Most enterprise AI security risk does not come from the many — it comes from the few. A new report from LayerX Security finds that data exposure and policy violations tied to artificial intelligence tools are heavily concentrated within a small cohort of so-called "power users," raising difficult questions about whether blanket governance policies are fit for purpose.
The visibility gap
The "State of AI Usage Report 2026," published by browser security firm LayerX, highlights just how poorly most organisations understand AI usage within their own walls. According to the report, the majority of enterprises lack adequate tooling to monitor which AI services employees access, what data flows into those services, and how individual users interact with them.
The scale of the problem is quantifiable. The report found that more than 6% of enterprise AI conversations contain sensitive data — and that figure climbs sharply on certain platforms, with DeepSeek reaching 12.63%. These numbers underscore how readily confidential information enters AI workflows, often without any organisational oversight.
This blind spot is particularly dangerous because AI-related risk is not evenly spread. A relatively small group of power users — those who engage with AI tools most frequently and in the most complex workflows — accounts for a disproportionate share of overall enterprise exposure. These are the employees most likely to experiment with unsanctioned or third-party AI services, feed sensitive documents into external models, and operate outside the boundaries of corporate security policies.
Why blanket policies fall short
The findings challenge the prevailing approach many organisations have adopted: broad, uniform AI usage restrictions applied across the entire workforce. Such policies may frustrate the majority of employees who use AI tools in low-risk, routine ways, while doing little to address the outsized risk generated by a handful of intensive users operating in the shadows.
This dynamic mirrors the broader "shadow AI" problem — the use of AI tools and services that have not been vetted, approved, or monitored by an organisation's security or IT teams. When power users turn to unapproved platforms such as DeepSeek to accelerate their work, sensitive data can easily leave the corporate perimeter without anyone noticing.
Compliance stakes are rising
The concentration of risk among a small user group carries serious regulatory implications. Data protection frameworks worldwide — from the EU's GDPR to sector-specific regulations — impose obligations to safeguard personal and confidential information. When employees feed customer records, financial data, or personally identifiable information into external AI models without oversight, those obligations are potentially compromised, often without the organisation's knowledge.
A data breach or compliance failure triggered by shadow AI activity could involve substantial volumes of sensitive information, even though only a handful of individuals are responsible. As the LayerX data shows, even routine AI conversations carry a meaningful probability of involving sensitive content, making the cumulative exposure from high-frequency power users significant.
Toward targeted, user-tiered governance
Rather than relying solely on restrictive blanket policies, the report's findings suggest organisations should consider more targeted approaches. Key recommendations include:
- User-tiered monitoring: Identify power users through behavioural analytics and subject their AI interactions to heightened scrutiny, rather than imposing uniform restrictions that hamper productivity across the board.
- Targeted audits: Conduct focused reviews of the AI platforms and data flows associated with high-frequency users, rather than broad audits that may miss the concentrated points of exposure.
- Data classification: Ensure that sensitive data is clearly labelled and that controls are in place to prevent classified information from being entered into external AI tools.
The core lesson from LayerX's research is that visibility must come before policy. Organisations cannot govern what they cannot see, and until they close the AI visibility gap, their security measures are likely to be misdirected — protecting broadly while the real risk hides in plain sight among a few.
大多數企業人工智能安全風險並非來自多數人,而是來自少數人。LayerX Security 的一份新報告發現,與人工智能工具相關的數據暴露及違規政策行為高度集中於一小群所謂的「高頻用戶」中,這引發了關於一刀切式治理政策是否適用的棘手問題。
可見性差距
由瀏覽器安全公司 LayerX 發佈的《2026 年人工智能使用狀況報告》凸顯了大多數機構對自身內部人工智能使用情況的了解程度有多差。根據報告,大多數企業缺乏足夠的工具來監控員工使用了哪些人工智能服務、何種數據流入這些服務,以及個別用戶如何與之互動。
問題的規模是可以量化的。報告發現,超過 6% 的企業人工智能對話包含敏感數據——而在某些平台上,這一數字急劇攀升,其中 DeepSeek 更達到 12.63%。這些數據凸顯了機密資訊何等輕易地進入人工智能工作流程,而且往往在完全缺乏機構監督的情況下發生。
這一盲點尤其危險,因為與人工智能相關的風險並非均勻分佈。一小部分高頻用戶——即最頻繁使用人工智能工具且應用於最複雜工作流程的群體——佔據了整體企業暴露風險中不成比例的巨大份額。這些員工最有可能嘗試使用未經批准或第三方的人工智能服務,將敏感文件輸入外部模型,並在公司安全政策界限之外運作。
為何一刀切政策成效不彰
這項發現挑戰了許多機構所採取的主流做法:將廣泛、統一的人工智能使用限制應用於全體員工。此類政策可能會讓大多數以低風險、常規方式使用人工智能工具的員工感到沮喪,但對於解決少數在隱蔽環境中運作的深度用戶所產生的巨大風險作用甚微。
這種動態反映了更廣泛的「影子人工智能」問題——即使用未經組織安全或資訊科技團隊審查、批准或監控的人工智能工具和服務。當高頻用戶為加速工作而轉向 DeepSeek 等未經批准的平台時,敏感數據便可能輕易地離開企業防線,而無人察覺。
合規風險日益上升
風險集中於少數用戶群體帶來嚴峻的監管影響。全球的數據保護框架——從歐盟的《通用數據保護條例》(GDPR)到各行業特定法規——均規定有義務保障個人及機密資訊。當員工在未經監督的情況下將客戶記錄、財務數據或個人可識別資訊輸入外部人工智能模型時,這些義務便可能受到潛在損害,而機構往往對此一無所知。
由影子人工智能活動引發的數據洩露或合規失敗,可能涉及大量敏感資訊,即使責任僅在於少數個人。正如 LayerX 的數據所示,即使是日常的人工智能對話也有相當大的概率涉及敏感內容,這使得高頻用戶的累積暴露風險極為顯著。
邁向針對性、用戶分層的治理
報告的發現建議,機構不應僅依賴限制性的全面政策,而應考慮更具針對性的方法。主要建議包括:
- 用戶分層監控: 通過行為分析識別高頻用戶,並對其人工智能互動進行更嚴格的審查,而非實施統一的限制,阻礙整體生產力。
- 針對性審計: 對高頻用戶相關的人工智能平台和數據流進行集中審查,而非進行可能錯失集中暴露點的廣泛審計。
- 數據分類: 確保敏感數據得到清晰標記,並設置控制措施以防止受限制資訊被輸入外部人工智能工具。
LayerX 研究的核心啟示是:可見性必須先於政策。機構無法治理其看不見的問題,在其彌合人工智能可見性差距之前,其安全措施很可能被錯誤引導——在廣泛層面提供保護的同時,真正的風險卻在少數人中顯而易見地潛藏。