Is Your Company’s AI Use A Cybersecurity Gap?

July 15, 2026

AI has been rapidly integrated into the workplace, outpacing many drug, device, digital health, and life sciences companies’ security programs. Employees are using AI to summarize documents, draft emails, analyze data, support coding, answer customer questions, and improve internal workflows. Vendors are also embedding AI into platforms companies already use. The result is a cybersecurity gap: company personnel may not know when it is appropriate to use these tools, what data can be entered, or whether the tools are approved to handle sensitive information. Crucially, governance controls may not exist to address this gap. When it comes to AI use in the workplace, it is a matter of “when," not “if,” so presenting employees with properly managed AI tools subject to strong governance and training is crucial to closing this gap.

According to IBM and Ponemon Institute’s 2025 Cost of a Data Breach Report, 13% of organizations experienced breaches of AI models or applications. Of those organizations, 97% lacked proper AI access controls. Those AI-related breaches had real consequences: 60% led to compromised data and 31% led to operational disruption. n 2026, as AI use broadens, these numbers are likely to increase. While the absence of AI access controls presents significant risk, companies can meaningfully reduce their risk by adopting practical AI governance.

Addressing Cybersecurity, Confidentiality, and Privacy in AI Use

AI, privacy, and cybersecurity governance should be coordinated through rules, contract terms, technical settings, and review processes. These measures should include assigning responsibility for AI cybersecurity oversight, prescribing appropriate uses of AI, determining which AI tools may be used, and confirming which categories of company data may be shared with those tools.

For many companies, this is now an issue with significant privacy, confidentiality, intellectual property, and legal implications. For example:

  • If employees enter sensitive data into public or unapproved AI tools, this could lead to public models training on sensitive or non-public company data, including private information about patients, employees, or other stakeholders. Input data is then not only disclosed without protections or safeguards to the model provider, but even may be discoverable to users of these models. In some cases, intellectual property rights to data inputs may be directly impacted by the terms of service of the public or unapproved AI model.
  • If vendors handle company data without clear contractual limits or careful assessment of planned AI uses, particularly model training or service improvement, the arrangement could result in misuse of personal data subject to privacy-law restrictions and raise other confidentiality concerns. Future-proofing these contracts is important, because AI use may be on the horizon, even if not currently in scope.
  • Some software-as-a-service or other vendor solutions allow business teams or individual personnel to turn on or use AI features that could result in unauthorized use of sensitive company information, thereby bypassing the company’s controls or even the contractual safeguards promised in the vendor agreement, if any. In many cases, the vendor’s standard terms will place liability on the company for these missteps.

What Are Key AI Cybersecurity and Privacy Safeguards?

Cybersecurity and privacy concerns in AI use should not be viewed in isolation. AI-specific controls should be built alongside a comprehensive cybersecurity and privacy program (see also: Are You Prepared for a Cybersecurity Incident? and Cybersecurity and the FCA: Illumina Signals “No Breach” Enforcement Risks). Key AI-specific safeguards include strong contractual protections addressing data protection and AI-specific risks; risk assessments of internal activities and third-party vendors’ AI posture; policies and procedures; training; incident reporting and response plans; ongoing monitoring; and clear internal communication about approved AI use. Before using sensitive company data, including personal data, to train or improve AI models, the company should evaluate privacy risks and legal compliance. 

Why Does This Matter?

Drug, device, digital health, and life sciences companies typically handle sensitive data across many systems, including patient information, consumer health data, employee information, customer data, product files, source code, quality records, intellectual property, and confidential commercial information.

That data environment makes AI access controls especially important. According to IBM and Ponemon, the average cost of a healthcare data breach in the United States was $7.42 million. Even when HIPAA does not apply, the same types of sensitive information may still create privacy, contractual, regulatory, operational, intellectual property, and reputational risk. If an AI tool can access that data, or if employees can place that data into an AI tool, the company should understand and control that access before an incident occurs. 

What Should Companies Do Now?

Companies should treat AI access controls as an integral part of their cybersecurity program. Practical steps include:

  • Inventory approved and unapproved AI tools used by employees, vendors, products, and business teams.
  • Limit AI access based on role, business need, and data sensitivity.
  • Prohibit PHI, sensitive personal information, source code, confidential business information, and regulated product information from being entered into unapproved AI tools.
  • Review vendor contracts for AI use, training rights, data retention, subcontractors, security incidents, and customer data restrictions.
  • Monitor for shadow AI and periodically audit approved AI tools.
  • Implement or update incident response plans to address AI-related events, including unauthorized access and vendor AI incidents.

How Gardner Law Can Help

If you have questions about AI access controls, cybersecurity governance, vendor security terms, incident response planning, HIPAA, state privacy laws, or AI governance programs, contact Gardner Law. Our attorneys help drug, device, digital health, and life sciences companies develop practical privacy, cybersecurity, and AI governance frameworks.