AI-Focused Data Security Report Identifies Cloud Governance Gaps

• By David Ramel
• 05/27/25

Excessive permissions and AI-driven risks are leaving cloud environments dangerously exposed, according to a new report from Varonis, a data security and analytics specialist.

The company's 2025 State of Data Security Report, based on an analysis of 1,000 real-world IT environments, paints a troubling picture of enterprise cloud security in the age of AI. Among its most alarming findings: 99% of organizations had sensitive data exposed to AI tools, 98% used unverified or unsanctioned apps — including shadow AI — and 88% had stale but still-enabled user accounts that could provide entry points for attackers. Across platforms, weak identity controls, poor policy hygiene, and insufficient enforcement of security baselines like multifactor authentication (MFA) were widespread.

The report surfaces a range of trends across all major cloud platforms, some revealing systemic weaknesses in access control, data hygiene, and AI governance. AI plays a significant role, Varonis pointed out in an accompanying blog post:

"AI is everywhere. Copilots help employees boost productivity and agents provide front-line customer support. LLMs enable businesses to extract deep insights from their data.

"Once unleashed, however, AI acts like a hungry Pac-Man, scanning and analyzing all the data it can grab. If AI surfaces critical data where it doesn't belong, it's game over. Data can't be unbreached.

"And AI isn't alone — sprawling cloud complexities, unsanctioned apps, missing MFA, and more risks are creating a ticking time bomb for enterprise data. Organizations that lack proper data security measures risk a catastrophic breach of their sensitive information."

Additional findings include:

• 99% of organizations have sensitive data exposed to AI tools: The report found that nearly all organizations had data accessible to generative AI systems, with 90% of sensitive cloud data, including AI training data, left open to AI access.
• 98% of organizations have unverified apps, including shadow AI: Employees are using unsanctioned AI tools that bypass security controls and increase the risk of data leaks.
• 88% of organizations have stale but enabled ghost users: These dormant accounts often retain access to systems and data, posing risks for lateral movement and undetected access.
• 66% have cloud data exposed to anonymous users: Buckets and repositories are frequently left unprotected, making them easy targets for threat actors.
• 1 in 7 organizations do not enforce multifactor authentication (MFA): The lack of MFA enforcement spans both SaaS and multi-cloud environments and was linked to the largest breach of 2024.
• Only 1 in 10 organizations had labeled files: Poor file classification undermines data governance, making it difficult to apply access controls, encryption, or compliance policies.
• 52% of employees use high-risk OAuth apps: These apps, often unverified or stale, can retain access to sensitive resources long after their last use.
• 92% of companies allow users to create public sharing links: These links can be exploited to expose internal data to AI tools or unauthorized third parties.
• Stale OAuth applications remain active in many environments: These apps may continue accessing data months after being abandoned, often without triggering alerts.
• Model poisoning remains a major threat: Poorly secured training data and unencrypted storage can allow attackers to inject malicious data into AI models.

The report offers a sobering assessment of how AI adoption is magnifying long-standing issues in cloud security. From excessive access permissions to shadow AI, stale user accounts, and exposed training data, the findings make clear that many organizations are not prepared for the speed and scale of today's risks. The report urges organizations to reduce their data exposure, implement strong access controls, and treat data security as foundational to responsible AI use.

The full report is available on the Varonis site (registration required).