
Employees aren’t waiting for IT’s permission to use AI. They’re connecting ChatGPT plugins, Grammarly, Notion AI, and dozens of other tools directly to work accounts. In many cases, they are uploading sensitive company data to third-party servers that nobody in the security stack has reviewed. For MSPs, this quiet data leakage has become a rapidly growing risk.
“ChatGPT, Grammarly, Notion AI, Copilot, Gemini, and other services are already well embedded in the workplace through personal accounts,” says Kadan Stadelmann, Chief Technology Officer and Co-Founder of Compance.AI. “As a result, they are expanding the organization’s attack surface. It is not uncommon for employees to paste sensitive data directly into these apps, routing proprietary information to third-party servers.”
What makes the problem so difficult to police is that it doesn’t look like an attack. In fact, it isn’t an attack at all.
Al Tristan, Founder and CEO of T-Tech Inc., describes the pattern plainly: “An employee pastes a client contract into ChatGPT for a quick summary. Someone runs quarterly numbers through an AI plugin. A salesperson connects an AI notetaker to their email. Nobody approved any of it, and all of it is sending company data to servers the business has no control over.”
For a law firm or medical office, he notes, “that’s a breach nobody has noticed yet” — and potentially a HIPAA violation waiting to happen.
The hidden growth of AI tool sprawl
Multiply those habits across an entire organization and the scale becomes clear.
For example, Stadelmann describes what a typical day looks like: “ChatGPT, Outlook, Notion—or a similar workspace tool with AI features enabled—Zapier, Make.com, and other automation tools can gain access to sensitive information as employees incorporate them into personal workflows. Imagine this effect spread across an entire organization.”
Nirwan Dogra, a Senior Software Engineer at Microsoft Security, describes the shift in supply-chain terms that MSPs have managed for years.
“The supply-chain security problem has shifted from ‘what packages are in your code’ to ‘what AI services are in your workflow?’
“Every AI plugin an employee connects becomes a new third-party dependency. API keys, OAuth tokens, and sensitive data may then flow to servers you’ve never audited.”
He sketches out a typical SMB employee’s morning: an email drafted in Grammarly, meeting notes summarized in Notion AI, client names and strategy documents processed externally, code pasted into ChatGPT with proprietary logic and API keys exposed, and a scheduling plugin sharing an entire calendar and contact list.
“By 10 AM,” Dogra says, “employees have sent sensitive data to four third-party AI backends that security teams never included in any security assessment.”
Why visibility is the biggest challenge
Sai Joshitha Kathari, a Senior Site Reliability Engineer working across cloud infrastructure and cybersecurity-focused operational workflows, says the visibility problem goes far beyond the obvious tools.
“The risk is not only that employees use ChatGPT, Grammarly, Notion AI, or browser extensions,” she says. “The bigger issue is that sensitive context can move quietly through prompts, plugins, copied logs, tickets, documents, screenshots, and integrations. In some cases, this happens before security teams even know the tool exists.”
Meanwhile, as AI adoption grows, organizations often struggle to understand where data is flowing and which applications have access to it. That makes risk management significantly more difficult than with traditional software deployments.
How MSPs can help clients govern AI use
So how should MSPs combat this growing threat? The consensus among these experts starts with the same word: inventory.
“For MSPs and security teams, the first step is inventory—browser extensions, OAuth-connected apps, SaaS integrations, endpoint telemetry, and unusual data movement,” Kathari says.
“The next step is classification: Which tools touch customer data, source code, credentials, internal tickets, or regulated information?”
Additionally, she recommends maintaining approved AI tool lists, establishing data-handling rules, enabling logging, conducting access reviews, and providing employee training that clearly explains what should never be pasted into AI tools.
Her summary is one worth using in client conversations: “AI tool sprawl should be treated like SaaS sprawl. It also creates significant data-loss risk.”
Dogra offers MSPs a practical starting checklist:
- First, maintain a living inventory of AI integrations. Track what data flows where, what permissions have been granted, and which OAuth scopes are active.
- Second, audit the Microsoft 365 or Google Workspace admin console for third-party app consents on a weekly basis. “A single plugin with ‘read all emails’ scope is a data exfiltration vector hiding in plain sight,” he says.
- Third, monitor network-level DNS traffic for AI API endpoints such as OpenAI, Anthropic, and similar services. Use the same approach you would for suspicious command-and-control traffic.
- Finally, establish a clear list of approved AI tools. “The goal isn’t zero AI,” Dogra says. “It’s governed AI.”
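A minimal sketch of checklist items two through four, added here as an illustration and not taken from Dogra or any vendor tool: it flags OAuth grants that are unapproved or carry high-risk scopes, and lists internal clients resolving AI API hostnames. The CSV export layout, DNS log layout, app names and approved list are constructed assumptions.

```python
import csv
import io

# Assumed policy inputs (hypothetical; substitute the client's approved list).
APPROVED_APPS = {"Contoso Notes AI"}
# Delegated scopes that expose mail, files or contacts to the app.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Contacts.Read",
    "https://www.googleapis.com/auth/gmail.readonly",
}
AI_API_SUFFIXES = ("openai.com", "anthropic.com")

# Constructed sample of a consent export: one row per app/user grant.
GRANTS_CSV = """app,user,scopes
Contoso Notes AI,alice@example.com,User.Read
QuickSummarize Plugin,bob@example.com,User.Read Mail.Read offline_access
MeetingScribe,carol@example.com,User.Read
"""
# Constructed resolver log: timestamp, client IP, queried name.
DNS_LOG = """2024-05-01T09:02:11Z 10.0.0.21 api.openai.com
2024-05-01T09:02:15Z 10.0.0.21 login.microsoftonline.com
2024-05-01T09:03:40Z 10.0.0.37 API.Anthropic.com.
2024-05-01T09:04:02Z 10.0.0.44 api.openai.com.example.net
"""

def audit_grants(csv_text):
    """Return (app, user, approved, risky_scopes) for grants needing review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        risky = sorted(set(row["scopes"].split()) & HIGH_RISK_SCOPES)
        approved = row["app"] in APPROVED_APPS
        if risky or not approved:
            findings.append((row["app"], row["user"], approved, risky))
    return findings

def ai_dns_clients(log_text):
    """Map client IP -> AI API hostnames it resolved (label-boundary match)."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, name = parts[1], parts[2].rstrip(".").lower()
        if any(name == s or name.endswith("." + s) for s in AI_API_SUFFIXES):
            hits.setdefault(client, set()).add(name)
    return hits
```

Matching on a dot-delimited suffix rather than a substring keeps a name such as `api.openai.com.example.net` from being counted as AI API traffic.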
Governance, not bans
Stadelmann says MSPs need to “govern, map, measure, and manage” their clients’ AI tools. He recommends building risk matrices that weigh data leakage potential against business impact.
For organizations just getting started, he recommends AI sandboxes for safe experimentation. He also suggests decentralized or federated AI models for clients that need to keep sensitive data local.
However, the hardest lesson for MSPs to deliver may be about enforcement.
According to Tristan, outright bans simply don’t work.
“Tell people to stop and they just do it on their phone instead.”
His advice is straightforward:
“What actually works is giving them a safe tool that does the same job without shipping data outside. Then you can set a rule people will follow.”
This post originally appeared on Smarter MSP.

