Security Report

F5 Insider AI Threat Report 2025

ReportMonitor
F5 Insider AI Threat Report 2025
This report reveals that internal AI usage is accelerating far faster than organizational policy and oversight, creating a growing insider risk where employees at all levels routinely use AI in ways that can expose sensitive data and create compliance gaps. It calls for expanded AI security that covers people, behaviors, and technical controls and highlights urgent needs for clear policy, industry-specific risk modeling, and guardrails across SaaS, cloud, edge, and self-hosted environments. #F5 #InsiderAI

Keypoints

  • Typical annual cybersecurity report structure: executive summary and key findings, an introduction framing the threat landscape, role- and industry-specific analyses, data visualizations and statistics, methodology, and a conclusion with actionable recommendations and next steps.
  • Executive summary and introduction sections generally explain the central thesis—here, that AI adoption outpaces governance—and set the tone for urgency and organizational risk prioritization.
  • Role-based chapters (C-suite, mid-level, entry-level, security, IT) describe adoption behaviors, awareness gaps, and governance implications for different employee cohorts and usually include targeted recommendations for each audience.
  • Industry-focused sections (finance, healthcare, IT/telecom, security) analyze sector-specific use cases, regulatory exposures, and compliance risks, often with tailored mitigation guidance for highly regulated environments.
  • Methodology and data sections specify sample size, demographics, and survey dates to establish the rigor and representativeness of findings; this report surveyed 1,002 full-time U.S. office workers, ages 25–65, June 11–17, 2025.
  • Key statistics: 45% of employees say they trust AI more than co‑workers, 38% would prefer an AI manager, and 34% would quit if denied AI at work—indicating AI’s influence on morale and retention.
  • Insider risk metrics: 52% of employees are willing to use AI against company policy, 28% have used AI to access sensitive data or documents, and over half of finance workers report knowingly bypassing AI rules—showing concrete policy violations are occurring.
  • C-suite findings: 67% of executives would use AI if it made their job easier even against policy, 66% are very confident IT would detect an AI-led breach, and 58% trust AI more than co-workers—highlighting a leadership confidence-to-fluency gap that risks poor governance choices.
  • Entry-level findings: 37% wouldn’t feel guilty breaking AI protocol, 33% don’t know what an AI agent is, and 30% don’t care about AI policy—underscoring low awareness, high reliance, and a vulnerable cohort for inadvertent data exposure.
  • Sector highlights—Finance: 60% of finance/banking employees use AI even when it violates policy and 36% feel no guilt, creating acute compliance and audit risks in tightly regulated workflows.
  • Sector highlights—Healthcare: only 55% say they know and follow AI policy (the lowest among regulated industries), and many use AI for documentation and admin tasks, raising privacy and HIPAA-style exposure concerns when patient data intersects with generative models.
  • Sector highlights—Security teams: 58% of security workers trust AI more than colleagues, 48% say AI policy is unclear, and 42% would break policy if AI made work easier—indicating defenders are also participants in risky behavior and policy drift.
  • Sector highlights—IT and telecom: very high confidence and adoption (92% believe a leak would be detected by IT, 78% say they can distinguish AI agents from virtual employees), but this confidence may mask normalization of risky prompt behavior and overreliance on informal controls.
  • Notable trends: AI is transitioning from a tool to a trusted workplace actor, adoption is driving behavior change faster than policy updates, and misaligned incentives (productivity vs. security) are pushing employees to bypass controls.
  • Major threats and evolving techniques: internal misuse of generative AI prompts with proprietary or sensitive data, automated exfiltration or summarization of sensitive documents, and policy-evading workflows that create persistent blind spots for detection.
  • Shifts in the landscape: insider-driven incidents are emerging as a primary vector in the AI era, leadership misunderstanding increases governance risk, and sector-specific regulatory exposure amplifies potential legal and reputational harm.
  • Recurring themes: misplaced confidence in detection capabilities, low policy awareness among younger/entry-level staff, a governance gap at the executive level, and the need for policies that reflect real employee behavior rather than prohibitive or outdated rules.
  • Impactful takeaways: organizations must treat AI security as people + process + technology; technical controls alone are insufficient—effective mitigation requires clear policies, role-based training, industry-specific risk modeling, behavioral guardrails, and monitoring across SaaS, cloud, edge, and self-hosted environments.
  • Actionable recommendations typically emphasized: update and communicate clear AI use policies, invest in detection and auditing for AI-driven data flows, conduct role- and industry-tailored training, model regulatory risk per sector, and deploy runtime protections that secure generative AI interactions wherever they run.
F5-Insider-AI-Threat-Report-2025 
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)

Download Report from Github