Generative AI Tools Linked to Widespread Sensitive Data Exposure in Early 2025

TLDR: A recent report by Concentric AI reveals that generative AI technologies, such as Microsoft Copilot, are inadvertently facilitating the large-scale exposure of sensitive data. In the first half of 2025, Copilot alone accessed nearly three million sensitive data records per organization, with over 3,000 user interactions, significantly increasing data risk. This issue is compounded by existing vulnerabilities like excessive data sharing, poor data hygiene, and the rise of ‘shadow GenAI’ usage, leading to billions of records being compromised globally.

A new report from Concentric AI highlights a concerning trend in the first half of 2025: generative AI (GenAI) tools are inadvertently exposing sensitive data at an alarming rate. The study indicates that generative AI tools, including Microsoft Copilot, accessed an average of nearly three million sensitive data records per organization during this period. This extensive access is further exacerbated by over 3,000 user interactions with Copilot per organization, creating numerous opportunities for sensitive data to be modified or shared without adequate controls.

The report underscores that this widespread exposure isn’t solely a new problem introduced by AI, but rather an amplification of existing data security challenges. Factors such as unstructured data, duplicate files, and risky sharing practices continue to plague security teams. Excessive sharing remains a critical issue, with an average of three million sensitive data records per organization being shared externally, accounting for more than half of all shared files. Financial services firms, for instance, showed the highest percentage of external sharing involving sensitive data, reaching 73 percent. A particular vulnerability highlighted is the use of ‘Anyone links,’ which grant unrestricted access without requiring sign-in.

Beyond direct access, the rise of ‘shadow GenAI’ usage—where employees utilize unsanctioned AI tools—introduces additional risks, as organizations may be unaware of where their sensitive data is being processed or stored. This concern is echoed by other cybersecurity analyses, with Trend Micro’s H1 2025 report noting a high-severity vulnerability (CVE-2025-32711) in Microsoft 365 Copilot, which could have allowed attackers to steal sensitive data through AI command injection.

The broader cyber threat landscape in the first half of 2025 further illustrates the scale of the problem. Globally, over 6.9 billion records were compromised, with one significant breach exposing more than 410 million user records from a single social media platform. Healthcare data continues to be the most frequently compromised, accounting for 28% of breaches, while government agencies faced over 300 significant breaches. The average time to detect a data breach in 2025 was 172 days. Misconfigured cloud databases were responsible for 34% of these breaches.

Adversaries are also leveraging GenAI to enhance their malicious activities. Reports indicate that AI is being used to ‘supercharge insider threats and social engineering,’ making phishing campaigns more convincing. Studies show that LLM-generated phishing emails achieve significantly higher click-through rates (54%) compared to human-composed emails (12%). Voice phishing (vishing) attacks have also seen a dramatic increase, surpassing the total volume of 2024 within the first half of 2025, as threat actors exploit human vulnerabilities and compromised credentials.

Furthermore, cloud intrusions have surged, with CrowdStrike OverWatch identifying a 136% increase in the first half of 2025 compared to all of 2024, indicating growing adversary proficiency in exploiting cloud environments. The combination of these factors paints a clear picture: while generative AI offers immense potential, its integration into business operations without robust security measures is creating unprecedented levels of sensitive data exposure and escalating cyber risks.

Tanya Menon
Tanya Menon is a real-time news specialist focusing on fast updates and micro-analysis of the global AI market. Known for her agile and energetic reporting style, Tanya leverages automation tools to scan emerging news signals and deliver concise, actionable updates. Her coverage is essential for decision-makers who need the GenAI headlines before they go mainstream.
