Organisations are now deploying AI as a routine part of everyday work, far beyond pilot projects and theoretical risk debates, according to a new January snapshot of real-world usage data released by CultureAI this week. The research highlights how AI is being used in ordinary workflows and reveals the emerging patterns that are generating the most significant risks for businesses.
Rather than focusing on speculative threats or technical model flaws, the CultureAI snapshot looks at behavioural signals from actual interactions, such as prompt content, file uploads, and accumulated context, across thousands of enterprise and consumer tools. Crucially, the research reveals that risk in AI isn’t driven by rare, dramatic misuse, but by common workplace behaviour at scale.
One of the most striking results of the January analysis is that more than one in six risky AI interactions involve internal strategy or planning details. This reflects a broader trend in which employees increasingly feed commercial strategy documents, planning context and sensitive reasoning into AI tools to enhance outputs during tasks like summarisation, decision support and brainstorming. As these data types don’t fit traditional “high-risk” categories such as financial numbers or credentials, their exposure often goes unnoticed, yet the potential competitive and regulatory impacts are material. Legacy monitoring systems, built to catch static patterns, struggle to detect this kind of incremental data leakage.
Additionally, the research finds that personal identifiers are found in more than half of sensitive AI interactions. Rather than obscure secrets, it’s everyday data, like names, email addresses and other basic personal context, that pushes otherwise benign prompts into risky territory. Employees often include this information simply to make AI outputs more relevant or actionable. The implication is that risk doesn’t just come from extreme misuse; it arises from normal context added to improve utility. Traditional data loss prevention (DLP) tools and static policy rules are ill-equipped to interpret why that context matters or how risk accumulates over time.
Another significant trend revealed by the snapshot is the rapid growth of AI usage outside enterprise environments. Even where companies have approved and provisioned AI tools for staff, free consumer AI assistants, like the free tier of Google’s Gemini, are growing fastest. This points to an expanding gap between organisational visibility and where adoption is actually occurring. By the time tools are recognised and added to official allow-lists, their usage patterns and the data they handle are often already well-established, raising risks that standard governance frameworks fail to address.
Taken together, these insights suggest a major rethink is needed in how businesses govern AI. Rather than relying on coarse app-level policies or static classifications, CultureAI argues that effective controls must focus on data types and interaction context, understanding what data is shared, why and when. This “AI Usage Control” model treats AI adoption as a managed workflow, not a binary decision of approved versus unapproved tools.
This research sheds light on why many organisations still feel blind to actual AI use and risk, despite deploying enterprise AI platforms. It’s not just the tools that matter, but how people embed them into everyday work. With sensitive data slipping into AI prompts through routine behaviour, the focus is shifting from “blocking AI” to governing how it’s used.
