
Enterprise AI and SaaS Data Security Report 2025

Real-world insights into enterprise AI and SaaS usage, blind spots, governance gaps, and data leakage channels

The only report that offers real-life analysis and data from large-scale enterprises, based on actual usage

Summary
SaaS and Generative AI have become the backbone of enterprise productivity. From email and online meetings to ChatGPT and file-sharing tools, nearly every business workflow runs through the browser, making the browser the main control point where enterprise data risks are most acute, and most overlooked.

But with this rapid adoption come new blind spots. Employees are increasingly accessing critical apps through unmanaged accounts, uploading sensitive files into GenAI, and moving data via invisible copy/paste channels. Traditional DLP solutions, designed for file-based and sanctioned environments, cannot keep pace with this shift.

This report provides data on where employees spend their time, how they log in, and where sensitive data flows. The findings are based on real-world enterprise browsing telemetry and highlight why a new approach to SaaS and AI DLP is urgently needed.

What Makes LayerX’s Data Unique
LayerX’s data set is unique because of where we collect our data and who we collect it from. The LayerX Security solution is deployed directly within users’ web browsers, meaning that LayerX has full visibility into all user activity and data that passes through the browser. This allows us to gain comprehensive insights into the usage of SaaS apps and AI tools in enterprises and provides visibility into the sensitive data that flows into them. Moreover, LayerX’s customer base is comprised entirely of enterprises, meaning that the insights we collect are specific to enterprise users and organizations.

Executive Summary

Even Though AI Is Relatively New, Half of Employees Are Already Using It.
AI technologies sprang into our lives only in the past 2-3 years, yet already 45% of enterprise users are actively using AI platforms, with AI representing 11% of all enterprise activity, a remarkable adoption rate for such a new technology. ChatGPT is far and away the leader in AI usage, with 43% of users (and 92% of AI users) using it. AI has moved from experimental to essential, rivalling traditional SaaS categories like file-sharing and business apps.

For All The Talk of SaaS Security Governance, Nearly Half of File Uploads to AI and File-Sharing Tools Contain Sensitive Data.
40% of files uploaded into GenAI tools and 41% of those uploaded into file storage platforms contain PII or PCI data. It means that nearly half of the data employees push into these platforms is highly sensitive, turning these tools into major hotspots for potential breaches and compliance risks. Nearly 4 in 10 of these uploads happen via non-corporate accounts, making shadow IT and shadow AI the new frontiers of enterprise data leakage.

While Enterprises Secure File Uploads, Most Sensitive Data Leaks Through Copy/Paste, with GenAI Being the #1 Destination.
77% of users paste data into GenAI tools, and 82% of this activity comes from unmanaged accounts. This means that the majority of data that employees move into GenAI tools is moved outside enterprise oversight, turning copy/paste into a massive blind spot for data leakage. On average, employees make 14 pastes/day using non-corporate accounts, of which at least 3 contain sensitive data. GenAI accounts for 32% of all corporate to personal data exfiltration, making it the #1 vector for corporate data movement outside sanctioned environments.

#4 Despite Enterprise Identity Controls, Personal and Non-Federated Accounts Have Taken Over Business-Critical Apps.
Identity security is one of the hottest segments in cybersecurity today, yet 67% of AI usage, 64% of Zoom logins, and 77% of Salesforce logins happen via unmanaged personal accounts.
Even enterprise-heavy apps are riddled with shadow access, creating blind spots where sensitive data flows beyond enterprise control. Moreover, even when corporate accounts are used, SSO enforcement is dangerously weak. CRM (71% non-federated) and ERP (83% non-federated) are widely accessed without SSO, making corporate logins no safer than personal ones.

#5 AI Everywhere + Rampant Personal Account Usage + Weak SSO Enforcement = Enterprise Blind Spots.
AI tools like ChatGPT, Claude, and Microsoft Copilot have achieved massive enterprise penetration, with 45% of all employees already using them in daily workflows. Yet governance is almost entirely absent. 67% of ChatGPT access happens through unmanaged accounts, and even when using corporate logins, SSO adoption is effectively zero. The result is an enterprise ecosystem where AI drives productivity, but every session, upload, or paste exposes sensitive data to uncontrolled environments.

CISO Recommendations
Based on these findings, we suggest CISOs and security managers implement a number of high-level recommendations to cover their bases:

Look Beyond The Top Known Tools and Foc