One cybersecurity services firm’s 2025 customer platform data uncovers policy violations, shadow AI persistence, cloud malware shifts.

Based on a data analysis of its user base metrics* in 2025 on financial services risk, a cybersecurity services firm has shared some internal findings on generative AI (GenAI) adoption, personal cloud use, malware delivery, and policy-violation exposure with the media.

First, regulated data for 2025 had dominated data-policy violations across both GenAI and personal applications, with compliance-sensitive financial and customer information remaining central to the risk profile.

Second, AI adoption had expanded while organizations in the user base had shifted from personal to managed tools, though overlap between personal and enterprise usage had continued to leave shadow IT/AI risk in place.

Other findings

Third, AI use among the client organizations in the data had become more embedded through direct use and API integrations, which had increased the complexity of enforcing consistent security controls. Also:

  • Data showed that attackers had increasingly used legitimate cloud platforms to distribute malware.
  • Personal applications had continued to create additional paths for data leakage outside controlled environments.
  • The central issue for organizations remains the protection of regulated and sensitive financial data. In data, GitHub was the most abused platform for malware distribution, impacting 11% of organizations in the customer base, followed by Microsoft OneDrive at 8.2%.
  • The 2025 data showed a shift in attacker tactics, where adversaries increasingly relied on trusted cloud infrastructure rather than suspicious domains to host and deliver malicious content. For financial institutions, this makes detection more challenging, as malicious activity can closely resemble legitimate cloud-hosted traffic.

According to the analysis by Netskope, the findings point to general recommendations to review HTTP/HTTPS traffic to prevent malware infiltration; to tighten app access to data via zero trust and privilege access management; to bolster data loss management protocols; and to deploy remote browser isolation to safeguard against browsing websites that fall into categories that can present a higher risk, like newly observed and newly registered domains.

*Disclosed as anonymized usage data collected by the firm’s customer platform relating to a subset of customers in the financial services sector with prior authorization, from the period from 1 February 2025 through 28 February 2026. Stats reflect attacker tactics, user behavior, and organization policy.