AI is already embedded in daily work across most business. Employees are using it to summarize meetings, review contracts, research competitors, analyze documents, draft presentations, and automate routine tasks – not to mention its use in specialized tools and software across difference business teams. The question is no longer whether AI is being used at work – that answer is a resounding yes – but whether organizations have an accurate picture of where that use is happening, what kind of work is flowing through it, and how much of it sits outside normal governance controls.
Harmonic Security’s 2026 AI Usage Index, based on 1.9 million classified AI-session minutes across six major AI applications, suggests many companies still do not – and that’s a problem. Companies cannot effectively govern, secure, or retain ownership of work-related AI activity they don’t fully see or understand.
The most notable finding isn’t surprising. A large share of work-related AI activity is happening on personal and free-tier accounts. Harmonic found that 65% of activity on personal accounts was classified as business use, including 80% on Copilot Free, 76% on Claude Pro, 71% on ChatGPT Plus, and 61% on ChatGPT Free. In other words, when employees open consumer AI tools during the workday, they are often not planning vacations or asking trivia questions. They are doing real business work. That’s the good news.
The bad news is personal AI accounts fall outside the visibility, retention, and control structures companies usually assume apply to corporate work. If an employee pastes a contract, proposal draft, pricing strategy, or customer context into a personal AI account, that information may live in a conversation history the employer does not own and cannot recover later. That creates a governance problem, but it also creates an ownership problem because business context is being generated and stored in places the organization doesn’t control and most likely hasn’t approved.
At the same time, the report complicates the simple narrative that free accounts are the risk. The flip side is that employees also use enterprise plans for their own tasks – those plans account for 46% of all personal AI activity, compared to 30% on paid consumer plans and 16% on free and guest accounts.
So, the governance issue cuts both ways: Employees are using personal tools for work, but they are also using enterprise AI for personal tasks. The real takeaway is not that one plan tier is safe and another is dangerous, but that plan type alone does not tell companies enough about what is actually happening.
Harmonic’s report also suggests workers are not choosing AI tools primarily by task category. Across the six applications in the survey, the business-work mix is broadly similar.
- 47% of time goes to efficiency and automation,
- 20% goes to risk and compliance,
- 20% goes to decision support,
- 7% goes to revenue and growth, and
- 6% goes to innovation and creation.
There are nuanced differences, of course. For example, Claude skews more toward decision support, while Microsoft Copilot leans more heavily into efficiency work. Still, the overall pattern is consistent. Employees appear to be using whichever tool is most available to them, not carefully segmenting tools by business function.
For companies believing that paying for enterprise licenses solves the problem, that’s not the case. Companies may be paying for governed AI environments, but employees may still be doing similar work in personal accounts sitting in the next browser tab. The implication is that governance has to follow user behavior and content exposure, not just procurement decisions.
Taking a look at departmental breakdowns in terms of share of AI hours provides a little more insight.
- Legal and Governance –19.5% hours
- Go-to-Market – 17.7% hours,
- Design and Development – 13.3%, hours, and
- Strategy – 11.9% hours.
But, don’t be fooled into thinking this means AI is a legal risk issue. In some ways, it is, of course, since legal work often involves contracts, litigation strategy, regulatory analysis, and intellectual property review. But, legal teams are disproportionately using enterprise plans, where governance should be stronger and more visible. Go-to-Market teams, on the other hand, account for 29% of free-account AI hours and only 10% of enterprise plan usage. Sales and marketing teams are doing significant business work in environments into which their companies don’t have visibility.
Here’s the lesson from the data: Governance coverage does not always line up with exposure because the biggest users are not necessarily the least governed and, conversely, the most-governed environments are not necessarily where the biggest blind spots sit. Legal may involve sensitive material, but GTM teams are generating proposals, competitive intelligence, messaging, and customer-facing content at scale in unmanaged contexts. For many organizations, that is where the gap between policy and reality is at its widest.
There’s another important variable, though. Average time spent per AI task may be a more useful behavioral signal than raw event counts. That’s because deeper sessions tend to involve more context-sharing, more iteration, and more business material being pasted into the model.
The differences are meaningful between AI models when it comes to average session time.
- Claude Enterprise – 10.4 minutes,
- Claude Pro – 10.1 minutes,
- ChatGPT Enterprise – 7.1 minutes, and
- ChatGPT Free – 4.8 minutes.
A departmental breakdown of average time per AI task is probably not surprising.
- Design and Development – 9.6 minutes,
- Strategy – 8.6 minutes
- Finance – 7.6 minutes, and
- Legal – 6.4 minutes.
But, because of the high volume, total data exposure is probably higher for legal.
Perhaps the question, then, is not “Which tool are people using?” but “How embedded is AI in the workflow, and how much context is being shared?” A two-minute query for a synonym is not the same risk event as a twelve-minute iterative session reviewing a contract, modeling a financial scenario, or synthesizing a strategy memo.
To be clear, nobody is arguing against AI adoption. AI is clearly functioning as a work tool, not a novelty. Employees are using it because it helps them move faster, handle complexity, and automate low-value tasks. That’s why governance can’t be built around ideology or simple restrictions. If companies try to pretend the AI genie can be put back in the bottle, even partially, they are going to lose much of its value.
Instead, businesses should build governance around behavior, not assumptions. In other words, don’t look at whether an account is free or enterprise, but what kind of work is being done, which departments are operating most outside managed environments, and thinking of session depth as the real exposure risk.
AI is here to stay – it’s that simple. Many employers have embraced it, and those that haven’t better do it quickly. But, the enterprise AI story is messier than expected. Employees aren’t using AI only where companies provision it and they are often using it for far more than was anticipated. Indeed, they are using it wherever it is convenient. That shouldn’t be surprising, nor is it necessarily bad
The solution is not to buy enterprise licenses and publish stricter rules. Rather, the businesses that excel at the AI transition will gain a clearer view of what’s actually happening and build governance around that – around the way AI is actually being used, letting the employees that are actually using AI help define governance. Otherwise, the risk is that uninformed governance will actually work against productivity and growth.
Edited by
Erik Linask
