AI Governance Institute

Practical Governance for Enterprise AI

Research · 2026-04-19

82% of Top 100 GenAI SaaS Tools Rated Medium to Critical Risk as Employees Routinely Enter Sensitive Data, Cyberhaven Labs Finds

What happened

Cyberhaven Labs released its 2026 AI Adoption and Risk Report on February 5, 2026, drawing on analysis of billions of real-world data movements across generative AI SaaS platforms, endpoint AI applications, and AI agents used in enterprise environments. The report finds that 82% of the top 100 GenAI SaaS tools are classified as medium to critical risk, and that employees are entering sensitive data into AI tools on average once every three days. A significant shadow IT dimension is documented, with 32.3% of ChatGPT usage and 24.9% of Gemini usage occurring through personal accounts rather than corporate-managed accounts, placing that activity outside enterprise data governance controls. The findings expose a structural gap between the pace of AI adoption and the maturity of data loss prevention, acceptable use policies, and third-party risk management programs. Organizations lacking visibility into AI tool usage at the endpoint level may face exposure under data protection obligations across multiple jurisdictions, including the EU AI Act, various US state privacy laws, and sector-specific regulations governing sensitive data handling.

Why it matters

  • Regulatory exposure is heightened because personal-account AI usage sits outside corporate data governance controls, so an organization may be unable to demonstrate the oversight of third-party processing of sensitive data that the EU AI Act, US state privacy laws and sector-specific rules expect.
  • Operational impact is substantial: if employees submit sensitive data to AI tools on average once every three days, existing data loss prevention programs are likely failing to intercept a high volume of potentially unauthorized disclosures at scale.
  • Organizational risk is compounded by the shadow IT dimension of the findings: when roughly a quarter to a third of usage on major AI platforms (24.9% of Gemini, 32.3% of ChatGPT) occurs through unmanaged personal accounts, vendor risk assessments and contractual data protections negotiated at the enterprise level offer no practical coverage for that activity.

Governance controls affected

What to do now

  • Audit current AI tool inventory to identify all GenAI SaaS platforms in use across the organization, including those accessed through personal accounts, and classify each by risk tier using findings from the Cyberhaven report as a benchmark.
  • Deploy endpoint-level monitoring or data loss prevention tooling capable of detecting sensitive data entry into AI SaaS tools, including sessions initiated through personal rather than corporate-managed accounts.
  • Update acceptable use policies to explicitly prohibit the use of personal accounts for accessing AI tools in professional contexts and require that all AI tool usage occur through corporate-managed accounts subject to governance controls.
  • Conduct a third-party risk assessment for each high-usage GenAI SaaS platform, ensuring vendor contracts include data handling obligations, incident notification requirements, and restrictions on training data use.
  • Review and strengthen PII handling procedures within AI pipelines to ensure sensitive data minimization practices are enforced before any data reaches third-party AI endpoints.
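What the endpoint-monitoring step above looks like in working form, as an added example that is not Cyberhaven's tooling and not code from this page: a detector run over constructed endpoint/proxy events that flags prompts containing sensitive data sent to GenAI SaaS hosts, and records whether the session used a managed or a personal account. The event schema, the MANAGED_DOMAIN value, the GENAI_HOSTS list, the detection patterns and the sample prompts are all assumptions for illustration; a real deployment would take these from the organization's identity provider, proxy logs or endpoint agent.

```python
"""Added example (not Cyberhaven's code): flag sensitive data entered into GenAI SaaS tools.

Assumptions: events come from an endpoint agent or TLS-inspecting proxy that can see the
destination host, the signed-in account, and the prompt body. All values below are constructed.
"""
import re
from dataclasses import dataclass, field

# Assumption: the corporate identity domain; any other account domain is treated as personal.
MANAGED_DOMAIN = "corp.example"

# Assumption: destination hosts this organization treats as GenAI SaaS tools.
GENAI_HOSTS = {"chat.openai.com", "chatgpt.com", "gemini.google.com", "claude.ai"}

# Conservative detectors; tune per environment. Card candidates are confirmed with Luhn below.
PATTERNS = {
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),   # AWS access key ID prefix
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "card_candidate": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Event:
    user: str    # account the session is signed in as
    host: str    # destination host of the request
    prompt: str  # text submitted to the tool


@dataclass
class Finding:
    user: str
    host: str
    personal_account: bool
    categories: list = field(default_factory=list)


def account_is_personal(user: str) -> bool:
    return user.rsplit("@", 1)[-1].lower() != MANAGED_DOMAIN


def classify_prompt(text: str) -> list:
    """Return the sensitive-data categories present in a prompt, in detector order."""
    hits = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(text):
            if name == "card_candidate":
                if not luhn_ok(re.sub(r"\D", "", m.group(0))):
                    continue
                name = "payment_card"
            if name not in hits:
                hits.append(name)
    return hits


def analyze(events):
    """Keep only GenAI-bound events whose prompt carries sensitive data."""
    findings = []
    for e in events:
        if e.host.lower() not in GENAI_HOSTS:
            continue
        cats = classify_prompt(e.prompt)
        if cats:
            findings.append(Finding(e.user, e.host, account_is_personal(e.user), cats))
    return findings


# Constructed sample events; the card number is the well-known Visa test number.
SAMPLE_EVENTS = [
    Event("alice@corp.example", "chatgpt.com",
          "Summarize this note: customer SSN 123-45-6789, card 4111 1111 1111 1111."),
    Event("bob@gmail.com", "gemini.google.com",
          "Fix this config: aws_access_key_id = AKIAIOSFODNN7EXAMPLE"),
    Event("carol@corp.example", "docs.example.internal", "SSN 123-45-6789"),  # not a GenAI host
    Event("dave@corp.example", "claude.ai", "What is the capital of France?"),   # benign
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        kind = "PERSONAL" if f.personal_account else "managed"
        print(f"{f.user} -> {f.host} [{kind}] {', '.join(f.categories)}")
```

Two caveats a practitioner should keep in mind: the personal-versus-managed distinction only works if the agent or proxy captures the signed-in identity rather than just the destination host, and regex detectors of this kind are a floor, not a ceiling; pair them with classification labels or fingerprinting of known sensitive documents before treating the findings as a measure of DLP coverage.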

What to watch next

Compliance teams should monitor enforcement activity under the EU AI Act as its provisions related to third-party AI system obligations and data governance come into fuller effect, particularly for tools classified at medium to critical risk tiers. Pending guidance from US federal and state regulators on employee AI use and workplace data privacy obligations may also sharpen liability exposure for organizations with unmanaged shadow IT AI usage. Teams should track whether Cyberhaven Labs or peer research organizations publish follow-on data on sector-specific risk concentrations, which could inform more targeted acceptable use and vendor risk frameworks.