Historically, file uploads and transfers have been the weakest link when it comes to enterprise data loss. However, according to new research, the clipboard has become the leading risk, and it’s largely thanks to GenAI.
These findings come from LayerX’s Browser Security Report 2025, which was published earlier this week. Based on an analysis of real-world, browser-related trends and breaches, the report explores the top risks and security blind spots associated with browsers, and outlines how organizations can secure this new frontier.
According to the report, nearly half of all employees now use GenAI tools. But despite GenAI becoming one of the fastest-growing business tools, it remains the least-governed, says LayerX CEO, Or Eshed.
“Unlike traditional browsers, these AI-driven ones operate outside enterprise visibility and DLP controls, turning session memory, auto-prompting, and cookie sharing into new exfiltration paths. And because employees adopt them alongside Chrome or Edge, most security tools never see them,” Eshed explains.
So how exactly are these tools exfiltrating data? It’s quite simple: 77% of users paste data into prompts, and 62% of chat pastes contain Personally Identifiable Information (PII) or Payment Card Information (PCI).
With the majority of this activity (82%) being conducted through unmanaged personal accounts, copy/paste has become a huge blind spot for enterprise data exfiltration.
However, the severity of this risk lies not only in the volume of data being leaked, but also in the nature of it; with so many users inputting PII and PCI into GenAI tools, organizations could find themselves facing not only severe data breaches, but also significant compliance violations.
But AI tools are not the only means through which copy/paste data is leaving organizations. According to the report, 38% of employees upload files to file storage or sharing tools, and 41% of that data contains PII or PCI. Another 15% paste data into chat/instant messaging apps and CRM tools.
While these tools see less data in terms of volume, they carry the most risk; 62% of pastes into instant messaging apps contain PII or PCI, and 87% of that data is pasted from unmanaged personal accounts.
Key Takeaways And Mitigation
From these statistics, it’s clear to see that security teams need better visibility into how users are moving data across the enterprise—particularly when it comes to unsanctioned or shadow applications. By allowing users to log into business-critical SaaS systems and GenAI platforms without oversight, organizations are putting sensitive customer and financial data at risk.
To tackle this risk, organizations should establish allow- and blocklists for AI tools and extensions, monitor for shadow IT and unapproved browser usage and activity, and monitor real-time data movements using in-browser Data Loss Prevention (DLP), says LayerX.
“For CISOs, the path forward is clear: data protection must evolve from app-based coverage to browser-native visibility, where every action, file upload, paste, or prompt is continuously monitored, classified, and controlled in real-time to stop data exfiltration before it happens,” the company explains.
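As an added illustration of the in-browser paste inspection recommended above (not code from LayerX or its report), the following JavaScript classifies clipboard text for card numbers and PII-like patterns and applies an allow/audit/block policy. The hostnames, detection patterns and managed-account flag are assumptions made for this example.

```javascript
// Added example: classify pasted text before it reaches a GenAI prompt or chat box.
// Hostnames, patterns and policy are constructed for illustration.
const SANCTIONED_HOSTS = new Set(["ai.corp.example"]); // hypothetical allowlist

// Luhn checksum: filters out digit runs that are not plausible card numbers.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Return the sensitive-data categories found in a pasted string.
function classifyPaste(text) {
  const findings = new Set();
  // 13 to 19 digits, optionally separated by single spaces or dashes.
  for (const m of text.matchAll(/\b\d(?:[ -]?\d){12,18}\b/g)) {
    if (luhnValid(m[0].replace(/[ -]/g, ""))) findings.add("PCI:card-number");
  }
  if (/\b\d{3}-\d{2}-\d{4}\b/.test(text)) findings.add("PII:us-ssn-format");
  if (/\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/.test(text)) findings.add("PII:email");
  return [...findings].sort();
}

// Policy: sensitive pastes pass only into sanctioned hosts under a managed account,
// and are audited there; everywhere else they are blocked.
function decide(text, host, managedAccount) {
  const findings = classifyPaste(text);
  const trusted = SANCTIONED_HOSTS.has(host) && managedAccount;
  const action = findings.length === 0 ? "allow" : trusted ? "audit" : "block";
  return { action, findings };
}

// Browser wiring (skipped outside a browser): enforce the decision on paste events.
if (typeof document !== "undefined") {
  document.addEventListener("paste", (e) => {
    const text = e.clipboardData ? e.clipboardData.getData("text/plain") : "";
    // managedAccount would come from the enterprise identity layer; false is a placeholder.
    const { action, findings } = decide(text, location.hostname, false);
    if (action === "block") { e.preventDefault(); console.warn("paste blocked", findings); }
  }, true);
}
```

The Luhn check keeps order IDs and other long digit strings from being flagged as card numbers, which matters when a block decision interrupts the user's paste.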