The retail industry has embraced generative AI faster than most sectors, but a new report warns that the race to integrate these tools is creating significant cybersecurity risks.
According to cybersecurity firm Netskope, 95% of retail organizations now use generative AI applications—a sharp rise from 73% just a year ago. The surge reflects the industry’s determination to keep pace with competitors, but it also comes with growing exposure to cyber threats and data leaks.

From Shadow AI to Enterprise Tools
The report highlights a notable shift in how retailers are managing generative AI use. Early adoption was often chaotic, with employees turning to personal AI accounts without oversight. That trend is fading: staff use of personal AI accounts dropped from 74% to 36% this year, while company-approved tools more than doubled, from 21% to 52%. This move suggests retailers are beginning to clamp down on so-called “shadow AI” in favor of controlled, enterprise-grade platforms.
ChatGPT remains the most widely used tool, with 81% of retailers relying on it. Still, competition is heating up. Google Gemini has secured a 60% adoption rate, and Microsoft Copilot tools are close behind, driven by seamless integration into everyday productivity software. Notably, ChatGPT saw its first dip in usage this year, coinciding with Microsoft 365 Copilot’s surge.
Sensitive Data at Risk
Generative AI’s usefulness lies in processing information, but this also makes it a liability. Netskope’s data shows that source code is the most exposed category, accounting for 47% of policy violations in AI apps. Regulated data—such as customer records and confidential business information—follows closely at 39%.
To curb risks, many retailers are banning apps that pose data security concerns. ZeroGPT tops the blocklist, with 47% of organizations forbidding its use due to data storage issues and reports of third-party redirection. Instead, more companies are turning to secure enterprise solutions hosted by cloud providers, such as Amazon Bedrock and OpenAI via Microsoft Azure, each adopted by 16% of retailers. These platforms offer private hosting and custom model building, but even minor misconfigurations could expose critical company systems.
Cyber Threats Beyond AI
The risks extend beyond generative AI. The report found 63% of retail organizations directly connect to OpenAI’s API, embedding AI into backend systems and workflows. Combined with poor cloud security practices, this creates opportunities for attackers who exploit trusted platforms to deliver malware. Microsoft OneDrive was linked to 11% of malware incidents in retail each month, while GitHub accounted for 9.7%.

Adding to the challenge, employees continue to use personal apps at work. Nearly all retailers report activity on social networks like Facebook (96%) and LinkedIn (94%), as well as personal storage accounts. These services often trigger the worst breaches: when employees upload files to personal apps, 76% of resulting policy violations involve sensitive, regulated data.
A Turning Point for Retail Security
The findings mark a turning point for the industry. Generative AI is no longer an experiment—it is deeply embedded in retail operations. But with adoption comes responsibility. Netskope warns that retailers must act quickly to establish stronger governance, gain full visibility over web traffic, and enforce strict policies around sensitive data.
Without these safeguards, the sector risks trading innovation for vulnerability—and the next AI breakthrough could just as easily lead to the next major data breach.