Generative AI (GenAI) is no longer a futuristic concept—it’s a daily engine for productivity. From software engineers writing code to financial analysts synthesizing market trends, GenAI is helping employees move faster than ever.
However, this rapid adoption often outpaces security protocols, leading to shadow AI. When employees use unapproved AI tools or feed sensitive corporate data into public large language models (LLMs), they inadvertently put their organizations at risk. Even when using sanctioned tools, firms face significant internal data leakage risks if permissions are not strictly governed. For example, a tool such as Microsoft Copilot might surface sensitive files, such as HR records, to any employee due to SharePoint misconfigurations.
We recently spoke with security leaders from two financial services firms—a cutting-edge Fintech firm and a high-stakes hedge fund—to discuss how they are balancing the drive for innovation with the urgent need for data security. Both organizations are leveraging Proofpoint Data Security to secure their journey into the world of GenAI.
The productivity engine: how GenAI is transforming finance
For both firms, GenAI has moved from the experimental phase to a core operational tool.
At the Fintech firm, the impact is felt most heavily in engineering and security. "Our developers are using GenAI for secure code development," says their Security Manager. "They aren’t just writing code; they are researching vulnerabilities to harden our applications from the start." The security team has even trained Copilot on internal documentation to troubleshoot faster without opening support cases.
At the hedge fund, where information is the primary currency, GenAI is a force multiplier for research. "Our researchers generate and vet investment ideas by synthesizing information from dozens of sources," explains their CISO. "A financial analyst who used to spend a week collecting data can now do it in a day. Creation of internal apps used to take a month but takes only a week now with AI."
The dark side: GenAI and data loss risks
The same tools that drive efficiency also create significant "blind spots." Both firms identified shadow AI—the use of unauthorized AI applications—and data exposure by sanctioned AI tools such as Copilot as their top security risks.
"In our initial testing, we found that if OneDrive isn’t perfectly configured, Copilot can expose sensitive projects that were meant to be confidential. We also found 13,000 third-party applications connected to our M365 tenant, including AI-enabled apps like Alexa," noted the Fintech Security Manager. "The risk of a 'careless insider' oversharing confidential data is our biggest concern."
The hedge fund faces a similar supplier risk with AI-enabled tools and applications. "We see AI being 'baked in' to everything—from Grammarly to command-line research tools," says their CISO. "Application integrations can pull data out of our environment into the supplier environment for processing. If access controls aren't independent and strict, AI can expose data that it should not."
Balancing innovation with security: the Proofpoint Data Security solution
Both firms realized that a "total block" on AI was unsustainable. Instead, they turned to Proofpoint to create a "safe space" for innovation.
1. Visibility and governance
The hedge fund established an AI oversight committee—comprising legal, IT, security, and data science teams—to review AI risk holistically. They leveraged frameworks from NIST and OWASP to set the standard, but they relied on Proofpoint for the visibility needed to enforce those standards.
2. Adaptive data controls
The Fintech firm initially blocked public AI tools at the network layer but soon moved to a more nuanced approach. "For employees who need exceptions, we use Proofpoint Endpoint DLP and ITM," says the Security Manager. "We can actually redact sensitive data within prompts in real-time and monitor for risky behaviors using screen capture."
The hedge fund uses Proofpoint Managed Services to help with the heavy lifting. Proofpoint analysts escalate DLP incidents to the fund’s internal team based on specific business requirements, ensuring that the security team focuses only on the highest-risk data movements.
3. Human-centric security
Both organizations agree that technology alone isn't the answer.
- The Fintech firm is rolling out Proofpoint ZenGuide for security awareness training, specifically targeting users who receive exceptions to use public GenAI tools like Gemini and Grok.
- The hedge fund is educating business units on how their specific processes fit into security frameworks, changing behaviors before they become security incidents.
The bottom line: security comes first
While the benefits of AI are undeniable—shorter development cycles, faster incident response, and more informed investment strategies—both firms remain clear-eyed about the stakes.
"Security comes first," concludes the Fintech Security Manager. "Cutting-edge applications do no good if we fall prey to ransomware because we exposed our source code online."
By partnering with Proofpoint, these financial leaders are ensuring that their move toward GenAI is not a leap into the dark, but a calculated, secure and highly productive step forward.
Learn more
Want to learn more about how to secure GenAI in your organization? Explore Proofpoint’s AI-Ready Data Security solutions here.