The silent heist

by Mark Rowe

AI model exfiltration is letting your company’s brain walk out the door, says Leslie Nielsen, CISO at the email and data governance platform Mimecast

Organisations have spent years building intellectual capital, from customer insights and operational processes to competitive strategy. Now, they are feeding all of it into AI. Internally trained models are rapidly becoming the most concentrated store of corporate knowledge many businesses have ever created, and arguably the least protected asset on the network.

Forty-two per cent of organisations have reported a rise in insider threats over the past year, both malicious and negligent, yet most security approaches are still built around a traditional view of loss: files copied, databases exported, emails forwarded. That model no longer reflects how work actually happens. Today, knowledge is fluid, cumulative, and shaped through everyday interactions with AI systems. The result is a new kind of exposure, one that is harder to detect, harder to measure, and far quicker to exploit.

You cannot govern what you cannot see

Before organisations can address AI model exfiltration, they need to confront a more fundamental problem: most cannot see what is happening. Fifty-nine per cent of organisations say they cannot quickly locate or retrieve their own communications data, and that is a serious problem when you consider what is actually being put into those tools. Four per cent of prompts entered into AI tools contain personally identifiable information, and 20 per cent of uploaded files include sensitive data. Most security teams are monitoring what goes into AI systems. Very few are tracking what comes out, where it travels, or what form it takes by the time it leaves. Without that visibility, governance is guesswork.

The instinct to respond by banning unapproved tools is understandable, but it does not work. Employees route around controls when security makes legitimate tools inaccessible, and the organisation loses visibility entirely. The better approach is to see first, allow legitimate use cases, and stop the genuinely risky ones, in that order. Visibility into what tools are in use and what data is flowing into them. Guardrails built into the workflow, not bolted on after the fact. Friction applied at the point of actual risk, not in a quarterly training session employees have already forgotten.

A new kind of asset requires a new kind of protection

When an employee builds or fine-tunes an AI model on internal data, that model becomes a vessel for everything the business knows. It is institutional knowledge in exportable form, packaged into a single artefact that can be copied, transferred, or reverse-engineered in seconds. Yet model governance rarely appears in data classification frameworks. Eighty per cent of businesses are concerned about sensitive data leaks via generative AI, but most security teams monitor only the data going in, not the model that results. Organisations need to extend data loss prevention policies to cover the models themselves. By the time one is built and deployed, it contains everything proprietary the business knows, packaged and ready to walk.

That is what makes AI model exfiltration so dangerous. It does not look like traditional theft. There is no file transfer to flag, no database query to audit. The loss is silent, and by the time it surfaces, the competitive damage may already be irreversible.

The communications blind spot

The platforms where most organisational knowledge now lives are precisely the ones hardest to monitor. Collaboration platforms like Microsoft Teams and Slack have become primary spaces where decisions are made and expertise is shared, and they are also among the most active exfiltration channels, with 71 per cent of organisations expecting negative business impact from attacks through them. Copy-pasting proprietary content into generative AI tools has become one of the most common ways corporate data leaves enterprise control, and it is one that legacy DLP tools were never built to catch. Centralised archiving and real-time behavioural monitoring across these platforms are no longer optional.

Governance that reflects how knowledge actually works

Sixty-six per cent of organisations believe employees struggle to use data safely while remaining compliant, not out of malice, but because the gap between policy and day-to-day behaviour has grown too wide. Off-boarding processes and data classification frameworks were built for a different era. They rarely account for how AI models are trained or who holds access to them. When someone leaves, that knowledge does not just walk out in their head. It can leave embedded in a model they built on company time. Human risk needs to be embedded into AI governance from the outset. Static policies written once and revisited annually will not close this gap. The controls have to live in the workflow, present at the point of risk.

The stakes

The corporate brain has always walked out the door in the heads of departing employees. The difference now is that it can be packaged, compressed, and exfiltrated in seconds. And the organisation may never know it happened.

Treating AI models as IT artefacts rather than strategic assets is a bet most businesses cannot afford to make. The exposure is real. The detection gap is significant. The window to act is narrowing. The silent heist is already under way. The question is whether your security strategy is built to see it and stop it.
