
Insider Risk with Nightfall DLP: Episode 2 - Managing Shadow AI

by Chris Martinez, March 26, 2025

Earlier this year, security researchers found more than 1 million records, including user data and API keys, in an exposed DeepSeek database. This massive exposure event tells us that data exfiltration risk and AI proliferation are forever linked together: as AI tools grow in popularity and complexity, exfiltration risk rises in kind.

Nightfall is responding to this challenge with our new insider risk feature to address Shadow AI - the growing challenge of employees using generative AI tools without proper security governance. Nightfall’s all-in-one DLP prevents data loss and exposure in unsanctioned Gen AI platforms like ChatGPT and DeepSeek. We’re also sharing two scenarios of Gen AI usage at work: one where Nightfall guards against Shadow AI, and another that shows how sanctioned AI is safer.

Why shadow AI is not safe and how DLP saves the day

A law firm’s data/IT department encourages use of AI and has signed a no-data-sharing security agreement with Anthropic for Claude. A member of the firm’s marketing team needs to create a two-sentence summary of a long pitch deck. They turn to ChatGPT, upload the deck to their personal account, and ask the AI tool to summarize it. They don’t realize that the personal account license enables OpenAI to use the shared data to train and generate future responses.

Nightfall DLP takes the following steps to prevent shadow AI use:

  • Automatically scans for sensitive information like intellectual property and confidential financial reports in the deck.
  • Recognizes the use of an unsanctioned Gen AI tool: in this case, ChatGPT.
  • Blocks the upload and notifies the user in real time and in Slack.
  • Provides information in Slack about why the upload was blocked, offers guidance on how to use the firm’s approved Gen AI tool, Anthropic Claude, and provides a channel for the user to request an exception to use ChatGPT.

In the short term, DLP prevented a potential exfiltration event through an unsanctioned Gen AI tool while educating the user about a secure way to get the task done. Over the long term, employees can be pivotal in helping the security team identify and secure emerging AI-powered tools that enhance workflows.

How data stays safe in sanctioned Gen AI platforms

A customer service team wants to craft more personal responses to incoming support tickets. They try uploading a specific support request to Claude, a conversational AI chatbot. Claude generates the perfect email response for the customer: comprehensive, polite, and concise.

The email from Claude contains PII (personally identifiable information) from the support ticket: a social security number and the client’s name and address. Since the team member used their corporate Claude account, this data remains secure. The security team has agreed with Claude’s maker, Anthropic, that the team’s data will not be used to retrain Anthropic’s models.

Understanding the difference between Shadow AI and sanctioned AI is crucial. Shadow AI tools, often tied to personal accounts, typically lack robust data security and sharing safeguards. In contrast, a corporate agreement with an AI provider ensures stronger protection—much like the secure collaboration between this customer service team and Claude under a thoughtful security policy.
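The two scenarios above come down to one policy decision: what sensitive data is in the content, and whether the destination is a sanctioned tool used from a corporate account. The following is an added illustration of that decision in Python, not Nightfall’s code or configuration: the domain lists, the regex detectors, the rule that a personal account on a sanctioned tool is treated like an unsanctioned tool, and the exception-request URL are all constructed assumptions, as are the sample pitch deck and support ticket.

```python
import re
from dataclasses import dataclass

# Constructed policy tables (assumptions for this example, not a real Nightfall policy).
SANCTIONED_AI = {"claude.ai": "Anthropic Claude (corporate agreement)"}
KNOWN_GEN_AI = {"chatgpt.com", "chat.openai.com", "chat.deepseek.com", "claude.ai"}
EXCEPTION_URL = "https://example.invalid/dlp/exception-request"  # placeholder

# Constructed detectors. A production DLP engine adds checksum and context
# validation to cut false positives; these regexes only drive the decision below.
DETECTORS = {
    "US_SSN": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "AWS_ACCESS_KEY_ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "CONFIDENTIAL_MARKER": re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE),
}


@dataclass
class Verdict:
    action: str        # "allow" or "block"
    findings: list     # detector names that fired
    reason: str        # one-line explanation for the audit log
    user_message: str  # text delivered to the user (e.g. via Slack); empty on allow


def scan(content: str) -> list:
    """Return the sorted names of every detector that matches the content."""
    return sorted(name for name, rx in DETECTORS.items() if rx.search(content))


def evaluate_upload(destination: str, content: str, corporate_account: bool) -> Verdict:
    """Decide whether an upload of `content` to `destination` may proceed."""
    findings = scan(content)
    if not findings:
        # Nothing sensitive: the tool choice is a governance question, not a DLP block.
        return Verdict("allow", [], "no sensitive data detected", "")

    if destination in SANCTIONED_AI and corporate_account:
        reason = (f"sensitive data ({', '.join(findings)}) sent to sanctioned tool "
                  f"{SANCTIONED_AI[destination]}")
        return Verdict("allow", findings, reason, "")

    # Unsanctioned tool, or a personal account on an otherwise sanctioned tool.
    if destination not in SANCTIONED_AI:
        why = f"{destination} is not a sanctioned Gen AI tool"
    else:
        why = f"personal account used on {destination}"
    approved = ", ".join(SANCTIONED_AI.values())
    msg = (f":no_entry: Upload to {destination} blocked. Detected: {', '.join(findings)}.\n"
           f"Reason: {why}.\n"
           f"Use the approved tool instead: {approved}.\n"
           f"Need this tool for your task? Request an exception: {EXCEPTION_URL}")
    return Verdict("block", findings, why, msg)


# Constructed sample inputs standing in for the two scenarios in the post.
PITCH_DECK = ("CONFIDENTIAL - Q3 pitch deck\n"
              "Projected revenue: $4.2M; demo environment key AKIAEXAMPLE123456789\n")
SUPPORT_TICKET = ("Ticket #4471 from Jane Doe, 12 Elm St, Springfield. "
                  "SSN on file: 123-45-6789. Issue: billing address change.")

if __name__ == "__main__":
    for dest, text, corp in [("chatgpt.com", PITCH_DECK, False),
                             ("claude.ai", SUPPORT_TICKET, True),
                             ("claude.ai", SUPPORT_TICKET, False)]:
        v = evaluate_upload(dest, text, corp)
        print(f"{dest:14} corporate={corp!s:5} -> {v.action:5} {v.reason}")
        if v.user_message:
            print(v.user_message)
```

The marketing upload to ChatGPT is blocked with the guidance message; the support ticket to a corporate Claude account is allowed and logged, while the same ticket from a personal Claude account is blocked, which is the distinction the post draws between Shadow AI and sanctioned AI.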

DLP helps teams understand shadow AI risk

Whatever AI tools you’re using at work, remember that knowledge is power. Knowing where your data is going and who has access to it is essential. Securing data is the first job you must do when implementing any new system into a tech stack. And with Nightfall DLP, it’s easy to enforce policies to combat shadow AI and keep critical data safe.

Learn how Nightfall can get you up and running in just minutes to help manage Insider Risk scenarios like Shadow AI by booking a demo with us.
