
In the under-monitored corners of modern enterprises, a new digital habit is quietly taking root, and it’s coming straight out of China.
Chinese-made Generative AI tools like DeepSeek and Moonshot Kimi are quietly gaining traction inside US and UK enterprise environments. The practice often comes without the knowledge or approval of security teams, which raises alarm.
Chinese platforms offer little transparency about what happens to the data users submit. Questions around data storage, retention, and how that information might be repurposed for model training are fueling growing concerns about surveillance, intellectual property theft, and corporate espionage.
A new 30-day study by cybersecurity firm Harmonic Security analyzed behavior across roughly 14,000 end users and found that 7.95% of employees in the average enterprise had interacted with at least one Chinese-developed GenAI tool, including platforms like DeepSeek, Moonshot Kimi, Manus, Baidu Chat, and Qwen. This translates to approximately 1 in 12 employees.
Each company uploaded an average of 1.2MB of data to these GenAI apps, more than enough to contain code snippets, internal documents, or structured business data.
“All data submitted to these platforms should be considered property of the Chinese Communist Party, given a total lack of transparency around data retention, input reuse, and model training policies, exposing organizations to potentially serious legal and compliance liabilities,” said Alastair Paterson, CEO and co-founder of Harmonic Security.
If you’re using Generative AI, you might leak data
Among the 1,059 employees using Chinese GenAI tools, the researchers uncovered 535 instances of sensitive data leaks. DeepSeek emerged as the prime offender, responsible for roughly 85% of these breaches, with Moonshot Kimi, Qwen, Baidu Chat, and Manus trailing behind.
Code and development artifacts made up the largest chunk of leaked data (nearly 33%), including proprietary code, internal logic, and access keys. Other sensitive content that found its way into the wild included:
- Mergers & Acquisitions data (18.2%)
- PII (personally identifiable information) (17.8%)
- Financial records (14.4%)
- Customer data (12.0%)
- Legal documents (4.9%)
The risk is especially high for engineering-heavy companies. Developers, in particular, are embracing GenAI tools to speed up coding tasks. However, feeding internal code, API keys, and system architecture into foreign-hosted models might have serious security implications.
GenAI apps of Chinese origin aren't just popular but also powerful. In some cases, depending on the task, they even outperform their US counterparts. That performance edge is exactly why employees keep turning to them despite the risks.
For most enterprise security teams, however, these tools remain invisible blind spots, operating well outside traditional monitoring systems.
“Blocking alone is rarely effective and often misaligned with business priorities. Even in companies willing to take a hardline stance, users frequently circumvent controls,” commented Paterson.
“A more effective approach is to focus on education and train employees on the risks of using unsanctioned GenAI tools, especially Chinese-hosted platforms,” he added.
AI tools are causing concern for security
Big tech's power over data is constantly under discussion: companies have access to that data, which might lead to governments and intelligence agencies using it for multiple strategic purposes. For this reason, feeding data to rival powers causes concern among Western think tanks.
A bipartisan group of US lawmakers made a push in June to introduce a bill that bars US executive agencies from using artificial intelligence models developed in China, including those from DeepSeek.
In June, Germany took steps to block Chinese AI startup DeepSeek from the Apple and Google app stores due to concerns about data protection. Previously, Australia banned the use of the app on Government devices, saying that it was an “unacceptable risk.”
Australia's decision to ban DeepSeek follows similar action in Italy, while Taiwan also banned government departments from using the app earlier this week.
As reported by Reuters, previous estimations concluded that DeepSeek is aiding China's military and intelligence operations and has had access to "large volumes" of Nvidia's chips.