A new report from browser security vendor LayerX Security argues that most enterprises are looking for AI risk in the wrong places. Rather than being spread uniformly across an organisation's workforce, exposure to generative AI tools is heavily concentrated among a small subset of high-frequency users — a finding that challenges the prevailing approach of blanket AI usage policies.
The State of AI Usage Report 2026, published by LayerX and reported by The Hacker News on 28 May, identifies what it calls a "dual concentration" pattern. Risk clusters around both a narrow group of power users who interact with AI platforms far more than their colleagues and a small number of dominant platforms that absorb the bulk of sensitive data submissions.
LayerX describes these power users as individuals whose volume of interactions with generative AI services is dramatically higher than the organisational average. The scale of potential exposure is notable: the report found that more than 6% of enterprise AI conversations contain sensitive data, with DeepSeek alone reaching 12.63%. While the company positions its own browser-based monitoring tools as part of the solution, the underlying observation resonates with a broader challenge facing security teams: standard acceptable-use policies may inadvertently catch casual users while missing the employees generating the greatest exposure.
A Visibility Problem
The report's central argument is that enterprises suffer from a significant AI visibility gap. Most organisations lack granular insight into how, how often, and through which tools their employees are submitting potentially sensitive corporate data to external AI services. Without that visibility, LayerX contends, governance frameworks are built on assumptions rather than evidence.
This is where the concentration thesis becomes operationally significant. If a disproportionate share of risky interactions — prompts containing proprietary code, customer data, or financial information — originates from a small user cohort, then security teams can achieve a greater risk reduction by focusing monitoring and training efforts on that group rather than deploying uniform restrictions company-wide.
Governance in a Data-Regulated World
Editor's note: The following section offers regional context not contained in the original LayerX report or The Hacker News coverage.
For Hong Kong-based organisations, the findings carry added weight in the context of existing and evolving regulatory expectations. The Hong Kong Monetary Authority's ongoing supervisory guidance on technology risk management and the Privacy Commissioner for Personal Data's published guidance on the use of AI and personal data both emphasise the importance of understanding data flows and applying proportionate controls.
While neither regulator has issued AI-specific mandates equivalent to the EU's AI Act, the general principle of data minimisation and purpose limitation under the Personal Data (Privacy) Ordinance means that organisations remain accountable for how employee actions expose personal data to third-party AI platforms. A concentrated risk profile suggests that targeted oversight of high-volume users could serve as a pragmatic compliance measure — provided it is implemented with appropriate transparency and proportionality.
Vendor Context and Broader Trends
It is worth noting that LayerX has a commercial interest in promoting browser-level AI monitoring solutions, and the report's findings should be read with that lens in mind. Nonetheless, the concentration pattern it describes aligns with observations from other industry research suggesting that generative AI adoption within enterprises follows a long-tail distribution — a small number of enthusiastic adopters drive the majority of usage and, by extension, the majority of potential data leakage.
As regulatory scrutiny of AI governance intensifies globally, the report's findings are relevant to a practical challenge facing CISOs and compliance teams: not whether to monitor AI usage, but how to allocate limited resources effectively. If the risk really is concentrated among an identifiable minority, the case for behavioural analytics and targeted interventions grows stronger — both as a security measure and as a defensible governance posture.
The full report is available through LayerX's website and includes further detail on platform distribution and usage patterns across surveyed enterprises.
瀏覽器安全供應商 LayerX Security 一份新報告指出,多數企業正在錯誤的地方尋找 AI 風險。與其在組織內全體員工中均勻分佈,使用生成式 AI 工具所產生的風險暴露程度,其實高度集中於一小群高頻使用者中——這項發現挑戰了現時普遍採用的「一刀切」AI 使用政策。
這份由 LayerX 發表、並於5月28日經 The Hacker News 報道的《2026年AI使用狀況報告》,識別出其所謂的「雙重集中」模式。風險聚集在兩個方面:一是與AI平台互動頻率遠高於同事的少數「重度使用者」;二是吸收了絕大部分敏感數據提交的少數主導平台。
LayerX 將這些「重度使用者」描述為與生成式 AI 服務互動量遠超組織平均水平的個人。潛在暴露規模值得注意:報告發現超過 6% 的企業 AI 對話涉及敏感數據,其中 DeepSeek 更高達 12.63%。雖然該公司將自身基於瀏覽器的監測工具定位為解決方案的一部分,但此項觀察與安全團隊面臨的更廣泛挑戰產生共鳴:標準的「可接受使用」政策可能意外地約束了偶爾使用者,卻錯過了造成最大風險暴露的員工。
可見性問題
報告的核心論點是,企業存在顯著的 AI 可見性缺口。大多數組織缺乏精細的洞察,以了解其員工如何、多頻繁地、以及透過哪些工具,將可能敏感的企業數據提交予外部 AI 服務。LayerX 認為,在缺乏這種可見性的情況下,治理框架是基於假設而非證據建立的。
這正是「集中論」在操作層面上的意義所在。如果不成比例的高風險互動——包含專有代碼、客戶數據或財務信息的提示——源自一小群使用者,那麼安全團隊將資源集中用於監測和培訓這部分群體,而非在全公司範圍內部署統一限制,就能實現更大的風險降低。
數據監管時代下的治理
編者按:以下章節提供地區背景資訊,並非來自原始 LayerX 報告或 The Hacker News 報道。
對於香港的組織而言,這些發現在現行及不斷演變的監管預期背景下具有重要意義。香港金融管理局持續就科技風險管理發出監管指引,個人資料私隱專員公署亦已就使用人工智能及個人資料發出指引,兩者均強調了解數據流動及施加相稱管控措施的重要性。
儘管目前並無任何監管機構發出類似歐盟《人工智能法案》的AI特定強制規定,但根據《個人資料(私隱)條例》,數據最小化及目的限制的基本原則意味著,組織仍需對員工行為如何導致個人資料暴露予第三方AI平台承擔責任。一份集中的風險概況表明,對高用量使用者進行針對性監督,可作為一項務實的合規措施——前提是實施時具備適當的透明度與相稱性。
供應商背景與更廣泛趨勢
值得注意的是,LayerX 在推廣瀏覽器層級AI監測解決方案方面存在商業利益,閱讀報告時應考慮這一因素。然而,報告所描述的集中模式與其他行業研究的觀察結果一致,即企業內的生成式AI應用遵循長尾分佈模式——少數熱情採用者驅動了大部分使用量,並因此帶來了大部分潛在的數據洩漏風險。
隨著全球對AI治理的監管審查力度加大,報告的發現與首席信息安全官及合規團隊面臨的實際挑戰相關:問題不在於是否監測AI使用,而在於如何有效分配有限資源。如果風險真的集中於可識別的少數群體,那麼採用行為分析及針對性干預措施的理據就更為充分——這既是一項安全措施,也是一種可防禦的治理姿態。
完整報告可在LayerX官方網站查閱,當中進一步詳述受調查企業的平台分佈及使用模式。