，给出全面答案
? 语境理解：不只是字面翻译，更能理解上下文和文化差异
? 专业领域：适应技术、文学、商务等不同领域的翻译需求
? 自然交流：理解复杂对话上下文，保持连贯性
? 研报专家：深度理解文档，进行专业回复
⚡ 实时性：能够获取最新信息，主动推送更新

? 适用场景
? 投资分析：券商研报、市场分析、投资策略
? 市场调研：行业分析、市场趋势、竞争格局
? 行业研究：深度行业报告、产业链分析
? 趋势预测：未来趋势、技术发展、政策解读

? 访问方式
? 网页版：pc.yanbaoke.cn
? APP下载：各大手机商店搜索「研报客」
?️ 软件版：pc.yanbaoke.cn/pc2.html
? 小程序：微信搜索「研报客」