AI Data Compliance Crisis: 88% of Firms Struggle With Governance and Security
The enterprise AI revolution is creating a data security crisis that most organizations are not equipped to handle. According to Theta Lake’s 2025/26 Digital Communications Governance Report, 99% of organizations are expanding their use of AI, yet 88% are already struggling with AI data governance and data security challenges.
Key Takeaways
- AI Adoption Has Outpaced Governance Capabilities. Nearly all organizations (99%) are expanding AI use, yet 88% already face governance and data security challenges. This gap between deployment speed and governance readiness creates enterprise-wide exposure that existing frameworks cannot address.
- Sensitive Data Exposure Through AI Is a Blind Spot. Nearly half of organizations (45%) cannot detect when confidential information appears in AI-generated content. Once AI creates content containing sensitive data, 40% of organizations lose the ability to track where that information spreads.
- Regulators Hold Organizations Accountable for AI Content. FINRA explicitly states that firms bear responsibility for communications regardless of whether AI or humans generate them. With 47% of organizations unable to ensure AI-generated content meets compliance standards, regulatory exposure is substantial and growing.
- Infrastructure Guardrails Alone Cannot Protect Sensitive Data. Access controls and usage permissions govern who can use AI tools, but they do not govern what AI generates with that access. Organizations need content inspection and behavior-based governance to identify sensitive data exposure and compliance violations.
- Governance Must Control Data Flowing Into AI Systems. AI risk exists at both input and output—what employees share with AI and what AI generates from that data. Without controls at the point of data exchange, organizations cannot prevent sensitive content exposure regardless of guardrails within individual AI tools.
This annual survey of 500 senior IT, unified communications, and compliance leaders from U.S. and UK financial services firms reveals a troubling pattern. Organizations are deploying AI capabilities at unprecedented speed while lacking the governance frameworks to protect sensitive data or meet regulatory compliance obligations. The findings arrive against a backdrop of more than $4 billion in global fines for record-keeping and supervision failures in recent years, with regulators now turning attention to AI-generated content.
While the survey focuses on financial services, the implications extend across every regulated industry. Any organization handling sensitive data—healthcare, legal, government, manufacturing—faces similar AI data governance challenges. The rush to deploy AI is exposing confidential information, creating regulatory liability, and outpacing organizations’ ability to maintain control over their most sensitive content.
AI Adoption Is Outpacing Security and Compliance
The Speed of Deployment
The velocity of enterprise AI adoption is staggering. With nearly all participants (99%) planning to implement or expand AI features within their unified communications and collaboration tools, organizations are embedding AI capabilities across virtually every business function.
The specific AI capabilities being deployed reveal the breadth of exposure. Based on data collected, the top AI capabilities firms plan to implement or expand are generative AI assistants (92%), AI-powered meeting notetakers and summarization (81%), and customized Agentic AI (77%). Additionally, 68% of firms predict even higher AI tool usage over the next 12 months.
Each of these deployments creates new pathways for sensitive data exposure. Generative AI assistants process employee queries that may contain confidential information. Meeting summarization tools capture and condense sensitive discussions. Agentic AI systems act autonomously on data they access.
New Category of Risk
The report identifies “aiComms” as a new category of AI-generated communications requiring governance. AI assistants, generative AI tools, and Agentic AI introduce a whole new category of communications and behavior. These aiComms act both as a new type of communication to be captured and supervised, and as a new participant in interactions, creating additional compliance, governance, and security challenges.
This represents a fundamental shift in enterprise data risk. AI no longer simply processes information—it generates new content derived from sensitive inputs. Traditional data security frameworks designed to protect data at rest and in transit cannot address content that AI systems create, transform, and distribute.
The 88% Problem
The gap between AI deployment and governance readiness has reached critical proportions. 88% of participants report that they are already facing challenges with AI data governance and data security, highlighting the urgent need for a comprehensive governance strategy.
This is not a future concern—it is a current crisis affecting nearly nine in ten organizations surveyed. The remaining 12% reporting no challenges likely reflects lack of visibility rather than effective governance.
How AI Creates Data Security Vulnerabilities
Sensitive Data Exposure Through AI Outputs
The most significant AI data security risk involves sensitive information appearing in AI-generated content. The report finds that 45% of organizations struggle with difficulties in detecting whether confidential or sensitive data has been exposed in generative AI output.
This exposure occurs through multiple vectors. AI meeting summaries may capture confidential strategic discussions and distribute them broadly. Generative assistants may incorporate proprietary data into responses shared externally. AI tools trained on enterprise data may surface sensitive information in unexpected contexts.
The challenge is that AI systems aggregate and transform data in ways that can reveal confidential information even when individual inputs appear innocuous. A meeting summary combining multiple participants’ comments may expose competitive intelligence. An AI response drawing on multiple documents may synthesize protected information into shareable form.
Lack of Visibility Into AI Interactions
Organizations cannot govern what they cannot see, and most lack visibility into how employees interact with AI systems. The report indicates that 41% of organizations struggle with identifying risky end-user behavior in interactions with AI tools.
Employees may input sensitive data into AI prompts without understanding the risks. Customer information, financial data, intellectual property, and strategic plans flow into AI systems through casual queries. Without visibility into these interactions, organizations cannot identify exposure until damage occurs.
Shadow AI usage compounds this problem. Employees adopt AI tools outside IT governance, creating data flows that security teams cannot monitor or control. Sensitive content moves into AI systems that may lack enterprise security controls, data residency guarantees, or appropriate access controls.
Inability to Track AI Content Distribution
Once AI generates content containing sensitive data, organizations often lose the ability to track where that information travels. The report reveals that 40% of organizations struggle with finding where and with whom any problematic AI-generated content or communications were shared.
An AI-generated summary containing confidential information may spread through email, chat, file shares, and external communications before anyone recognizes the exposure. Without content-level tracking, organizations cannot contain breaches or assess their scope. The distributed nature of AI-generated content makes traditional DLP approaches inadequate.
Guardrail Validation Failures
Many organizations implement access controls and usage restrictions on AI tools, but these guardrails often fail in practice. The survey finds that 36% of organizations struggle with validating that guardrails around AI tool access to data or end user access to AI tools and models are working as expected.
Additional governance gaps compound the problem. 35% struggle to remove inappropriate AI-generated content from conversations when policies are violated. 33% face challenges remediating AI controls or notifying and retraining users after incidents. The gap between intended AI restrictions and actual behavior remains substantial.
Regulatory Compliance Challenge
Accountability for AI-Generated Content
Regulatory frameworks hold organizations accountable for AI-generated content to the same standard as human-created communications. The top challenge—reported by nearly half (47%) of organizations—is ensuring that AI-generated content is accurate and complies with regulatory standards.
There is no regulatory safe harbor for AI errors or hallucinations. When AI generates inaccurate content that reaches clients or counterparties, the organization bears liability regardless of the content’s origin. This creates substantial exposure given the documented tendency of generative AI to produce plausible but incorrect information.
Recordkeeping Obligations Extend to AI
Regulatory recordkeeping requirements apply to AI-generated communications, creating compliance challenges that most organizations have not solved. The report indicates that 92% of firms are struggling to capture business communications to meet their recordkeeping and supervisory obligations or are forced to disable capabilities due to compliance concerns.
AI-specific compliance challenges are significant. The survey reveals that 41% of organizations identify challenges with generative AI assistants specifically, and another 41% report challenges with AI conversation summaries or notetakers.
Some organizations respond by disabling AI features entirely rather than risk compliance failures. This approach sacrifices productivity benefits to avoid governance challenges, but it is not sustainable as AI becomes embedded in core business tools.
Regulatory Scrutiny Is Intensifying
Regulators are actively examining how organizations govern AI-generated content. The challenges in managing business communications are set against a backdrop of continued regulatory scrutiny. In recent years, global fines have exceeded $4 billion for record-keeping and supervision failures, dominated by the SEC and CFTC’s now-concluded investigations.
Accuracy Problem
AI accuracy failures create distinct regulatory risk when inaccurate content reaches clients, counterparties, or public channels. Generative AI systems may produce confident but incorrect statements about products, services, performance, or regulatory matters. Client-facing AI communications may contain errors or misleading information that triggers disclosure violations or suitability concerns.
Organizations currently lack systematic approaches to verify AI accuracy at scale. Manual review cannot keep pace with AI content generation volume, while automated accuracy validation remains immature.
Why Traditional Governance Approaches Fail
Infrastructure Guardrails Are Insufficient
Many organizations approach AI data governance through infrastructure controls: role-based access, data classification, and usage permissions. These guardrails are necessary but fundamentally insufficient.
The report emphasizes that for financial services firms, the widespread deployment of AI creates new behaviors, interaction types, and a new class of communications with new risk types that cannot be safeguarded with infrastructure guardrails alone.
Infrastructure controls govern who can access AI tools and what data AI can access. They do not govern what AI generates with that access. An employee with appropriate permissions using an appropriately configured AI tool can still generate content that exposes sensitive information or violates compliance requirements. Organizations need behavior-based inspection of AI interactions and the resulting outputs.
Fragmented Systems Create Blind Spots
AI capabilities are being deployed across fragmented technology environments, creating governance blind spots. Consistent with last year’s findings, the modern workplace continues to rely on multiple UCC tools, with 82% of organizations using four or more. The proportion using ten or more tools has tripled to 12%.
AI features embedded across disconnected systems generate content that flows through different channels with inconsistent controls. No unified view exists of AI-generated content across the enterprise. Governance applied to one AI tool may not extend to others, creating gaps that sensitive data can traverse.
Policy-Based Controls Cannot Scale
Organizations relying on policies to govern AI usage face inherent limitations. Where organizations prohibit the use of AI notetakers and assistants, 60% rely on policies and disclaimers noting prohibited use, 56% share a written policy with employees, and 47% actively track that employees and third-party participants are not using their own AI tools in communications.
Policies communicate expectations but cannot prevent sensitive data exposure. Employees may violate policies inadvertently or deliberately. Tracking policy compliance requires technical controls that most organizations lack. As AI becomes ubiquitous, policy-based governance becomes increasingly inadequate.
Data Quality Challenge
Effective AI data governance requires complete, contextual data that most organizations cannot provide. For half of respondents, AI has improved supervision effectiveness and efficiency, while the other half face difficulties stemming from fragmented data sources and custom infrastructure. Specifically, 31% are working to improve data quality.
Organizations cannot govern AI interactions they cannot capture. They cannot analyze AI outputs without contextual understanding. They cannot enforce policies without visibility into content. The data foundation required for AI data governance remains absent in most enterprises.
Building AI-Ready Data Governance
The Investment Response
Organizations recognize that current approaches are failing and are responding with increased investment. Firms are significantly increasing investment in communications compliance, reflecting the growing complexity of digital communications, including aiComms, and ongoing regulatory scrutiny. 86% are already investing more (up from 65% last year) and a further 12% plan to.
Confidence in existing approaches has collapsed: only 2% of respondents express confidence in their current approach, down from 8% last year. This near-universal recognition of inadequacy creates urgency for new governance models.
Independent research confirms this trajectory. According to Metrigy’s annual workplace collaboration study, preliminary results show that more than 65% of companies plan to increase their spending on security and compliance to keep up with growing AI threats. More than 90% of organizations have established, or plan to establish, a dedicated security and compliance strategy for AI.
Key Requirements for AI Data Governance
Effective AI data governance requires capabilities that most organizations currently lack.
- Content inspection must examine what AI generates, not just who accesses AI tools. Organizations need visibility into AI outputs to identify sensitive data exposure, compliance violations, and accuracy failures.
- Contextual understanding must analyze AI content against regulatory requirements and organizational policies. Raw capture without contextual analysis cannot support governance decisions.
- Comprehensive capture must retain AI interactions alongside traditional communications. Selective capture creates gaps that regulators and litigators will exploit.
- Behavior detection must identify risky patterns in how employees use AI. Anomalous queries, sensitive data inputs, and policy violations require identification before they cause harm.
Extending Governance Across the AI Data Life Cycle
AI risk exists at both ends of the data life cycle—at input when employees share sensitive data with AI systems, and at output when AI generates content derived from that data. Comprehensive governance must address both vectors.
Controlling data inputs to AI systems is essential to preventing sensitive content from entering environments where it may be exposed. This requires governance that operates at the point of data exchange, tracking what private content flows into AI tools and enforcing policies before exposure occurs.
Solutions like Kiteworks AI Data Gateway and MCP Server address this challenge by providing governance controls over sensitive data flows into and across AI systems. Organizations gain visibility into what private content enters AI environments, can enforce policies on AI data access, and maintain audit trails for compliance. Without this layer of control at the data exchange point, organizations cannot prevent sensitive content from exposure regardless of what guardrails exist within individual AI tools.
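The requirements listed above (content inspection, comprehensive capture, behavior detection) and the point-of-exchange control described in this section can be illustrated with a small gateway model. The following is an added example, not Kiteworks' or Theta Lake's code: a hypothetical gateway sits between the user and an AI tool, inspects every prompt on the way in and every answer on the way out, enforces a policy before anything crosses the boundary, and records each exchange with a content fingerprint so that AI-generated content found later in email or chat can be traced back to the exchange that produced it. The detectors, the policy table, the `echo_model` stand-in for a real assistant, and the sample prompts are all constructed for the illustration.

```python
"""Point-of-exchange governance for an AI tool (added illustration, hypothetical)."""
import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, List, Optional, Tuple

# Constructed detectors for illustration only; a real deployment would use the
# organization's own classifiers and data-classification labels.
DETECTORS = {
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "confidential_marker": re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY|MNPI)\b", re.I),
}

# Constructed policy: the action taken when a detector fires.
POLICY = {"us_ssn": "block", "card_number": "redact", "confidential_marker": "block"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; drops 16-digit strings that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def inspect(text: str) -> List[Tuple[str, str]]:
    """Return (detector name, matched value) pairs found in the text."""
    findings = []
    for name, rx in DETECTORS.items():
        for m in rx.finditer(text):
            value = m.group(0)
            if name == "card_number" and not luhn_ok(re.sub(r"\D", "", value)):
                continue  # checksum failed: not treated as a card number
            findings.append((name, value))
    return findings


def fingerprint(text: str) -> str:
    """Stable identifier for content that crossed the boundary."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class Decision:
    action: str                  # "allow", "redact" or "block"
    findings: list               # what the detectors found
    content: Optional[str]       # what crosses the boundary; None if blocked
    fingerprint: Optional[str]   # sha256 of that content, for later tracing


def enforce(text: str) -> Decision:
    """Apply POLICY to the findings and decide what may cross the boundary."""
    findings = inspect(text)
    if any(POLICY[name] == "block" for name, _ in findings):
        return Decision("block", findings, None, None)
    out = text
    for name, value in findings:
        if POLICY[name] == "redact":
            out = out.replace(value, f"[REDACTED:{name}]")
    return Decision("redact" if findings else "allow", findings, out, fingerprint(out))


@dataclass
class Gateway:
    model: Callable[[str], str]          # the AI tool behind the gateway
    audit: list = field(default_factory=list)

    def _record(self, user: str, direction: str, decision: Decision) -> None:
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "direction": direction,            # "input" or "output"
            "action": decision.action,
            "detectors": sorted({n for n, _ in decision.findings}),
            "fingerprint": decision.fingerprint,
        })

    def ask(self, user: str, prompt: str) -> Decision:
        """Inspect the prompt, then the model's answer; both sides are logged."""
        inbound = enforce(prompt)
        self._record(user, "input", inbound)
        if inbound.action == "block":
            return inbound
        outbound = enforce(self.model(inbound.content))
        self._record(user, "output", outbound)
        return outbound

    def trace(self, fp: str) -> list:
        """Audit records for the exchange that produced content with this fingerprint."""
        return [r for r in self.audit if r["fingerprint"] == fp]


def echo_model(prompt: str) -> str:
    """Constructed stand-in for a real AI assistant; it only restates the prompt."""
    return "Summary: " + prompt


if __name__ == "__main__":
    gw = Gateway(model=echo_model)
    # Constructed sample prompts: one clean, one with a card number, one marked MNPI.
    print(gw.ask("alice", "Draft a client email about Q3 results.").action)
    print(gw.ask("bob", "Card 4111 1111 1111 1111 was declined, draft a reply.").content)
    print(gw.ask("carol", "Summarise this MNPI note before the earnings call.").action)
```

The design point is that the same inspection runs on both directions of the exchange: the card number is redacted before the prompt reaches the model, so the generated summary never contains it, and the MNPI-marked prompt is stopped before any content is created. The fingerprint in the audit record is what makes later distribution tracking possible; if a summary surfaces in an external channel, hashing it and calling `trace` identifies which user, when, and under which policy decision it left the gateway.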
Closing the AI Data Compliance Gap
The core challenge facing enterprises today is clear: AI adoption has dramatically outpaced governance capabilities. With 88% of organizations struggling with AI data governance, 45% unable to detect sensitive data exposure in AI outputs, and 47% unable to ensure AI content meets regulatory standards, the gap between deployment and control continues to widen.
The stakes extend beyond regulatory fines. Data breaches originating from AI systems can expose customer information, intellectual property, and strategic plans. Compliance failures can trigger enforcement actions that constrain business operations. Reputational damage from AI-related incidents can erode customer and partner trust.
The path forward requires a fundamental shift from infrastructure guardrails to content inspection and behavior-based governance. Organizations must gain visibility into what data flows into AI systems, what content AI generates, and where that content travels. They must enforce policies at the point of data exchange, not just at system access.
Organizations that implement comprehensive AI data governance now will reduce risk and maintain regulatory confidence while competitors remain exposed. Those that delay will find the governance gap increasingly difficult to close as AI becomes further embedded in business operations.
Frequently Asked Questions
The primary risks include sensitive data exposure through AI outputs, lack of visibility into employee AI interactions, and inability to track where AI-generated content spreads. Research shows 45% of organizations cannot detect when confidential information appears in AI-generated content, while 41% cannot identify risky user behavior in AI interactions.
Organizations deploy AI faster than they implement governance frameworks, creating gaps between capability and control. Traditional compliance infrastructure was designed for human-generated content and cannot address the volume, velocity, and distributed nature of AI-generated communications.
Yes, regulatory frameworks hold organizations accountable for AI-generated content to the same standard as human-created communications. FINRA explicitly states that firms are responsible for their communications regardless of whether they are generated by a human or AI technology.
AI systems aggregate and transform data in ways that can reveal confidential information even when individual inputs appear harmless. Meeting summaries may capture sensitive discussions, generative assistants may incorporate proprietary data into responses, and AI tools may surface protected information in unexpected contexts.
AI data governance encompasses the policies, processes, and technologies that control how sensitive data flows into AI systems and how AI-generated content is monitored, retained, and distributed. Effective AI data governance requires content inspection, contextual analysis, comprehensive capture of AI interactions, and behavior-based risk detection.
Organizations must implement governance controls at the point of data exchange to track and control what private content enters AI environments. This requires moving beyond infrastructure guardrails like access controls to content-level inspection that identifies sensitive data in both AI inputs and outputs.