Blog Data Security

Data Security Report Reveals 99% of Orgs Have Sensitive Information Exposed to AI

Varonis' 2025 State of Data Security Report shares findings from 1,000 real-world IT environments to uncover the dark side of the AI boom and what proactive steps orgs can take to secure critical information.
Lexi Croisdale
1 min read
Last updated May 20, 2025
AI is a ticking time bomb for data

Contents

    AI is everywhere. Copilots help employees boost productivity and agents provide front-line customer support. LLMs enable businesses to extract deep insights from their data.

    Once unleashed, however, AI acts like a hungry Pac-Man, scanning and analyzing all the data it can grab. If AI surfaces critical data where it doesn’t belong, it’s game over. Data can’t be unbreached. 

    And AI isn’t alone — sprawling cloud complexities, unsanctioned apps, missing MFA, and more risks are creating a ticking time bomb for enterprise data. Organizations that lack proper data security measures risk a catastrophic breach of their sensitive information.

    To quantify AI’s impact on data risk, Varonis produced the 2025 State of Data Security Report: Quantifying AI’s Impact on Data Risk. Download the full report and continue reading to learn about the latest risks to data in 2025.

    Download the Varonis 2025 State of Data Security Report
    Download now
    AI-Security

    About the report 

    Our team analyzed data from 1,000 real-world IT environments and found that no organization was breach proof. In fact, 99% of organizations have exposed sensitive data that can easily be surfaced by AI.

    The 2025 State of Data Security Report examines nearly 10 billion — yes, billion — files and deep dives into the data risks associated with AI, cloud environments, and some of the most popular SaaS apps and services, such as Microsoft 365, AWS, Box, Salesforce, and many others. 

    Below are just a few key findings from our research: 

    • We found that 98% of organizations have unverified apps, including unsanctioned AI, also known as shadow AI, which increases the risk of exposure and data breaches.
    • The largest breach of 2024 was attributed to missing MFA. We discovered that 1 in 7 orgs do not use or enforce MFA across their SaaS and multi-cloud environments. 
    • Stale accounts remain dangerous after a user’s last login, and 88% of the orgs have stale but enabled ghost users in their environments.
    • Despite the importance of labeling, only 1 out of 10 companies had labeled files
    • 66% of companies have cloud data exposed to anonymous users.

    Alongside these alarming stats, our experts share proactive steps to help secure your critical data throughout the report.

    Ready to learn more?

    Download the Varonis 2025 State of Data Security Report today. 

    What should I do now?

    Below are three ways you can continue your journey to reduce data risk at your company:

    1

    Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

    2

    See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

    3

    Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

    Lexi Croisdale
    Lexi Croisdale Lexi Croisdale joined the Varonis team in 2023 as a Content Marketing Manager. She enjoys writing about the latest cybersecurity trends and insights to help companies keep their data protected. She also loves DIY crafts, the outdoors, and reading.

    Try Varonis free.

    Get a detailed data risk report based on your company’s data.
    Deploys in minutes.
    Get started View sample

    Keep reading

    Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

    exploring-infrastructure-as-code:-a-technical-deep-dive 
    Exploring Infrastructure as Code: A Technical Deep Dive 
    exploring-infrastructure-as-code:-a-technical-deep-dive 
    Daniel Miller
    May 13, 2025
    See how Infrastructure as Code (IaC) enhances security, streamlines operations, and optimizes infrastructure management.
    dlp-solutions-need-a-zero-trust-renaissance
    DLP Solutions Need a Zero-Trust Renaissance
    dlp-solutions-need-a-zero-trust-renaissance
    Shawn Hays
    May 7, 2025
    Adoption of AI applications has transformed how data flows in and out of the organization. DLP needs a zero-trust renaissance in a post-AI world.
    enhancing-proactive-security-across-saas-applications 
    Enhancing Proactive Security Across SaaS Applications 
    enhancing-proactive-security-across-saas-applications 
    Daniel Miller
    May 7, 2025
    Discover powerful strategies to secure SaaS apps, Microsoft 365, and AI tools like Copilot. Uncover how to safeguard your data and elevate cloud security.