As organizations race to exploit generative AI and broaden their third‑party ecosystems, a startling pattern is emerging: mass adoption without adequate visibility is creating a cascade of security, compliance, and financial risks that many firms are poorly equipped to handle. New survey data from Kiteworks — confirmed across multiple industry reports and picked up by enterprise press — shows large swaths of companies lack a reliable inventory of who accesses their most sensitive data, are slow to detect breaches when they occur, and have yet to implement meaningful AI governance or privacy‑enhancing technologies. The consequences are concrete: longer detection windows, larger litigation bills, regulatory exposure, and a higher probability of repeated supply‑chain incidents. (itpro.com) (worldwealthjournal.com)
The findings come from a Kiteworks survey of 461 IT, security, risk and compliance professionals across North America, Europe, APAC and the Middle East. The research paints a consistent picture of under‑visibility and overconfidence: nearly half of respondents cannot say how many third parties have access to sensitive content, many lack automated controls to prevent data from flowing into public AI tools, and a sizable share admit to long breach detection times that compound financial and regulatory harms. Kiteworks frames the problem as a “visibility‑risk cascade”: unknown third‑party relationships → missed breaches → inability to demonstrate compliance → big costs. (itpro.com) (todayinbanking.com)
Kiteworks itself is an established player in secure content exchange and has attracted significant investment, which underscores both the market demand for better data control and the commercial incentives driving vendors in this space. That context matters: companies selling visibility and content controls are gaining traction because organizational practices have not kept pace with evolving threats. (wsj.com)
Several outlets echo the same worry: governance frameworks and tooling lag behind actual usage. The disconnect is not just theoretical — more than a quarter of organizations acknowledge that over 30% of data employees attempt to ingest into public AI tools is private/sensitive, which magnifies risk when those interactions are unmonitored or unblocked. (smartindustry.com)
Windows and enterprise communities are already sounding the alarm: real admins and security teams see these gaps in daily operations and are demanding a combination of policy, tooling and contractual changes. The evidence across industry reporting is consistent — organizations that act now by codifying visibility, enforcing technical controls, and investing in detection will materially reduce risk and protect the value of their most sensitive data. (itpro.com) (worldwealthjournal.com) (smartindustry.com) (computerweekly.com)
Bold, immediate action — centered on inventory, technical enforcement for AI, and faster detection — will determine which organizations convert AI and supplier scale into competitive advantage, and which will pay the price for operating blind.
Source: Petri IT Knowledgebase AI and Third-Party Growth Expose Firms to Security Risks
The findings come from a Kiteworks survey of 461 IT, security, risk and compliance professionals across North America, Europe, APAC and the Middle East. The research paints a consistent picture of under‑visibility and overconfidence: nearly half of respondents cannot say how many third parties have access to sensitive content, many lack automated controls to prevent data from flowing into public AI tools, and a sizable share admit to long breach detection times that compound financial and regulatory harms. Kiteworks frames the problem as a “visibility‑risk cascade”: unknown third‑party relationships → missed breaches → inability to demonstrate compliance → big costs. (itpro.com) (todayinbanking.com)Kiteworks itself is an established player in secure content exchange and has attracted significant investment, which underscores both the market demand for better data control and the commercial incentives driving vendors in this space. That context matters: companies selling visibility and content controls are gaining traction because organizational practices have not kept pace with evolving threats. (wsj.com)
Why the visibility gap matters
Unknown relationships are a material risk
When organizations cannot reliably inventory who accesses sensitive data, governance and incident response break down. The survey found that organizations lacking good third‑party visibility are also more likely to:- Be uncertain about the number and frequency of breaches they experience.
- Be unable to quantify potential litigation costs tied to breaches.
- Report longer detection times (commonly 31–90 days for many respondents). (itpro.com)
The “danger zone”: scale of third‑party networks
Kiteworks’ analysis highlights a clear inflection point: organizations managing between 1,001 and 5,000 third‑party vendors sit in the highest‑risk band. In that cohort:- A meaningful share reported seven or more breaches per year.
- Many report the worst supply‑chain risk metrics and slowest detection times. (itpro.com)
AI adoption without governance: a separate, compounding blind spot
Low adoption of technical AI controls
One of the most striking survey findings is that only 17% of organizations report implementing technical controls that block sensitive data from being sent to public AI tools combined with DLP scanning. Instead, many rely on training, warnings, or nothing at all. That gap creates direct exposure because employees routinely leverage public AI to accelerate work and often feed it private content. (smartindustry.com) (techbullion.com)Several outlets echo the same worry: governance frameworks and tooling lag behind actual usage. The disconnect is not just theoretical — more than a quarter of organizations acknowledge that over 30% of data employees attempt to ingest into public AI tools is private/sensitive, which magnifies risk when those interactions are unmonitored or unblocked. (smartindustry.com)
Why AI amplifies visibility problems
AI systems create novel and opaque data flows. When employees paste proprietary text, customer data, or legal documents into public or unmanaged AI agents, tracking that movement is often impossible with legacy DLP and supplier controls. The result is twofold:- Data leakage via AI becomes an invisible channel that bypasses standard audit trails.
- AI outputs can re‑expose aggregated or derived sensitive facts, compounding leakage risk.
Industry and regional patterns
Sector exposure
According to the survey and corroborating reports, energy and utilities, technology, and life sciences / pharma report the highest exposure profiles. These sectors handle highly sensitive operational, intellectual property and regulated data that make poor visibility especially dangerous. (itpro.com)Regional wrinkles
Regional differences are relevant for compliance posture and detection performance. Kiteworks’ results suggest the Middle East and parts of EMEA show particular weaknesses in rapid breach detection or readiness for data regulation, despite some regions enforcing strict supplier certification requirements. The overall commonality remains: irrespective of region, organizations that lack visibility face worse outcomes. (bizpreneurme.com)What the community is already saying
Windows and enterprise operator forums have been discussing these themes in real time: practitioners flagged how AI features and expanded cloud integrations increase the attack surface and complicate forensic trails. Community threads emphasize the need to treat AI agents and modern collaboration services as privileged assets requiring the same rigor as network and endpoint protections. The lived experience in these communities mirrors Kiteworks’ conclusions: the pace of innovation has outstripped many organisations’ ability to govern it.Recommendations — practical, prioritized steps
The Kiteworks report and enterprise practitioners converge on several concrete measures organizations should adopt immediately. These recommendations are arranged by urgency and impact.1. Establish full visibility into third‑party access (urgent)
- Create a single, authoritative inventory of third parties and what data each handles.
- Map data flows that span vendors, contractors, cloud services and ephemeral collaboration links.
- Enforce contractual telemetry: require vendors to provide logs or to integrate with centralized monitoring.
2. Harden breach detection and response
- Shorten mean time to detection (MTTD) targets to under 30 days where possible; measure and report MTTD to the board.
- Invest in centralized SIEM/EDR with vendor telemetry ingestion and analytics tuned for content movement, not just network events.
- Run tabletop exercises that include third‑party compromise scenarios and AI data‑leakage incidents.
3. Implement technical controls for AI usage
- Deploy DLP rules and inline blocking for known AI endpoints and public model APIs.
- Maintain an allowlist for approved AI tools and enforce access via network controls or secure gateways.
- Use privacy‑enhancing technologies (PETs) like tokenization, redaction and on‑device transformations to minimize exposure where feasible.
4. Limit third‑party surface via segmentation and least privilege
- Segregate data by sensitivity and class; never give broad access to large supplier sets.
- Use ephemeral credentials, just‑in‑time access and time‑bound sessions for third‑party users.
- Require suppliers to adopt mutual TLS, SSO, and continuous posture attestation.
5. Align governance with regulation and frameworks
- Map data flows to GDPR, sectoral rules, and emerging frameworks such as the EU Data Act to ensure contractual and technical alignment.
- Require standardized breach notification SLAs and forensic access clauses in vendor contracts.
- Adopt an auditable AI governance policy: define permitted use cases, data classes, and mandatory technical controls.
Tools and technologies that help — and their limits
- Automated DLP with API interception — effective at preventing sensitive text from leaving managed endpoints, but requires careful tuning to avoid false positives and business interruptions.
- Privacy‑Enhancing Technologies (PETs) — tokenization, format‑preserving encryption and synthetic datasets reduce exposure in many workflows; adoption is still uneven.
- Continuous vendor posture monitoring — emerging vendor risk platforms can ingest telemetry, but they depend on vendor cooperation and interoperability.
- AI‑aware auditing — logging and tracking of model inputs/outputs is nascent; organizations must version and store AI prompts and outputs to support forensics when required.
Risks and caveats: what to watch for
- Overconfidence bias: The survey highlights a dangerous paradox — organizations that self‑report high confidence in governance can still test as high risk. Confidence is not a substitute for measurement. (todayinbanking.com)
- Delegation fallacy: Relying solely on supplier certifications or attestations without telemetry often produces a false sense of security; certifications are necessary but insufficient.
- Tool sprawl: Many organisations use multiple tracking and exchange tools; without centralized policy enforcement, controls are ineffective. The research indicates a broad need for consolidation and policy harmonization. (computerweekly.com)
- Unverifiable claims: Vendor‑published metrics and some press summaries quote complex correlations (e.g., exact litigation reductions tied to visibility) that are sensitive to methodology. These findings should be treated as directional unless the underlying raw data and methodology are made available for independent audit.
A realistic roadmap for IT leaders (90‑day sprint)
- Inventory sprint (Days 0–30)
- Compile a canonical third‑party registry.
- Tag data classes and criticality per vendor relationship.
- Tactical controls (Days 30–60)
- Implement inline DLP rules for known AI endpoints and enforce network blocks for unapproved public models.
- Shorten privileged access windows and apply MFA/JIT controls to supplier logins.
- Detection and response (Days 60–90)
- Integrate supplier telemetry into SIEM/EDR.
- Run a full breach tabletop that includes AI data leakage and third‑party compromise scenarios.
Conclusion
The Kiteworks data delivers an unambiguous warning: growth in AI use and third‑party ecosystems — if unmanaged — is not merely an operational headache, it is a strategic vulnerability. Organizations that continue to treat AI as a user productivity feature rather than a governed, auditable data pathway leave themselves open to regulatory penalties, costly litigation, and repeat supply‑chain incidents. Rapid improvements in visibility, automated AI controls, faster detection, and rigorous vendor governance are not optional; they are the baseline required to operate safely at scale.Windows and enterprise communities are already sounding the alarm: real admins and security teams see these gaps in daily operations and are demanding a combination of policy, tooling and contractual changes. The evidence across industry reporting is consistent — organizations that act now by codifying visibility, enforcing technical controls, and investing in detection will materially reduce risk and protect the value of their most sensitive data. (itpro.com) (worldwealthjournal.com) (smartindustry.com) (computerweekly.com)
Bold, immediate action — centered on inventory, technical enforcement for AI, and faster detection — will determine which organizations convert AI and supplier scale into competitive advantage, and which will pay the price for operating blind.
Source: Petri IT Knowledgebase AI and Third-Party Growth Expose Firms to Security Risks