AI Governance Institute logo
AI Governance Institute

Practical Governance for Enterprise AI

← News
Research2026-04-19

82% of Top 100 GenAI SaaS Tools Rated Medium to Critical Risk as Employees Routinely Enter Sensitive Data, Cyberhaven Labs Finds

What happened

Cyberhaven Labs released its 2026 AI Adoption and Risk Report on February 5, 2026, drawing on analysis of billions of real-world data movements across generative AI SaaS platforms, endpoint AI applications, and AI agents used in enterprise environments. The report finds that 82% of the top 100 GenAI SaaS tools are classified as medium to critical risk, and that employees are entering sensitive data into AI tools on average once every three days. A significant shadow IT dimension is documented, with 32.3% of ChatGPT usage and 24.9% of Gemini usage occurring through personal accounts rather than corporate-managed accounts, placing that activity outside enterprise data governance controls. The findings expose a structural gap between the pace of AI adoption and the maturity of data loss prevention, acceptable use policies, and third-party risk management programs. Organizations lacking visibility into AI tool usage at the endpoint level may face exposure under data protection obligations across multiple jurisdictions, including the EU AI Act, various US state privacy laws, and sector-specific regulations governing sensitive data handling.

Why it matters

  • ·Regulatory exposure is heightened because personal-account AI usage sits outside corporate data governance controls, creating potential violations of the EU AI Act and US state privacy laws that require organizations to maintain oversight of how sensitive data is processed by third-party AI systems.
  • ·Operational impact is substantial given that employees submit sensitive data to AI tools on average once every three days, meaning existing data loss prevention programs are likely failing to intercept a high volume of potentially unauthorized disclosures at scale.
  • ·Organizational risk is compounded by the shadow IT dimension of the findings: when more than a quarter to a third of usage on major AI platforms occurs through unmanaged personal accounts, vendor risk assessments and contractual data protections negotiated at the enterprise level offer no practical coverage for that activity.

Governance controls affected

What to do now

  • Audit current AI tool inventory to identify all GenAI SaaS platforms in use across the organization, including those accessed through personal accounts, and classify each by risk tier using findings from the Cyberhaven report as a benchmark.
  • Deploy endpoint-level monitoring or data loss prevention tooling capable of detecting sensitive data entry into AI SaaS tools, including sessions initiated through personal rather than corporate-managed accounts.
  • Update acceptable use policies to explicitly prohibit the use of personal accounts for accessing AI tools in professional contexts and require that all AI tool usage occur through corporate-managed accounts subject to governance controls.
  • Conduct a third-party risk assessment for each high-usage GenAI SaaS platform, ensuring vendor contracts include data handling obligations, incident notification requirements, and restrictions on training data use.
  • Review and strengthen PII handling procedures within AI pipelines to ensure sensitive data minimization practices are enforced before any data reaches third-party AI endpoints.

What to watch next

Compliance teams should monitor enforcement activity under the EU AI Act as its provisions related to third-party AI system obligations and data governance come into fuller effect, particularly for tools classified at medium to critical risk tiers. Pending guidance from US federal and state regulators on employee AI use and workplace data privacy obligations may also sharpen liability exposure for organizations with unmanaged shadow IT AI usage. Teams should track whether Cyberhaven Labs or peer research organizations publish follow-on data on sector-specific risk concentrations, which could inform more targeted acceptable use and vendor risk frameworks.

Related Coverage

Corporate Policy2026-07-01

Snowflake's Agentic Enterprise Framework Puts Data Governance at the Center of Marketing AI Accountability

Snowflake published a governance framework titled 'The Agentic Enterprise: AI Governance for Marketing Leaders (2026),' aimed at organizations deploying AI agents in marketing workflows. The framework argues that no AI strategy is viable without unified data governance and access controls, and it sets out privacy and accountability requirements for agents operating on enterprise data. Marketing organizations and the compliance functions that support them are the primary audience.

Research2026-07-10

NSW Government Contractor Uploads Flood Victim Data to ChatGPT, Exposing Critical Gap in Shadow AI Controls

A contractor working for a New South Wales government department uploaded a spreadsheet containing thousands of rows of sensitive flood victim data directly into ChatGPT, triggering a significant privacy breach. The incident exposed the absence of controls preventing uncontrolled data leakage through AI prompts and a failure to govern where sensitive data resides when processed by external AI systems. Organizations handling personal or government data must enforce strict data classification and acceptable-use policies covering public AI tools.

Research2026-07-08

Eight-Step ITSM Deployment Framework from GSDCouncil Puts Hallucination Detection and Data Privacy Controls at the Center of AI Governance

The GSDCouncil has published a research report outlining an eight-step framework for deploying generative AI in IT service management, with explicit governance requirements covering access controls, data privacy, hallucination detection, and regulatory compliance. The report includes named case studies and positions structured risk controls as prerequisites for AI-driven automation in ITSM. Compliance teams at organizations using AI in service desk and IT operations functions should treat the framework as a benchmark against which their existing controls can be assessed.