A landmark study from Heimdal Security has dropped a bombshell on the enterprise IT world: artificial intelligence assistants have achieved near-ubiquitous infiltration, yet the security frameworks to control them are woefully absent. The firm’s 2026 AI risk research, drawing on telemetry from thousands of organizations, reveals that ChatGPT is active in 71% of IT environments in the United Kingdom, while Microsoft Copilot trails just behind at 68%. Across the Atlantic, the picture is similarly stark, with adoption rates for both tools climbing month over month.
The numbers are staggering, but they tell only part of the story. Beneath the surface, a more dangerous undercurrent is forming. These AI assistants are not just passive tools; they are deeply integrated into the fabric of corporate identity systems via OAuth permissions, often granted without proper oversight. The result is a sprawling, unmanageable web of privileged access that IT and security teams are only beginning to understand—and one that attackers are already probing.
Heimdal’s report, titled “AI Risk 2026: The Permissions Audit IT Can’t Ignore,” paints a picture of an industry at a crossroads. While business leaders champion AI-powered productivity, the very permissions that enable that productivity expose organizations to unprecedented levels of data exfiltration, lateral movement, and compliance failures. And as governments on both sides of the Atlantic scramble to draft AI regulations, security practitioners are increasingly convinced that the horse has already bolted.
The Ubiquity of AI Assistants
The numbers don’t lie. In the UK, 71% of monitored IT environments had at least one instance of ChatGPT accessing corporate data through a sanctioned OAuth integration. Microsoft Copilot was close behind at 68%, a figure that jumps to 81% when examining organizations with 500 or more Microsoft 365 seats. These aren’t isolated installations; Copilot is now a standard component of the Windows and Microsoft 365 ecosystem, deeply wired into applications like Word, Excel, Teams, and the Edge browser. ChatGPT, meanwhile, has evolved from a standalone chatbot into a platform powering hundreds of enterprise plugins and custom GPTs.
Heimdal’s telemetry indicates that the average mid-sized firm now has 14 distinct AI-related OAuth applications registered in its Microsoft Entra ID (formerly Azure AD) tenant. A worrying 37% of those request permissions classified as “high-impact”—capable of reading mail, accessing files, sending messages on behalf of users, or even managing calendar entries. And because these applications are often brought in by individual departments without central IT approval, security teams frequently do not know they exist.
The speed of adoption has far outstripped the speed of governance. “We saw a 210% increase in AI-app registrations between Q4 2024 and Q2 2025,” said Heimdal’s research lead, Sarah Voss, in a briefing accompanying the report. “That’s faster than any other category of cloud app in the last decade. The difference is that these apps aren’t just niche productivity tools—they are becoming the primary interface for how employees interact with business data.”
The Permissions Problem
What makes the AI assault on enterprise perimeters so concerning is the nature of the permissions these tools require. To deliver contextual responses, tools like Copilot need broad access to Microsoft Graph APIs—the very APIs that underpin all of Microsoft 365. Copilot does not simply index documents; it reads emails, analyses Teams chats, scans SharePoint libraries, and evaluates calendar metadata. To achieve this, it demands a constellation of delegated permissions such as Mail.Read, Files.Read.All, and Calendars.Read, often granted with the consent of a single, non-technical employee who simply wants the AI to “work better.”
ChatGPT’s plugin architecture introduces similar risks. Third-party plugins can request equally invasive scopes, and because OpenAI’s platform operates on a user-consent model, there is often no centralized review. The report details a case from a London-based financial services firm where a rogue ChatGPT plugin—masquerading as a PDF summarizer—was granted Mail.ReadWrite permissions on the first day it appeared. It went undetected for three months, quietly scraping thousands of confidential client emails until a routine audit flagged it.
That case is not an outlier. Heimdal’s data shows that 29% of AI-related OAuth grants are classified as “over-permissioned,” meaning they request more access than the declared functionality requires. A plugin that only needs to read file names might request full Files.Read; a Copilot extension that summarizes documents might also request the ability to delete them. The principle of least privilege, a cornerstone of cybersecurity, has dissolved in the face of user convenience.
OAuth and the Copilot Ingestion Engine
Microsoft Copilot presents a unique challenge because of its deep integration with the Microsoft 365 substrate. When an organization enables Copilot, it automatically begins indexing all content that a user has access to, building a semantic index that powers the AI’s responses. This indexing process respects existing access controls, but the moment a user interacts with Copilot, the AI can surface secrets that were previously hidden in plain sight.
Consider a scenario where a misconfigured SharePoint folder contains legacy passwords, or a long-forgotten Teams chat includes confidential merger talks. Because Copilot can compose answers by drawing on the entirety of a user’s accessible Microsoft 365 graph, it may inadvertently expose this information in a query response. The Heimdal report warns that without a comprehensive permissions audit, organizations are essentially handing an AI a flashlight and a map to their most sensitive data.
Furthermore, Copilot’s ability to generate new content—executive summaries, reports, analytics—creates fresh data that itself may contain sensitive aggregations. That data is then stored in SharePoint or OneDrive with default permissions that inherit from the user’s profile. Should that user have overly broad sharing settings, the AI-generated file could become accessible to external parties or the entire organization. The report documents an incident at a US healthcare provider where a Copilot-generated strategic plan, based on confidential patient outcome data, was accidentally shared to an all-company Teams channel because the auto-save location had “Everyone” permissions.
The Governance Gap
For IT and security teams on both sides of the Atlantic, the real anxiety stems not from the existence of these AI tools, but from the absence of effective governance. Traditional security tools such as data loss prevention (DLP) policies, conditional access rules, and cloud access security broker (CASB) filters were not designed to handle the speed and vector of AI interactions. A standard DLP rule scanning emails for credit card numbers is useless when Copilot can summarize a document containing that number and present it in a Teams chat without ever triggering an alert.
Heimdal’s survey of 500 IT security professionals reveals that 78% do not have a dedicated AI governance policy. Even among those that do, 62% admit they have not performed an audit of AI-related OAuth permissions in the last six months. Only 12% have implemented continuous monitoring for new AI app registrations in Entra ID. The majority still rely on periodic, manual reviews that cannot keep pace with the daily flood of new integrations.
The report highlights an alarming disconnect: while 89% of security leaders agree that “AI presents a significant new attack surface,” only 34% have allocated budget to address it. This underinvestment leaves organizations blind to what Heimdal dubs “permission sprawl”—a growing constellation of dormant but privileged OAuth tokens that represent a goldmine for threat actors.
What Security Teams Must Do
The situation is dire but not hopeless. Heimdal’s report lays out a five-step action plan for IT and security leaders to regain control:
- Perform an immediate, forensic OAuth audit. Start with a full inventory of all AI-related app registrations in Entra ID (and Google Workspace, if applicable). Tools like Microsoft’s own Entra Permissions Management or third-party solutions can speed this up. Identify every application that requests Mail.Read, Files.Read, or higher-tier scopes.
- Enforce least privilege. Revoke any permission not strictly necessary. For Copilot, this means auditing existing SharePoint and Teams permissions first, because Copilot’s output is only as secure as the underlying data access controls. The mantra: don’t let Copilot see what a user shouldn’t see.
- Implement an AI app approval workflow. Disable the default user consent flow for OAuth apps in Entra ID. Require admin pre-approval for any application that requests high-risk permissions. This simple change blocks the shadow-IT vector.
- Monitor continuously. Set up alerts for any new OAuth grant involving AI-related services. Use Microsoft Defender for Cloud Apps or a CASB to track unusual activity, for example a new Copilot extension accessing volumes of data outside normal business hours.
- Educate users. Employees are the primary vector for risky integrations. Teach them why blindly clicking “Accept” on an OAuth consent screen can open the floodgates. Gamify the reporting process; reward staff who flag suspicious permissions.
Heimdal recommends a 90-day sprint to baseline the AI permission landscape, followed by ongoing audits every 30 days. Firms that followed a similar cadence in a pilot program saw a 76% reduction in over-permissioned AI apps within the first quarter.
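The audit and least-privilege steps above can be run over an exported grant list, as in this added example (not taken from the Heimdal report or from Microsoft tooling). It assumes records shaped like Microsoft Graph oauth2PermissionGrant objects; the sample ids, the high-impact prefix list and the approved-scope map are constructed for illustration.

```python
import json

# Constructed sample shaped like Microsoft Graph oauth2PermissionGrant records.
# Every id below is a made-up placeholder, not a real tenant object.
SAMPLE_GRANTS = json.loads("""[
 {"clientId": "sp-pdf-summarizer", "consentType": "Principal",
  "principalId": "user-001", "scope": " openid profile Mail.ReadWrite"},
 {"clientId": "sp-meeting-notes", "consentType": "AllPrincipals",
  "principalId": null, "scope": "User.Read Calendars.Read"},
 {"clientId": "sp-doc-helper", "consentType": "AllPrincipals",
  "principalId": null, "scope": "Files.Read.All Files.ReadWrite.All"},
 {"clientId": "sp-chat-widget", "consentType": "Principal",
  "principalId": "user-002", "scope": "openid profile User.Read"}
]""")

# Assumption: scope families treated as high-impact (mail, files, calendar).
HIGH_IMPACT_PREFIXES = ("Mail.", "Files.", "Calendars.")

# Hypothetical output of an approval workflow: scopes each app was cleared for.
APPROVED_SCOPES = {
    "sp-meeting-notes": {"Calendars.Read"},
    "sp-doc-helper": {"Files.Read.All"},
}

def audit_grants(grants, approved):
    """Return one finding per grant that holds a high-impact delegated scope."""
    findings = []
    for grant in grants:
        # Graph stores delegated scopes as one space-separated string.
        scopes = set(grant.get("scope", "").split())
        risky = sorted(s for s in scopes if s.startswith(HIGH_IMPACT_PREFIXES))
        if not risky:
            continue
        excess = sorted(set(risky) - approved.get(grant["clientId"], set()))
        findings.append({
            "clientId": grant["clientId"],
            "high_impact": risky,
            "unapproved": excess,
            # "Principal" means the grant covers a single user, which is what
            # the end-user consent flow produces; "AllPrincipals" is tenant-wide.
            "per_user_consent": grant.get("consentType") == "Principal",
            "action": "revoke or review" if excess else "keep",
        })
    return findings

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS, APPROVED_SCOPES):
        print(finding)
```

Running the same function on each new export and comparing the findings against the previous run gives a simple form of the recurring audit described above.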
The Regulatory Laggards
Even as security teams scramble, governments are proving unable to keep up. The report notes that while the EU’s AI Act and the UK’s AI Safety Institute have made headlines, the practical enforcement mechanisms remain years away. In the United States, a patchwork of sector-specific rules—from the SEC’s proposed AI disclosure rules to Colorado’s AI consumer law—does little to address the OAuth permissions crisis. The UK’s approach, though more centralized, has yet to issue binding guidance on enterprise AI governance.
“Regulation is still thinking about AI as a product to be tested and certified, not as a set of digital credentials that can be exploited in real time,” the report states. “By the time a law is passed requiring a permissions audit, the adversary will have already exfiltrated the data.”
This regulatory vacuum forces the burden onto internal security teams. And while Microsoft has introduced some controls—such as Copilot’s ability to respect sensitivity labels and the recently-added “scope mode” that limits indexing to specific sites—the report argues that these are optional features that many organizations leave disabled. Without a mandate, good governance remains a choice, not a requirement.
A Call to Action
Heimdal’s research closes with a stark warning: the current trajectory is unsustainable. As AI becomes more embedded in Windows and Microsoft 365, the attack surface will only expand. Microsoft’s upcoming Copilot+ PCs, which embed AI directly into the operating system kernel, will introduce new permission models that security teams do not yet understand. And with every Windows 11 update, the integration between the desktop and cloud-based AI deepens.
The report calls on organizations to treat AI-related OAuth permissions as they would treat administrator passwords—with extreme care, constant auditing, and zero trust. It also urges Microsoft to more aggressively nudge customers toward secure configurations, perhaps by making mandatory permission audits part of the Copilot setup process.
For now, the message is clear: the permissions audit is not a nice-to-have; it is the single most important security exercise an IT team can undertake in 2026. The attack surface is real, it is growing, and it is already being exploited. The question is not whether threat actors will use AI apps to move laterally across your environment—it’s when, and whether you’ll be prepared to see it.