Press Release

Organizations rush to adopt AI but fail to have commensurate security and compliance controls in place

Kiteworks, which empowers organizations to effectively manage risk in every send, share, receive, and use of private data, today released findings from its AI Data Security and Compliance Risk Survey of 461 cybersecurity, IT, risk management, and compliance professionals. The survey, which was conducted by Centiment, reveals critical implementation failures: Only 17% of organizations have technical controls that block access to public AI tools combined with DLP scanning, while 26% report over 30% of data employees ingest in public AI tools is private data.

These findings emerge amid a documented surge in AI-related incidents. Stanford’s 2025 AI Index Report records a 56.4% year-over-year increase in AI privacy incidents, reaching 233 incidents last year. The Kiteworks survey exposes how organizations remain unprepared: 40% restrict AI tool usage through training and audits, 20% rely solely on warnings without monitoring, and 13% lack any specific policies for public AI tool usage—leaving the vast majority vulnerable to emerging threats.

“Our research reveals a fundamental disconnect between AI adoption and security implementation,” said Tim Freestone, Chief Marketing Officer at Kiteworks. “When only 17% have technical blocking controls with DLP scanning, we’re witnessing systemic governance failure. The fact that Google reports 44% of zero-day attacks target data exchange systems undermines the very systems organizations rely on for protection.”

Industry Benchmarks Reveal Dangerous Overconfidence Gap

The Kiteworks survey exposes a critical overconfidence crisis in AI governance readiness. While one-third of survey respondents claim they have comprehensive governance controls and tracking in place, this contrasts starkly with Gartner’s finding that only 12% of organizations have dedicated AI governance structures, with 55% lacking any framework whatsoever. This dramatic gap between perception and reality creates unprecedented risk exposure.

Deloitte’s research provides even more sobering context: Only 9% of organizations achieve “Ready” level AI governance maturity, despite 23% claiming to be “highly prepared”—a 14-point overconfidence gap. This misalignment is particularly concerning given that 86% of organizations lack visibility into AI data flows, according to industry research.

The rush to adopt AI without proper controls is accelerating. A recent EY survey found 48% of technology companies are already deploying AI agents, with 92% planning to increase AI spending—a 10% jump from March 2024. Yet this enthusiasm comes with what EY calls “tremendous pressure” to demonstrate ROI, creating incentives to prioritize speed over security.

“The gap between self-reported capabilities and measured maturity represents a dangerous form of organizational blindness,” explained Patrick Spencer, VP of Corporate Marketing and Research at Kiteworks. “When organizations claiming governance discover their tracking reveals significantly more risks than anticipated according to Deloitte, and when 91% have only basic or in-progress AI governance capabilities, this overconfidence multiplies risk exposure precisely when threats are escalating.”

Legal Sector Exemplifies Implementation-Awareness Gap

The Kiteworks survey found legal professionals report the highest concern about data leakage at 31%, yet implementation remains weak: 15% have no specific policies or controls regarding the use of public AI tools with company data, while 19% rely on unmonitored warnings.

This implementation gap becomes more pronounced in privacy investment strategies. While 23% of all organizations maintain comprehensive privacy controls with regular audits before any AI system deployment, only 15% of legal firms have fallen into the trap of having no formal privacy controls while prioritizing rapid AI adoption—an 8-point improvement over the 23% average across all sectors yet still concerning given their fiduciary duties.

The disconnect aligns with Thomson Reuters data showing only 41% of law firms have AI policies despite 95% expecting AI to become central within five years. This gap between current readiness and future expectations in the legal sector—an industry built on precedent and risk mitigation—exemplifies the broader organizational tendency to defer critical security implementations while embracing transformative technologies.

AI Security Gap: When Perception Meets Reality

The survey’s finding that only 17% have implemented technical controls that block access to public AI tools combined with DLP scanning becomes more concerning given the evolving threat landscape. Google’s research reveals 44% of zero-day vulnerabilities target data exchange systems, with 60% of enterprise-targeted zero days exploiting security and networking tools—the very systems meant to protect sensitive data.

Despite awareness of risks, the Kiteworks survey found organizations remain deeply divided on addressing vulnerabilities:

• 34% report using a balanced approach with data minimization and selective privacy-enhancing technologies
• 23% maintain comprehensive privacy controls with regular audits
• 10% have basic privacy policies but prioritize AI innovation
• 10% address privacy concerns reactively, focusing on compliance only when legally required
• 23% have no formal privacy controls and prioritize rapid AI adoption

Based on the convergence of weak controls, limited visibility, and escalating threats, organizations must:

1. Acknowledge Reality: Recognize that self-assessed governance may significantly overstate actual maturity based on industry benchmarks
2. Deploy Verifiable Controls: Implement automated governance tracking and controls that can demonstrate compliance, not just claim it
3. Prepare for Regulatory Scrutiny: Quantify exposure gaps and implement measurable improvements

“The data reveals organizations significantly overestimate their AI governance maturity,” concluded Freestone. “With incidents surging, zero-day attacks targeting the security infrastructure itself, and the vast majority lacking real visibility or control, the window for implementing meaningful protections is rapidly closing.”

For the entire report, download a copy.

About Kiteworks

Kiteworks’ mission is to empower organizations to effectively manage risk in every send, share, receive, and use of private data. The Kiteworks platform provides customers with a Private Data Network that delivers data governance, compliance, and protection. The platform unifies, tracks, controls, and secures sensitive data moving within, into, and out of their organization, significantly improving risk management and ensuring regulatory compliance on all private data exchanges. Headquartered in Silicon Valley, Kiteworks protects over 100 million end-users and over 1,500 global enterprises and government agencies.

About Centiment

Centiment is a market research firm specializing in data collection and analysis for the cybersecurity and technology sectors. The company delivers actionable insights through customized survey design, targeted respondent recruitment, and sophisticated analytics. Centiment’s proprietary research platform ensures exceptional data quality through expert human oversight. The company serves Fortune 500 enterprises, technology vendors, and government agencies, providing intelligence for strategic decisions in evolving markets. Headquartered in Denver, Centiment conducts research globally to help organizations understand complex technology landscapes and cybersecurity trends.

PR/Media Contact:
David Schutzman
PR Manager
David.schutzman@kiteworks.com