Kiteworks survey reveals organizations are failing to implement strong technical controls for AI data security

Kiteworks recently released findings from its AI Data Security and Compliance Risk Survey of 461 cybersecurity, IT, risk management, and compliance professionals. The survey, which was conducted by Centiment, reveals critical implementation failures: only 17% of organizations have technical controls that block access to public AI tools combined with DLP scanning, while 26% report over 30% of data employees ingest in public AI tools is private data.

These findings emerge amid a documented surge in AI-related incidents. Stanford's 2025 AI Index Report records a 56.4% year-over-year increase in AI privacy incidents, reaching 233 incidents last year. The Kiteworks survey exposes how organizations remain unprepared: 40% restrict AI tool usage through training and audits, 20% rely solely on warnings without monitoring, and 13% lack any specific policies for public AI tool usage—leaving the vast majority vulnerable to emerging threats.

"Our research reveals a fundamental disconnect between AI adoption and security implementation," said Tim Freestone, Chief Marketing Officer at Kiteworks. "When only 17% have technical blocking controls with DLP scanning, we're witnessing systemic governance failure. The fact that Google reports 44% of zero-day attacks target data exchange systems undermines the very systems organizations rely on for protection."

Industry Benchmarks Reveal Dangerous Overconfidence Gap

The Kiteworks survey exposes a critical overconfidence crisis in AI governance readiness. While 40% of survey respondents report having fully implemented an AI governance framework to manage AI-related cybersecurity risks, this contrasts starkly with Gartner's finding that only 12% of organizations have dedicated AI governance structures, with 55% lacking any framework whatsoever. This dramatic gap between perception and reality creates unprecedented risk exposure.

Deloitte's research provides even more sobering context: only 9% of organizations achieve "Ready" level AI governance maturity, despite 23% claiming to be "highly prepared"—a 14-point overconfidence gap. This misalignment is particularly concerning given that 86% of organizations lack visibility into AI data flows, according to industry research.

The rush to adopt AI without proper controls is accelerating. A recent EY survey found 48% of technology companies are already deploying AI agents, with 92% planning to increase AI spending—a 10% jump from March 2024. Yet this enthusiasm comes with what EY calls 'tremendous pressure' to demonstrate ROI, creating incentives to prioritize speed over security.

"The gap between self-reported capabilities and measured maturity represents a dangerous form of organizational blindness," explained Patrick Spencer, VP of Corporate Marketing and Research at Kiteworks. "When organizations claiming governance discover their tracking reveals significantly more risks than anticipated, according to Deloitte, and when 91% have only basic or in-progress AI governance capabilities, this overconfidence multiplies risk exposure precisely when threats are escalating."

Legal Sector Exemplifies Implementation-Awareness Gap

The Kiteworks survey found legal professionals report the highest concern about data leakage at 31%, yet implementation remains weak: 15% have no specific policies or controls regarding the use of public AI tools with company data, while 19% rely on unmonitored warnings.

This implementation gap becomes more pronounced in privacy investment strategies. While 23% of all organizations maintain comprehensive privacy controls with regular audits before any AI system deployment, only 15% of legal firms have fallen into the trap of having no formal privacy controls while prioritizing rapid AI adoption—an 8-point improvement over the 23% average across all sectors yet still concerning given their fiduciary duties.

The disconnect aligns with Thomson Reuters data showing only 41% of law firms have AI policies despite 95% expecting AI to become central within five years. This gap between current readiness and future expectations in the legal sector—an industry built on precedent and risk mitigation—exemplifies the broader organizational tendency to defer critical security implementations while embracing transformative technologies.

The survey's finding that only 17% have implemented technical controls that block access to public AI tools combined with DLP scanning becomes more concerning given the evolving threat landscape. Google's research reveals 44% of zero-day vulnerabilities target data exchange systems, with 60% of enterprise-targeted zero-days exploiting security and networking tools—the very systems meant to protect sensitive data.

Despite awareness of risks, the Kiteworks survey found organizations remain deeply divided on addressing vulnerabilities:

• 34% report using a balanced approach with data minimization and selective privacy-enhancing technologies

• 23% maintain comprehensive privacy controls with regular audits

• 10% have basic privacy policies but prioritize AI innovation

• 10% address privacy concerns reactively, focusing on compliance only when legally required

• 23% have no formal privacy controls and prioritize rapid AI adoption

Based on the convergence of weak controls, limited visibility, and escalating threats, organizations must:

1. Acknowledge Reality: Recognize that self-assessed governance may significantly overstate actual maturity based on industry benchmarks

2. Deploy Verifiable Controls: Implement automated governance tracking and controls that can demonstrate compliance, not just claim it

3. Prepare for Regulatory Scrutiny: Quantify exposure gaps and implement measurable improvements

"The data reveals organizations significantly overestimate their AI governance maturity," concluded Freestone. "With incidents surging, zero-day attacks targeting the security infrastructure itself, and the vast majority lacking real visibility or control, the window for implementing meaningful protections is rapidly closing."