Cyberhaven report: Surge in 'Shadow AI' accounts poses fresh risks to corporate data
SAN FRANCISCO, May 21, 2024 -- Today, Cyberhaven released a new report shedding light on AI adoption trends and their correlation with heightened risk. The analysis from Cyberhaven Labs draws on a robust dataset derived from the actual usage patterns of 3 million workers, providing a lens through which we can examine the adoption and implications of AI in the corporate environment.
"The fast rise of AI mirrors past transformative shifts like the internet and cloud computing. But just as early cloud adopters navigated new challenges, today's companies must contend with the complexities introduced by widespread AI adoption," Howard Ting, CEO of Cyberhaven. Our research on AI usage and risks not only highlights the impact of these technologies but also underscores the emerging risks that could parallel those encountered during significant technological upheavals in the past."
Key findings:
AI usage in the workplace is accelerating
- The amount of corporate data workers put into AI tools increased 485% from March 2023 to March 2024, and it is increasing exponentially.
- In March 2024, 23.6% of tech workers put corporate data into an AI tool (the highest of any industry).
- We're still early in the adoption curve. Just 4.7% of employees at financial firms, 2.8% in pharma and life sciences, and 0.6% at manufacturing firms are using AI tools.
End users are outpacing corporate IT, fueling use of risky "shadow AI" accounts
- 73.8% of ChatGPT usage at work is through non-corporate accounts, which, unlike enterprise versions, can incorporate whatever you share into public models.
- The percentage of non-corporate accounts is even higher for Gemini (94.4%) and Bard (95.9%) usage.
- AI usage is dominated by the big three: products from OpenAI, Google, and Microsoft account for 96.0% of AI usage at work.
Broadening usage of AI encompasses more types of sensitive company data
- AI adoption is reaching new departments and use cases involving sensitive data: 27.4% of data employees put into AI tools is sensitive, up from 10.7% a year ago.
- The top sensitive data type put into AI tools is customer support (16.3% of sensitive data), which includes confidential information customers share in support tickets.
- Other forms of sensitive data include source code (12.7%), research and development materials (10.8%), HR and employee records (3.9%), and financial documents (2.3%).
A large volume of sensitive company data is going to "shadow AI" accounts
- Workers are putting company data into personal "shadow AI" accounts that, unlike enterprise versions, can incorporate whatever you share with them into public models.
- 82.8% of legal documents employees put into AI tools are going to non-corporate accounts, potentially exposing the information publicly.
- Roughly half of source code (50.8%), research and development materials (55.3%), and HR and employee records (49.0%) put into AI tools are sent to non-corporate accounts.
AI-generated content is being used in potentially risky ways
- 3.4% of research and development materials created in March 2024 originated from AI tools, potentially creating risk if patented material is inadvertently introduced.
- 3.2% of source code insertions are generated by AI outside of dedicated coding tools (which have enterprise-approved coding copilots), potentially introducing the risk of vulnerabilities.
- 3.0% of graphics and design content originated from AI, which can be a problem because AI tools sometimes output trademarked material.