Why cybersecurity still needs real-world classrooms
Why cybersecurity still needs real-world classrooms
Read More
Remember when corporate software misuse meant employees using workplace tools for personal tasks? A little shopping on the company laptop; a private email on a corporate account. AI has flipped that on its head.
According to a new AI usage index from Harmonic Security, 64.5% of activity on personal and free-tier AI accounts is business use. In other words, employees are not mainly using personal AI tools to plan holidays or write wedding speeches. They’re using them to write work emails, summarise meeting notes, debug code, and make decisions faster.
If you’re a CISO, that’s a good reason to take another look at your AI policy – because hidden AI use is hard to govern, and your policy could be one of the reasons people are going underground.
Harmonic analysed 1,935,247 classified AI-session minutes across six applications. The headline finding isn’t that employees are wasting time with chatbots. Quite the opposite, in fact: 74.6% of classified AI minutes were business use, compared with 13.3% personal use.
So AI adoption is driven by productivity. Employees have found something useful, and they’re voting with their prompts.
But this becomes a problem when organisations send the opposite message: AI is suspicious, risky, frowned upon, or only acceptable in very narrowly defined circumstances. Because people still use it – they just stop telling you.
And that’s where the risk comes in. A personal generative AI account may already be logged in. It probably has useful history, and works faster than the approved enterprise tool. But it’s also outside the organisation’s normal visibility, retention, access control and offboarding processes. When an employee leaves, the company then loses not just a person, but a trail of business context sitting in a private AI account.
Importantly, people aren’t just using their personal AI tools for low-risk admin tasks. Harmonic found that business AI activity clusters around:
Those categories can involve contracts, customer information, internal strategy, code, policies, and financial assumptions.
Legal and governance accounted for 19.5% of all AI hours – the highest share of any department. Go-to-market followed at 17.7%. But the split is revealing: Legal activity is concentrated on enterprise plans, while go-to-market dominates free-account usage, accounting for 28.6% of free-account AI hours.
That’s the blind spot. Sales and marketing teams are often closest to customer data, competitive intelligence, pricing, proposals, and pipeline conversations. If they feel the approved AI route is slow or punitive, they’ll reach for the tool that helps them hit the deadline. Security teams might call that non-compliance – but as far as employees are concerned, it’s just about getting the job done.
The answer is to make safe AI use easier than unsafe AI use.
And that starts with tone. Organisations should tell employees, very clearly, that using AI at work is not a shameful shortcut. It’s allowed and expected – within sensible boundaries.
Then give people practical rules they can remember:
Good AI governance should be designed for the way people actually use tools, and should never feel like a surveillance regime. Here are three ways to do that:
AI at work is already embedded in daily behaviour. So to handle it well, you have to make sure you’re not shaming people into silence.
Join the newsletter to receive the latest updates in your inbox.
Why cybersecurity still needs real-world classrooms
Read More
Research from 687 IT and security leaders shows that deeper AI adoption leads to more incidents, making governance a critical cybersecurity priority.
Read More
Modern cybercrime is powered by specialist providers, from Initial Access Brokers to ransomware affiliates. Explore the Crime-as-a-Service ecosystem and its impact on defenders.
Read More