The biggest AI-related security threat inside large enterprises isn't coming from the average employee casually experimenting with ChatGPT. It is coming from a small, identifiable group of intensive "power users" — and most organisations have no idea who those people are.
That is the central finding of the State of AI Usage Report 2026, published by browser security firm LayerX Security. The research, covered by The Hacker News in May 2026, analysed enterprise AI adoption patterns and found that AI-related risk is heavily concentrated among a small segment of the workforce. These power users interact with AI tools far more frequently than their colleagues, often uploading substantially larger volumes of corporate data — including source code, financial records, and customer personally identifiable information — into third-party AI platforms. The report found that more than six percent of enterprise AI conversations contain sensitive data, underscoring the scale of the exposure.
The research also highlights shifting platform dynamics. DeepSeek, for example, reached a 12.63 percent share of enterprise AI usage — a notable figure that illustrates how quickly new entrants can gain traction inside organisations, often without formal approval from security or IT teams.
The Visibility Gap
What makes this finding particularly consequential is not the concentration itself but the fact that most enterprises lack the tooling to see it. LayerX describes a pervasive "visibility gap" in which security and IT teams have little or no granular insight into which employees are using which AI services, how often, and — critically — what kind of data is being fed into them.
This gap has regulatory implications. Data protection frameworks in jurisdictions ranging from Hong Kong's Personal Data (Privacy) Ordinance to the EU's GDPR require organisations to safeguard personal data against unauthorised processing. If power users are routinely pasting customer records into external AI tools without oversight, that exposure may fall squarely within regulatory scope — yet remain invisible to the compliance team.
Rethinking the Blanket Approach
The report's findings challenge the default posture many enterprises have adopted: broad, organisation-wide restrictions on AI tool usage. LayerX argues that such policies are both too blunt and too easy to circumvent, since the actual risk is concentrated in a tiny user segment. A more effective strategy, the firm contends, involves identifying high-frequency users, classifying the sensitivity of the data they handle, and applying targeted guardrails rather than sweeping bans.
This user-centric and data-centric model of AI governance aligns with a growing body of industry thinking that visibility into actual usage patterns matters far more than policy documents alone.
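The three steps LayerX argues for above (identify high-frequency users, classify the data they submit, apply targeted guardrails), sketched as an added example that is not from the report or from LayerX. The event records, the regex classifiers, the 75% coverage threshold and all function names are constructed assumptions.

```python
import re
from collections import defaultdict
# Illustrative sensitivity patterns (assumptions, not LayerX's classifiers).
PATTERNS = {
    "pii_email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "secret": re.compile(r"(?i)(api[_-]?key|password)\s*[=:]\s*\S+"),
    "source_code": re.compile(r"^\s*(def |class |import |#include )", re.M),
}
# Constructed sample events: (user, ai_service, bytes_uploaded, prompt_text).
EVENTS = [
    ("alice", "chatgpt", 300, "Summarise this press release for me"),
    ("bob", "deepseek", 48000, "import os\ndef sync():\n    api_key = 'k-123'"),
    ("bob", "chatgpt", 52000, "Refund list: jo@example.com, li@example.com"),
    ("bob", "deepseek", 61000, "class Ledger:\n    pass"),
    ("carol", "chatgpt", 900, "Draft a polite meeting reminder"),
    ("dave", "chatgpt", 1200, "password: hunter2 does not work, why?"),
]

def classify(text):
    """Return the set of sensitivity labels whose pattern matches the prompt."""
    return {name for name, rx in PATTERNS.items() if rx.search(text)}

def summarise(events):
    """Per-user conversation count, upload volume, sensitive hits, services used."""
    stats = defaultdict(lambda: {"convs": 0, "bytes": 0, "sensitive": 0, "services": set()})
    for user, service, size, text in events:
        s = stats[user]
        s["convs"] += 1
        s["bytes"] += size
        s["sensitive"] += bool(classify(text))  # count conversations, not matches
        s["services"].add(service)
    return dict(stats)

def power_users(stats, share=0.75):
    """Smallest ranked set of users covering `share` of sensitive conversations."""
    total = sum(s["sensitive"] for s in stats.values())
    ranked = sorted(stats, key=lambda u: (-stats[u]["sensitive"], -stats[u]["bytes"]))
    picked, covered = [], 0
    for user in ranked:
        if total == 0 or covered >= share * total:
            break
        picked.append(user)
        covered += stats[user]["sensitive"]
    return picked

def guardrail_tiers(stats, share=0.75):
    """Targeted controls for the concentrated-risk users, baseline for the rest."""
    flagged = set(power_users(stats, share))
    return {u: "targeted" if u in flagged else "baseline" for u in stats}
```

On the constructed data one user out of four accounts for three of the four sensitive conversations, so only that user lands in the targeted tier at the default threshold.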
The Productivity Tension
The findings also speak to a challenge familiar to IT managers across many sectors: the tension between enabling AI-driven productivity and preventing data leakage. Power users, by definition, tend to be among the most technically adept and productivity-oriented employees. Blanket shutdowns risk alienating high performers and driving usage underground onto personal accounts — a worse outcome from a security standpoint.
LayerX recommends that organisations invest in monitoring capabilities that can surface shadow AI usage without impeding legitimate workflows. For enterprises where AI adoption is accelerating and regulatory expectations around data handling continue to tighten, the report is a timely reminder that governance frameworks need to keep pace with how employees actually use these tools — not how policy assumes they do.
The full State of AI Usage Report 2026 is available from LayerX Security.
