Enterprise AI Risk Concentrated Among Small Group of 'Power Users,' Report Finds
Most enterprises lack a clear picture of how AI tools are being used across their workforce — and the risk is not spread evenly. According to a new report published by cybersecurity firm LayerX Security, the bulk of enterprise AI exposure stems from a small subset of habitual, high-volume users rather than from broad, company-wide adoption patterns.
The finding challenges a common assumption among IT and security teams: that mitigating AI-related data risk requires sweeping, blanket restrictions. In reality, the report suggests, organisations would get far more mileage from targeted, behaviour-based controls aimed at the employees generating the most exposure.
The Scale of the Problem
LayerX's research quantifies the risk in stark terms. More than 6% of enterprise AI conversations contain sensitive data — a figure that underscores how routinely confidential information enters external AI platforms. The problem is particularly acute on certain services: DeepSeek, for example, accounted for a sensitive-data rate of 12.63%, the highest among platforms analysed.
These numbers point to a significant blind spot in how enterprises monitor AI tool usage. While many organisations have implemented policies governing generative AI — such as acceptable-use guidelines or outright bans on certain platforms — far fewer have the technical visibility to know which employees are actually using AI tools, how frequently, and what kind of data is being fed into them.
That gap matters because the risk profile is unevenly distributed. A relatively small cohort of "power users" accounts for a disproportionate share of prompts, data uploads, and interactions with AI platforms. These users are far more likely to paste sensitive business information, source code, or customer data into external AI services — whether sanctioned or not — creating concentrated vectors for data leakage.
Shadow AI Remains a Core Challenge
The report's findings reinforce the persistent challenge of "shadow AI" — the use of unsanctioned AI tools outside the purview of IT and security teams. Even in organisations with explicit AI usage policies, enforcement without technical monitoring mechanisms often falls short. Power users, by virtue of their high engagement, are the ones most likely to skirt restrictions or find workarounds.
For security teams, this means policy alone is insufficient. LayerX's analysis points to the need for real-time monitoring and classification of AI interactions, enabling teams to identify high-risk behaviours as they occur rather than relying on periodic audits or self-reported compliance.
Practical Takeaways for IT and Security Leaders
The report suggests several actionable steps for enterprises looking to close the AI visibility gap without stifling productivity:
- Implement granular monitoring of AI tool usage at the browser and application level, tracking not just access but the types of data being submitted.
- Classify data at the point of use, so that sensitive information — financial records, PII, proprietary code — can be flagged before it reaches an external AI service.
- Focus training and policy efforts on power users, who represent the highest-risk segment. Tailored awareness programmes for these individuals are likely to yield better risk reduction than blanket communications.
- Reassess the toolset, ensuring that sanctioned AI platforms meet the organisation's data-handling requirements, so employees have a viable, secure alternative to shadow tools.
Broader Context
The LayerX report arrives at a time when enterprises worldwide are grappling with the tension between enabling AI-driven productivity and managing the security and compliance risks that come with it. Regulatory frameworks around AI governance are evolving rapidly, and organisations that cannot demonstrate meaningful oversight of AI usage may face increased scrutiny.
For IT professionals, the core message is pragmatic: rather than treating all AI usage as equally risky, focus resources where the exposure is greatest. Understanding who your power users are — and what they are doing with AI — is the first step toward a more effective and proportionate security posture.
報告指出企業AI風險集中於少數『高頻使用者』
大多數企業對於AI工具在其員工間的使用情況缺乏清晰認知——且相關風險並非均勻分佈。根據網絡安全公司LayerX Security發布的一份新報告,企業的主要AI暴露風險源自一小部分習慣性、高用量的使用者,而非廣泛的、全公司範圍的採用模式。
此發現挑戰了IT和安全團隊的一個普遍假設:即緩解AI相關數據風險需要採取大規模的、一刀切的限制措施。報告實際表明,組織若將針對性的、基於行為的控制措施瞄準那些產生最多暴露的員工,將能獲得更大成效。
問題的嚴重程度
LayerX的研究以鮮明的數據量化了相關風險。超過6%的企業AI對話包含敏感數據——這一數字凸顯了機密資訊進入外部AI平台的頻繁程度。問題在某些服務上尤為突出:以DeepSeek為例,其敏感數據比率達12.63%,在所分析的平台中高居首位。
這些數據揭示了企業在監控AI工具使用方面存在的一個重大盲點。儘管許多組織已實施管理生成式AI的政策——例如可接受使用指引或對特定平台的全面禁令——但擁有技術手段來準確知曉哪些員工正在使用AI工具、使用頻率以及輸入了何類數據的組織則少得多。
此差距至關重要,因為風險概況分佈不均。相對較小的一群「高頻使用者」佔據了提示詞、數據上傳及與AI平台互動的絕大多數。這些使用者更可能將敏感商業資訊、原始碼或客戶數據貼入外部AI服務——無論是否經過批准——從而形成數據洩漏的集中渠道。
Shadow AI仍是核心挑戰
報告的發現強化了「Shadow AI」持續帶來的挑戰——即在IT和安全團隊監管範圍之外使用未經批准的AI工具。即使在有明確AI使用政策的組織中,若缺乏技術監控機制,政策的執行往往力有不逮。高頻使用者因其高度投入,最有可能規避限制或尋找變通方法。
對安全團隊而言,這意味著僅有政策是不夠的。LayerX的分析指出,需要對AI互動進行實時監控和分類,使團隊能夠在高風險行為發生時即時識別,而非依賴定期審計或自我報告的合規情況。
給予IT及安全主管的實用建議
報告為希望彌合AI可見性差距同時不扼殺生產力的企業提出若干可行步驟:
- 實施細粒度監控,在瀏覽器和應用層面追蹤AI工具使用情況,不僅追蹤存取,還要追蹤提交的數據類型。
- 在數據使用時進行分類,以便在敏感資訊(如財務記錄、PII(個人身份資料)、專有代碼)到達外部AI服務之前進行標記。
- 將培訓和政策重點放在高頻使用者身上,他們代表風險最高的群體。為這些個人量身定制的意識提升計劃,可能比全員通訊更能有效降低風險。
- 重新評估工具集,確保已批准的AI平台符合組織的數據處理要求,從而為員工提供一個可行、安全的替代方案,取代Shadow工具。
更廣泛背景
LayerX報告發布之際,正值全球企業在推動AI驅動的生產力與管理隨之而來的安全合規風險之間尋求平衡。圍繞AI治理的監管框架正在快速發展,無法展示對AI使用進行有效監督的組織可能面臨更多審查。
對IT專業人士而言,核心信息是務實的:與其將所有AI使用視為同等風險,不如將資源集中在暴露風險最大的地方。了解誰是你的高頻使用者——以及他們如何使用AI——是邁向更有效且成比例的安全態勢的第一步。