In 2025, businesses worldwide sent nearly one trillion AI-related transactions through their networks—a 91% increase over the previous year—and security teams were forced to block 39% of that traffic to stop sensitive data from leaking out. The numbers come from Zscaler’s ThreatLabz 2026 AI Security Report, released January 27, which paints a picture of AI adoption that has far outpaced the security controls designed to protect it.
A Trillion Transactions, 18,000 TB of Data, and a Block Button Stuck at 39%
Zscaler’s researchers examined telemetry from approximately 9,000 organizations using the company’s Zero Trust Exchange, covering more than 3,400 distinct AI applications. The sheer volume is staggering: nearly one trillion AI/ML transactions flowed through enterprise networks in 2025. That traffic carried over 18,000 terabytes of corporate data into third-party AI services—a 93% jump from the year before. And it wasn’t just a few power users; AI has become embedded in daily workflows across engineering, marketing, operations, and IT.
The most popular applications were the ones you’d expect: ChatGPT, Grammarly, GitHub Copilot, and Codeium. OpenAI alone generated three times more enterprise traffic than its next closest competitor. But familiarity bred risk: ChatGPT triggered more than 410 million data loss prevention (DLP) policy violations, as employees inadvertently—or carelessly—pasted source code, personally identifiable information, and regulated content into prompt windows.
Faced with that torrent, security teams threw up barriers. Thirty-nine percent of all AI/ML transactions were blocked outright due to privacy, compliance, or data-sharing concerns. The irony is that the most-blocked apps are the same tools employees rely on every day. Grammarly, for example, processes everything you type into nearly any text field; a single misconfigured policy can turn a writing assistant into an unmonitored data pipe.
What It Means for You—Depending on Your Day Job
The report’s findings translate into different risks for different people. For the everyday Windows user working in a corporate environment, it means that the AI tools baked into your familiar applications—Microsoft 365 Copilot, the “Smart Compose” in your email, the grammar checker in your browser—might be siphoning data you never intended to share. These embedded features often inherit your existing permissions, so they can access files, messages, and calendar items without triggering the usual security alerts. If you paste a customer’s credit card number into a grammar checker, your company’s DLP might catch it—but only if it’s configured to inspect AI traffic inline.
For IT administrators and security teams, the report surfaces a visibility crisis. Many organizations still cannot answer a basic question: “Which AI models and embedded features are touching our regulated data?” The traditional perimeter—firewalls, secure web gateways, even endpoint DLP—often misses AI interactions because they ride atop existing TLS-encrypted connections to legitimate SaaS platforms. Zscaler’s data suggests that without AI-specific decryption and inspection, up to 39% of traffic containing sensitive data would sail right through.
Developers face a different flavor of risk: supply chain compromise. The report warns that attackers will increasingly target AI pipelines—pre-trained models, datasets, connectors, and orchestration tools—as high-leverage entry points. A poisoned model hosted on a public repository could generate malicious code, exfiltrate environment variables, or create backdoors that survive future updates. And because tools like GitHub Copilot inject code directly into development environments, a compromised suggestion could introduce vulnerabilities at the pull-request stage, well before any human review catches it.
How We Got Here: From Pilot Projects to Invisible Infrastructure
The AI boom of 2025 didn’t happen in a vacuum. Throughout 2024 and into 2025, enterprises raced to adopt generative AI for productivity gains. What started as experimental pilots—a marketing team trying ChatGPT for ad copy, a developer using Copilot to speed up boilerplate code—quickly became standard operating procedure. Software vendors, smelling opportunity, rushed to embed AI features into every application: Microsoft added Copilot across Office 365, Salesforce launched Einstein GPT, and even niche tools like Grammarly gained an AI layer.
This “embedded AI” problem is perhaps the most insidious. Because these features are built into existing, trusted applications, they inherit the user’s permissions and bypass traditional security controls that look for new, standalone network connections to unknown domains. A Microsoft 365 Copilot response might pull from a confidential internal document and then, in a follow-up interaction, send a summary to a public model for refinement—all without the user or the security operations center noticing. Zscaler’s report found that this inheritance of permissions is a primary reason AI data leakage goes undetected.
Meanwhile, the red-team results show how quickly things go wrong. In controlled testing, Zscaler’s team achieved a median time of just 16 minutes to achieve a critical failure—defined as a significant data leak, prompt manipulation success, or safety bypass—across every AI system assessed. Some systems were compromised in seconds, and 90% fell within 90 minutes. Simple adversarial prompts, the kind a moderately skilled attacker might craft, were enough to break policy guardrails. The combination of widespread adoption, invisible embedded AI, and machine-speed vulnerabilities has created a perfect storm.
Five Steps to Get AI Data Flows Under Control
The Zscaler report doesn’t just sound an alarm; it offers a pragmatic path forward. For organizations that haven’t yet addressed AI security, here are five concrete, prioritized actions.
1. Discover everything that’s touching AI. Your first job is to build a living inventory. Identify every AI application in use, every SaaS tool with embedded AI features, every browser extension that calls a model, and every API connector. Classify each by risk: What data can it access? Is it sanctioned by IT? Keep this inventory updated; manual audits won’t scale.
2. Apply Zero Trust to every AI interaction. Adopt least-privilege access: users and systems should only be able to query models with the minimum necessary data scope. Segment AI traffic from the rest of the network, enforce authentication for model calls, and never embed long-lived secrets in code or notebooks. If a model needs to access a database, grant it read-only access to a specific table, not broad credentials.
3. Upgrade DLP to be AI-aware. Traditional DLP policies that scan email attachments and USB drives won’t cut it. You need inline inspection that understands the context of a prompt and the semantics of the data being transmitted. Modern AI-aware DLP can block or redact sensitive tokens (like Social Security numbers or API keys) in real time, before they leave your network. Make sure to decrypt and inspect traffic to known AI services; otherwise, you’re flying blind.
4. Lock down embedded AI features. Review your SaaS subscriptions and disable risky AI features by default until security and legal sign off. For tools like Microsoft 365 Copilot, restrict inherited permissions—don’t let it access everything a user can. Require vendors to provide contractual guarantees on data handling, retention, and whether your inputs are used to train their models.
5. Test, test, and test again—adversarially. Incorporate prompt-injection, hallucination, and data-leakage tests into your development pipelines. Run red-team exercises that simulate agentic attacks: automated scripts that probe AI connectors, manipulate prompts, and try to exfiltrate data. Monitor model outputs and logs for anomalies. Treat AI security testing with the same rigor you apply to web application penetration tests.
These steps aren’t theoretical. They map to the timeline Zscaler recommends: an inventory sprint in the first 30 days, baseline policy enforcement within 60 days, and full inline inspection deployment by 120 days. By 180 days, supply-chain hardening and adversarial testing should be routine.
Outlook: What to Watch for Next
The report also forecasts a wave of more sophisticated threats. Agentic AI attacks—where autonomous agents chain together reconnaissance, exploitation, and exfiltration—will compress attack timelines from days to minutes. Supply-chain poisoning will emerge as a favored vector: why break into a hardened enterprise when you can slip malicious code into a popular open-source model or dataset? And embedded AI features, already a blind spot, will become the “zero-click” attack vector of the AI era.
For Microsoft-centric environments, the implications are immediate. With Copilot deeply integrated into Windows, Office, and Azure, security teams need to ask whether their existing controls can see and govern those interactions. The window to act is now, before the first major breach at machine speed makes headlines. By treating AI not as a novelty but as critical infrastructure—with the same governance, monitoring, and resilience investments—organizations can harness the productivity gains without becoming the next cautionary tale.