Remember when corporate software misuse meant employees using workplace tools for personal tasks? A little shopping on the company laptop; a private email on a corporate account. AI has flipped that on its head.
According to a new AI usage index from Harmonic Security, 64.5% of activity on personal and free-tier AI accounts is business use. In other words, employees are not mainly using personal AI tools to plan holidays or write wedding speeches. They’re using them to write work emails, summarise meeting notes, debug code, and make decisions faster.
If you’re a CISO, that’s a good reason to take another look at your AI policy – because hidden AI use is hard to govern, and your policy could be one of the reasons people are going underground.
Harmonic analysed 1,935,247 classified AI-session minutes across six applications. The headline finding isn’t that employees are wasting time with chatbots. Quite the opposite, in fact: 74.6% of classified AI minutes were business use, compared with 13.3% personal use.
So AI adoption is driven by productivity. Employees have found something useful, and they’re voting with their prompts.
But this becomes a problem when organisations send the opposite message: AI is suspicious, risky, frowned upon, or only acceptable in very narrowly defined circumstances. Because people still use it – they just stop telling you.
And that’s where the risk comes in. A personal generative AI account may already be logged in. It probably has useful history, and works faster than the approved enterprise tool. But it’s also outside the organisation’s normal visibility, retention, access control and offboarding processes. When an employee leaves, the company loses not just a person, but a trail of business context sitting in a private AI account.
The work is real, and often sensitive
Importantly, people aren’t just using their personal AI tools for low-risk admin tasks. Harmonic found that business AI activity clusters around:
- Efficiency and automation (47%)
- Risk and compliance (20%)
- Decision support (20%)
Those categories can involve contracts, customer information, internal strategy, code, policies, and financial assumptions.
Legal and governance accounted for 19.5% of all AI hours – the highest share of any department. Go-to-market followed at 17.7%. But the split is revealing: Legal activity is concentrated on enterprise plans, while go-to-market dominates free-account usage, accounting for 28.6% of free-account AI hours.
That’s the blind spot. Sales and marketing teams are often closest to customer data, competitive intelligence, pricing, proposals, and pipeline conversations. If they feel the approved AI route is slow or punitive, they’ll reach for the tool that helps them hit the deadline. Security teams might call that non-compliance – but as far as employees are concerned, it’s just about getting the job done.
Make AI use normal, visible, and governable
The answer is to make safe AI use easier than unsafe AI use.
And that starts with tone. Organisations should tell employees, very clearly, that using AI at work is not a shameful shortcut. It’s allowed and expected – within sensible boundaries.
Then give people practical rules they can remember:
- What data can go into which tools?
- Which AI accounts are approved for customer data, code, contracts or internal strategy?
- What should never be pasted anywhere?
- Who can employees ask when they are unsure?
Good AI governance should be designed for the way people actually use tools, and should never feel like a surveillance regime. Here are three ways to do that:
- Approve useful tools, not theoretical ones. If the enterprise AI tool is clunky and the personal one is faster, employees will choose speed.
- Create a no-blame disclosure culture. Make it safe for teams to say where AI is already being used, so security can govern reality rather than policy fiction.
- Govern by data and context. Harmonic’s report shows that risk depends on what employees are sharing, why they’re sharing it, and how deep the workflow goes.
AI at work is already embedded in daily behaviour. So to handle it well, you have to make sure you’re not shaming people into silence.