The pharmaceutical industry is rapidly embracing artificial intelligence (AI) for tasks ranging from drug discovery to clinical data analysis. But according to a new study by Kiteworks, this adoption is happening without adequate safeguards. Only 17% of pharmaceutical companies have implemented automated controls to prevent sensitive data from leaking into AI tools. That leaves a staggering 83% operating with minimal or no technical defenses.
Instead of using robust security technologies, many firms still rely on human-led approaches. Forty percent depend on employee training and occasional audits. Another 20% issue warning emails without follow-up. Worse still, 13% have no policies on AI usage at all. This reliance on human memory and good intentions is risky, especially in a high-pressure environment where researchers are increasingly turning to tools like ChatGPT or Claude to accelerate their work.
What's Really Being Exposed
The nature of data being fed into AI tools makes the risk especially acute. Twenty-seven percent of life sciences organizations report that over 30% of their AI-handled data includes sensitive or private content. For pharmaceutical companies, this means proprietary molecular structures, unpublished clinical trial results, trade-secret manufacturing protocols, and even protected patient health information are potentially being exposed.
These exposures are not easily reversible. Once data is fed into an AI model — especially a publicly available one — it may become part of that model’s memory, resurfacing later in unpredictable ways. Even anonymized data can leave digital footprints that risk violating privacy laws or revealing intellectual property.
The Compliance Challenge
Despite these risks, most pharmaceutical companies remain unaware of the regulatory danger. Only 12% of organizations list compliance violations among their top AI concerns. But regulatory scrutiny is rising fast. In 2024 alone, U.S. agencies issued 59 AI-related regulations — more than double the number from the previous year. Stanford’s AI Index highlights the tightening of rules worldwide.
Pharmaceutical firms that use public AI platforms to process protected data may already be breaching HIPAA, FDA regulations, and GDPR. Shadow AI usage — where employees use unsanctioned tools without company oversight — compounds the issue. Many organizations lack visibility into which applications their staff use or what data is shared.
Why Pharmaceutical Companies Are Particularly Vulnerable
The pharmaceutical ecosystem is deeply interconnected, relying on CDMOs, CROs, universities, and vendors. Every partnership adds potential AI exposure points. Verizon’s recent report found third-party breaches have doubled in frequency.
Pharma data is also uniquely valuable. A proprietary molecule, clinical dataset, or manufacturing protocol can be worth billions. Yet, researchers often use consumer AI tools for tasks like literature review or adverse event analysis, unintentionally uploading trade secrets to platforms outside company control.
Path Forward: Building Real Protection
The solution lies in automating AI security. Companies must implement systems that classify and block sensitive data in real time before it leaves the corporate environment. Continuous monitoring across all AI interactions — including cloud and shadow IT — is essential.
AI data gateways, for example, can scan outgoing information for risks and prevent unauthorized sharing. Governance platforms can track AI usage across teams and vendors, closing visibility gaps and reinforcing compliance.
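To make the gateway idea concrete, here is an added illustration (not Kiteworks' product or any vendor's code) of the core check such a gateway performs on an outbound prompt: a small, hypothetical detector policy that blocks prompts carrying patient identifiers or classification markings and redacts lower-risk identifiers before anything reaches an external AI API. The detector patterns and the three actions (allow, redact, block) are assumptions for the example, not a complete PHI or trade-secret ruleset.

```python
import re
from dataclasses import dataclass, field

# Hypothetical gateway policy: (label, pattern, action). The patterns are
# illustrative only; a production gateway would use a full classifier and
# the organisation's own data-labelling scheme.
DETECTORS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "block"),
    ("mrn", re.compile(r"\bMRN[:\s#]*\d{6,}\b", re.I), "block"),
    ("dob", re.compile(r"\bDOB[:\s]*\d{1,2}/\d{1,2}/\d{4}\b", re.I), "block"),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "redact"),
    ("classification_tag",
     re.compile(r"\b(CONFIDENTIAL|TRADE SECRET|INTERNAL ONLY)\b"), "block"),
]

@dataclass
class Verdict:
    action: str                       # "allow", "redact" or "block"
    findings: list = field(default_factory=list)  # (label, hit count) for audit log
    text: str = ""                    # what may be forwarded; empty when blocked

def inspect_prompt(prompt: str) -> Verdict:
    """Classify an outbound prompt before it leaves the corporate boundary.

    Any block-class hit stops the whole prompt; otherwise redact-class hits are
    masked in place and the remainder is allowed through. Findings are returned
    so the gateway can log them for the continuous monitoring the text calls for.
    """
    findings = []
    action = "allow"
    text = prompt
    for label, pattern, policy in DETECTORS:
        hits = list(pattern.finditer(prompt))
        if not hits:
            continue
        findings.append((label, len(hits)))
        if policy == "block":
            action = "block"
        elif policy == "redact" and action != "block":
            action = "redact"
            text = pattern.sub(f"[{label.upper()} REDACTED]", text)
    if action == "block":
        text = ""  # nothing is forwarded; the user is told why
    return Verdict(action, findings, text)

if __name__ == "__main__":
    # Constructed sample prompts, not real data.
    for p in ["Summarize this review of kinase inhibitors",
              "Patient MRN 00123456, DOB 03/14/1971 reported an adverse event",
              "Draft a reply to j.doe@example.org about the batch record"]:
        print(inspect_prompt(p))
```

The same check can sit in a proxy in front of every sanctioned AI endpoint so that shadow-AI traffic is either routed through it or denied at the network egress.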
Pharmaceutical companies face a growing AI security crisis. With 83% lacking fundamental protections and incidents rising 56% in one year, the current model of policies and training is no longer enough. Without immediate action, companies risk losing intellectual property, facing regulatory fines, and eroding public trust. The industry must act now — not after the next AI-driven data leak hits the headlines.
(Sources: Kiteworks)