Most organizations believe they have an AI strategy. Far fewer have an accurate picture of how AI is truly being used inside their business.
For the past two years, enterprise AI conversations have focused largely on governance policies, approved tools, and concerns about sensitive data leaking into public large language models. But as AI adoption accelerates, security leaders are discovering that policies alone provide little visibility into what employees are really doing.
The result is that many organizations are trying to govern AI without understanding how it's being used in the first place.
"We're trying to understand who's using AI at all," said Alastair Paterson, CEO of Harmonic Security, during a recent CYBR.SEC.CAST appearance. "Most companies have no idea."

The shadow AI problem is already here
For years, security teams battled shadow IT: employees adopting unsanctioned cloud services because official tools couldn't meet their needs. AI is proving no different.
Employees are using ChatGPT, Claude, Perplexity, coding assistants, browser-based AI tools, embedded AI features inside SaaS applications, and a rapidly growing ecosystem of agents and automation platforms. In many organizations, those tools appeared long before formal governance programs did.
Some companies attempted to control adoption through restrictive policies. Others simply trusted employees to use AI responsibly. Neither approach has solved the visibility problem. As Paterson notes, many organizations are still trying to answer basic questions:
- Which AI tools are employees using?
- What data is being shared?
- What business problems are people solving?
- Which teams are adopting AI fastest?
- Which tools are actually delivering value?
Without answers, security leaders are forced to make decisions based on assumptions.

Measuring the wrong things
Part of the problem is that many organizations are using flawed metrics to evaluate AI adoption.
Paterson described situations where companies track prompt volume or token consumption as indicators of AI success. In some cases, employees are even being evaluated on whether they're using AI tools as part of performance reviews.
The metric sounds logical until you think about it.
A high prompt count doesn't necessarily indicate productivity. It may simply indicate experimentation, inefficient workflows, or employees trying to demonstrate activity.
Meanwhile, teams generating meaningful business outcomes may be using fewer prompts but producing significantly greater value.
This reflects a familiar challenge in security: counting alerts has never been a reliable measure of effectiveness, and counting prompts is no better for measuring AI impact. Organizations need visibility into outcomes, not activity.

Security teams are becoming AI enablement teams
The pressure on security leaders is also changing. Historically, security teams were expected to identify risks and prevent bad outcomes. Today, many CISOs are being asked to accelerate AI adoption while simultaneously managing risk. That's a fundamentally different role.
Boards and executive teams increasingly view AI as a business imperative. Security teams that simply block tools risk becoming obstacles to innovation. Security teams that enable safe adoption are becoming strategic partners.
Paterson believes that shift creates an opportunity for security leaders to become more influential inside their organizations.
Rather than serving as gatekeepers, they can help business leaders understand which AI tools are creating value, where adoption is succeeding, and what controls are necessary to scale usage safely.
That requires visibility that extends far beyond traditional governance dashboards.

The rise of AI usage intelligence
This is where a new concept is beginning to emerge: AI usage intelligence.
Instead of simply identifying whether AI is being used, usage intelligence seeks to understand how it's being used.
For example:
- What tasks are employees performing with AI?
- Which departments are adopting AI most effectively?
- Which tools are delivering measurable business value?
- Where are employees bypassing approved solutions?
- Which workflows create risk?
- Which workflows create competitive advantage?
These questions move AI governance beyond compliance and into business strategy.
The answers can help organizations identify internal AI champions, measure return on investment, optimize tool selection, and improve workforce productivity.
Just as importantly, they provide context security teams need to distinguish between legitimate innovation and genuine risk.

Visibility before control
The lesson emerging from enterprise AI adoption is straightforward. Organizations can’t govern what they can’t see.
Before security teams can decide which AI tools to allow, restrict, monitor, or integrate, they need a clear understanding of how employees are already using them.
For many organizations, that discovery process is only beginning.
The AI conversation is no longer just about data leakage or acceptable use policies. It's becoming a conversation about visibility, behavior, business outcomes, and understanding the role AI plays inside the modern enterprise.
The companies that gain that understanding first won't just be better positioned to secure AI. They'll be better positioned to benefit from it.

