A new report from Moody’s Ratings highlights rising concerns about the risks linked to weak controls around artificial intelligence (AI) use at work. The study, based on a survey of nearly 2,000 global organizations rated by Moody’s, shows that many companies lack clear rules to manage how employees use AI tools like chatbots. This gap poses serious threats, including data breaches, loss of intellectual property, and damage to reputations.
Despite AI becoming a common part of daily life and business, the report reveals that about 22% of respondents have no policies stopping staff from sharing sensitive company information with public AI platforms like ChatGPT or Google’s Gemini. This issue is especially pronounced in the Asia Pacific region, where 35% of organizations have yet to set such restrictions, compared to just 20% in North America. Local governments appear most at risk, with only 48% having guidelines in place. On the other hand, non-financial companies lead the pack, with 78% adopting these policies.
Moody’s warns that sharing confidential information with public AI tools can unintentionally expose data to outsiders, possibly breaking internal rules or confidentiality agreements. Since some AI tools learn from user inputs, sensitive information could be retained, increasing vulnerability to leaks. The fallout of these exposures could range from cyberattacks to severe reputational harm.
The report also notes that cyberattacks have been more frequent over the past decade than ever before, though they dipped somewhat after peaking in 2020. So far, victims have generally had the resources to manage these attacks, with only 25 credit rating changes linked to cyber issues reported across 16 issuers. But Moody’s cautions that as new technologies like generative AI and quantum computing grow, cyber threats will become stronger, and the costs of dealing with attacks will rise.
Another major concern is the risk coming from third-party software suppliers. Many companies rely on a complex web of vendors but often do not properly review those vendors’ cybersecurity measures. This opens the door for supply chain attacks, where hackers compromise one vendor and gain access to many organizations within its network. Alarmingly, 14% of survey respondents said they never check their software suppliers’ security, and fewer than two-thirds perform annual reviews. Certain sectors, such as healthcare and education, show even lower rates of scrutiny.
In response, more organizations now require vendors to carry cyber insurance if they access internal IT systems. Yet, gaps remain in basic defenses. Only 78% of issuers back up data daily, leaving a significant 22% without any backup scanning—a major cyber hygiene flaw. Multi-factor authentication (MFA), praised for blocking 99.9% of account attacks, is enforced in only 75% of cases, often limited to remote access, leaving other systems exposed.
There is some good news on governance. More senior cybersecurity managers now report directly to top executives, improving focus on cyber risks. The percentage of cybersecurity staff reporting to CEOs or CFOs rose to 28% in 2025, up from 15% in 2023.
Moody’s survey covered five sectors: corporate, financial services, infrastructure, healthcare and education, and local governments. It looked at how these groups handle cyber risk in areas like governance, operations, insurance, and AI use. The findings underline that while some progress is happening, many organizations still have a long way to go to protect themselves in a world where cyber threats and AI risks are growing every day.