Ninety percent of organizations are running enterprise generative AI at scale, yet nearly two-thirds of CISOs are not confident their controls can stop unsafe or inappropriate AI data access.
According to a survey of 100+ security leaders by the CISO Executive Network and data loss prevention firm MIND, companies that have deployed AI into core operations are finding out the hard way that speed is easy, but governing the data underneath it is not.
The study, “The Impact of Data Trust on AI Success” (registration gate), points out many companies have moved quickly to adopt AI, only to hit unforeseen speed bumps.
“Organizations with bad processes will be exposed by the high velocity of AI,” said Nick Vigier, CISO at Oscar Health. “Without strong fundamentals, organizations risk being destroyed by the velocity of these things.”
Those risks include longstanding security gaps — weak data classification, poor identity governance and overly broad access — now amplified by AI’s speed and scale. “Without strong data security, AI is an accelerant toward potentially business-ending events,” the report warns.
While many organizations have formal AI policies, such as governance frameworks, acceptable-use guidelines and AI councils, they struggle to enforce them at the pace AI demands. The report says AI has exposed “data debt” that organizations long ignored.
“Security by obscurity is eliminated the moment AI systems connect to data sources,” said Tim Kropp, CISO at SS&C Technologies.
Data security challenges predate AI. What has changed is scale. AI operates faster than any human, requiring governance frameworks designed for AI agents — not people.
Adoption continues to surge. Ninety percent of organizations use enterprise GenAI tools such as Copilot, Glean or Gemini. Another 74% have approved tools like ChatGPT, 68% rely on third-party agents and 59% have built their own. At the same time, 41% report shadow GenAI tools, and 32% say unknown third-party agents are in use.
Control has not kept pace. Seven in 10 organizations struggle to enforce policies on GenAI tools. Sixty-eight percent do not know what data AI agents can access, 66% cannot enforce policies on those agents and 65% do not know what data enters GenAI systems.
The tools are widespread. The guardrails are not.
The report also highlights a measurement gap. Many organizations track prompts, tokens and usage but not accuracy, data protection or business value. That helps explain why adoption is high while performance lags: only 20% of AI projects meet their KPIs.
The report’s conclusion: AI is no longer experimental. It is embedded in core operations, often before underlying data is secure or well governed. As deployment accelerates, the gap between adoption and control continues to widen.
In MIND’s survey, nearly two-thirds of CISOs said they lack confidence that their controls can prevent unsafe AI data access.
Photo by Claudio Schwarz on Unsplash
