Netskope outlines gaps in enforcing generative AI data protection
A newly published vendor post argues that enterprises are deploying Artificial Intelligence (AI) at scale while lacking enforceable governance controls for Generative AI (GenAI) applications, creating compliance and security exposure for regulated and sensitive data. The update matters to IT and security leaders because it ties governance gaps to observed policy violations and rising incident volumes.
Research Overview
The post defines data governance as a framework for managing, protecting, and responsibly using data through policies and processes that address quality, security, and personal privacy. It says governance is typically measured through compliance with legislation and regulation.
It cites survey and reporting figures indicating broad enterprise adoption of AI tooling, including GenAI apps and GenAI features in third-party applications. It also states that 100 AI models are built using data, and that models ingest and produce data.
Key Findings
The blog states that 50% of organizations lack enforceable data protection policies for GenAI applications. It links this to an inability to provably comply with requirements under laws such as General Data Protection Regulation (GDPR), and mentions that GDPR fines can reach millions or billions.
It further describes security and governance maturity gaps, including that 68% of organizations rate AI governance as reactive or developing. The post also reports that just 7% have advanced governance with real-time enforcement capabilities.
Threat Analysis and Operational Impact
The post describes “shadowy risks” as a collision between compliance and security as more employees use AI tools in day-to-day work. It cites concerns that sensitive information such as customer records, proprietary intellectual property, and source code can be shared with public AI models.
It states that source code exposure appears in nearly 50% of AI-related policy violations, and that incidents involving users sending sensitive data to AI apps have doubled over the past year. The blog says the average organization sees 223 incidents per month.
It attributes visibility gaps to shadow AI usage, citing that 39% of employees use free AI tools at work and another 17% use AI tools they privately pay for. It also reports that 31% of organizations rely on written policies and employee compliance as their primary enforcement mechanism, and describes fragmented AI adoption where teams use AI without shared standards or security policies.
Governance Focus and Product Update
The post recommends establishing acceptable-use policies for AI and data, including specifying which data can be used for AI training, which datasets are off-limits, which third-party AI tools are managed, and what approval processes apply. It also calls for visibility into where data resides and how it interacts with AI to close compliance gaps.
On enforcement approach, it says granular policy enforcement should be the goal rather than broad blocking that users may bypass. It also describes an approach that extends existing data protection practices and zero trust principles into the AI environment.
For its own offering, the blog describes a capability to discover and classify sensitive information across the data lifecycle, including ingestion for model training and real-time prompts and responses. It also states it covers both pre- and post-production AI security with pre-deployment red teaming using automated adversarial simulations, and it references an end-to-end “AI Security Playbook” as a practical guide.
This vendor post centers on reported enterprise gaps in enforceable governance for GenAI, along with rising sensitive-data incident volumes and limited real-time enforcement adoption. This Blog Signals brief is a fact-based summary of the vendor blog.