AI and Third-Party Growth Leave Companies Exposed to Security Risks

As organizations rush to adopt AI and expand their third-party ecosystems, many are losing track of who can access their most sensitive data. Kiteworks’ 2025 report warns that this lack of visibility and growing overconfidence are leaving nearly half of companies exposed to severe security, compliance, and financial risks.

Kiteworks has recently conducted a survey of 461 organizations across North America, Europe, APAC, and the Middle East. This research found that 46% of organizations lack visibility into how many third parties access their sensitive data.

Delayed breach detection amplifies legal and financial risks

This study also found that 49% of organizations that are uncertain about security breaches fail to quantify litigation costs, and 36% of those unaware of AI usage use zero privacy technologies. Moreover, 42% of organizations take between 31 to 90 days to detect a data breach, which significantly increases the risk of regulatory penalties, financial loss, and reputational damage due to delayed response.

“Organizations operating blind face dramatically worse outcomes across every metric we measured. The cascade effect is undeniable: unknown third-party relationships lead to missed breaches, which prevent compliance demonstration, which results in massive costs,” explained Tim Freestone, CMO of Kiteworks.

Additionally, organizations with 1,001 to 5,000 third-party vendors are in the highest-risk category. The research indicates that 24% of them suffer seven or more data breaches annually, 46% report the highest levels of supply chain risk, and 42% take over a month to detect security breaches.

Organizations that detect breaches quickly tend to face much lower litigation costs, while over 75% of those hit by more than 10 hacks end up paying at least $3 million in legal expenses due to delayed response and poor breach management.

AI governance emerges as a major blind spot

According to Kiteworks, AI governance remains a major blind spot for most organizations, with only 17% having implemented technical controls to manage how AI interacts with sensitive data. This lack of oversight increases the risk of data misuse and compliance violations, as well as leaves companies vulnerable to breaches.

The energy and utilities sector faces the highest data security risks, followed by technology and life sciences/pharma. This lack of visibility is a major issue that affects organizations worldwide.

Recommendations for strengthening data protection

Kiteworks recommends that organizations should gain full visibility into who accesses their sensitive data to reduce blind spots that lead to breaches and compliance failures. Moreover, companies must implement robust controls and monitoring systems to manage risk effectively before reaching 1,000+ third-party relationships.

Additionally, it’s advised to establish clear policies and safeguards to ensure responsible AI use and data protection within the organization. IT teams must use PETs to minimize data exposure, comply with regulations, and improve breach detection and response times.

Last but not least, organizations must invest in tools and processes that help to accelerate breach detection capabilities. They should also take steps to proactively align with frameworks like GDPR and the EU Data Act.