The pharmaceutical industry is at a dangerous crossroads. While companies are competing to leverage artificial intelligence for drug discovery, clinical trial optimization and manufacturing efficiency, new industrial research by Kiteworks reveals shocking truths. This means that 83% of pharmaceutical companies, including many contract development and manufacturing organizations (CDMOs), operate without basic technical safeguards.
A report examining 461 cybersecurity, IT, risk management and industry-wide compliance experts reveals critical disconnects about what pharmaceutical executives believe in AI security and what happens on the ground. The findings are consistent with Stanford’s 2025 AI Index Report, recording a 56.4% increase in AI-related security incidents in just one year. In an industry where a single leaky molecular structure can destroy billions of research investments, this gap is not just a security concern, but an existential threat to competitive advantage and regulatory compliance.
Pharmaceuticals AI Security Status: Reality Check
The numbers draw a plain picture of pharmaceutical AI security. A study by Kiteworks shows that the majority of organizations rely on dangerously insufficient measures to protect their data from AI exposure. At the top of the security pyramid, only 17% of people with technology that automatically blocks unauthorized AI access scans sensitive data and is the minimum for protection in today’s environment.
The remaining 83% relies on an increasingly unreliable, human-centered approach. 40% rely on employee training sessions and regular audits, essentially wanting staff to remember and follow the rules when working under pressure. Another 20% will send you a warning email regarding your use of AI, but do not check your compliance. 10% simply issue guidelines, while the surprising 13% have no policy at all.
This security breakdown is particularly surprising given the unique pressures facing pharmaceutical researchers. Under constant pressure to accelerate drug development timelines, scientists regularly rely on AI tools to provide rapid analysis, literature reviews, and data interpretation. The Varonis 2025 Data Security Report strengthens this concern, finding that 99% of organizations have sensitive data that is at risk to AI tools, and 90% have sensitive files that are accessible only through Microsoft 365 Copilot. Medicinal chemists can upload their own molecular structures to gain insight into potential drug interactions. Clinical data analysts can paste patient outcomes into an AI platform to identify patterns. Each action creates a permanent risk exposure that is intentional, but irreversible.
What’s really exposed
A Kiteworks survey found that 27% of life organizations admit that more than 30% of AI-processed data contain sensitive or personal information. In the pharmaceutical context, this represents a catastrophic level of exposure, including the industry’s most valuable assets.
Think about what medicine employees share with their AI tools every day. It took millions of dollars for a unique molecular structure to develop, which cost millions of dollars, for rapid structural analysis. Unpublished clinical trial results that could create or break the chance of drug approval will be pasted into a chatbot for summary generation. A manufacturing process where trade secrets are protected so that they flow into AI systems when quality teams are seeking suggestions for process optimization. Patient health information superficially protected under HIPAA enters public AI platforms when researchers request help with adverse event analysis.
The permanence of this exposure cannot be exaggerated. Unlike traditional data breaches, where companies can change passwords or revoke access, information absorbed into AI training models is permanently incorporated. As detailed in research on the risk of AI data leakage, pharmaceutical companies face their own vulnerabilities that allow AI systems to inadvertently retain and expose sensitive information such as patient identifiers, diagnosis, or unique molecular structures, even from models that appear to have properly sterilized sensitive information, such as patient identifiers, diagnosis, or unique molecular structures.
Compliance Challenge
For pharmaceutical companies, the regulatory implications of uncontrolled AI use create a complete storm of compliance. A Kiteworks report found that only 12% of organizations list non-compliance amid AI concerns. This is a dangerous blind spot considering the accelerated enforcement of regulations. Stanford’s AI Index Report confirms this regulatory spike, recording that in 2024, 59 AI-related regulations were issued by US federal agencies, with more than 25 times the number issued in 2023.
Current practices violate several regulatory requirements simultaneously. HIPAA requires a comprehensive audit trail for all electronically protected health information (EPHI) access, but businesses cannot track what flows into shadow AI tools. FDA’s 21 CFR Part 11 requires systems that process clinical data, standard verified systems and digital signatures that public AI platforms cannot meet. GDPR requires the ability to delete personal information on requests, but it cannot retrieve or delete data built into the AI model.
The enforcement environment continues to tighten around the world, with Stanford reporting a 21.3% increase in AI legislative mentions in 75 countries. These are not suggestions. They hold executives substantial penalties and potential criminal liability. When regulators request documents for AI use during an audit, “We didn’t know” is a negligence approval rather than a defense.
Traditional approaches to compliance (policies, training, regular reviews) are fully envisaged in the context of AI. Shadow AI uses are often outside of corporate visibility on personal devices that access consumer AI services. Varonis’ report found that 98% of companies use applications that are not authorized by their employees, with each organization using an average of 1,200 unofficial apps. By the time the compliance team discovers violations, sensitive data has already been permanently absorbed into AI systems.
Why are pharmaceutical companies particularly vulnerable?
Modern drug development includes extensive partnerships with CDMOs, contract research institutions (CROs), academic institutions, and technology vendors. Each partner could potentially introduce new AI tools and security vulnerabilities. Verizon’s latest data breach investigation report found that third-party involvement in data breaches doubled from 15% to 30% in just one year.
Pharmaceutical intellectual property holds extraordinary value and is an attractive target. A single molecular structure can represent a billion dollar drug opportunity. Clinical trial data determines the success or failure of the market. The manufacturing process offers competitive advantages worth protecting. When employees casually share this information with AI tools, they essentially publish trade secrets on a global platform.
Progress: Build real protection
The Kiteworks report reveals human-dependent security measures have failed in all industries, including pharmaceuticals. Stanford’s AI index report enhances this, showing that while organizations are aware of risk, 60% of AI inaccuracy concerns and 60% identify cybersecurity vulnerabilities. Companies need to immediately move to technical management that automatically prevents unauthorized AI access and data exposure.
The key elements of effective pharmaceutical AI governance start with automated data classification and blocking. Systems must recognize and prevent sensitive information such as molecular structure, patient data, and clinical outcomes as they reach fraudulent AI platforms. This requires technology that operates in real-time scanned data flows before leaving the company’s management.
Continuous monitoring of AI interactions with solutions such as AI data gateways provides pharmaceutical companies with currently lacking visibility. Organizations need a unified governance platform that tracks all AI touchpoints across cloud services, on-premises systems, and shadowwinding.
Conclusion
The pharmaceutical industry is facing a shrinking window to address AI data leaks before catastrophic consequences arrive. Stanford research shows that AI incidents have risen 56.4% year-on-year, with 83% of organizations operating without basic technical protections whilst bleeding the most valuable data, the gap between perception and actual security has reached a significant level.
The choice is strict. They are implementing actual technical controls or are facing inevitable consequences. There is a competitive disadvantage as trade secrets leak to rivals, regulatory penalties leaked for violations, and reputational damage when patient data exposure becomes headlines. According to Stanford’s survey, public trust in AI companies has already declined from 50% to 47% in just one year. In an industry built on innovation and trust, both are threatened by failing to ensure AI use. Time for action is now before the next uploaded molecular or clinical dataset becomes tomorrow’s competitive disaster.
Frank Baronis is Kiteworks’ Chief Information Security Officer and Senior Vice President of Operations and Support for Kiteworks with over 20 years of experience in IT support and services. Since joining Kiteworks in 2003, Frank has overseen technical support, customer success, corporate IT, security and compliance, and collaboration with product and engineering teams. He is certified Information Systems Security Professional (CISSP) and serves in the US Navy. He can be contacted at fbalonis@kiteworks.com.
