
Shadow AI in a Small Business: What 3,700 AI Prompts Reveal

Every major shadow AI study looks at enterprise. Cyberhaven analyses Fortune 500 banks. Harmonic monitors 14,000 enterprise users. Netskope tracks 3,500 large customers. Nobody publishes what shadow AI actually looks like inside a small business. We do.

Key Findings

  • 38% of AI interactions triggered a risk warning over a 60-day monitoring period
  • Personal information was the most frequently detected risk category (758 instances)
  • The riskiest prompts came from specialist topics, not high-volume ones
  • When warned, users responded almost every time. Just 3 bypasses in 60 days
  • High-risk prompts dropped from 295 to 12 post-intervention: a 96% reduction

This is what 60 days of AI monitoring looks like at a company with roughly 30 people.

The numbers

We monitored AI usage across a single organisation with around 30 active users (27 of 38 browser extension instances active in the past 14 days) using Vireo Sentinel's browser extension over a 60-day period.

Here is what the data showed.

Volume: More than 3,700 prompts over 60 days. That works out to about 60 prompts per person per month, or around 3 per working day. Consistent, steady usage. Wednesdays were the busiest day. Activity peaked between 9am and 3pm and dropped to near zero on weekends.

Platforms: One platform dominated. Claude accounted for 92.8% of all prompts, with ChatGPT at 4.2%, Perplexity at 2.0%, and Gemini at 1.0%. This is a very different distribution from the consumer data, where ChatGPT holds roughly 60-80% market share depending on the measure. It suggests that workplace AI preferences can look very different from the headline statistics.

Risk detection: 38% of all interactions triggered an intervention, meaning the user was shown a risk warning before their prompt was submitted. 8% were flagged as high likelihood of containing sensitive content. That is more than 300 interactions over two months where someone was about to share something that probably should not have reached an AI platform.

What kind of data triggered warnings?

The risk categories break down like this:

  • Personal information: 758 instances (the most common by a wide margin)
  • Proprietary content: 393 instances
  • Credentials: 262 instances
  • Financial data: 234 instances
  • Medical information: 172 instances

Personal information was detected nearly twice as often as any other category. Credentials appearing 262 times is notable. These are instances where API keys, passwords, access tokens, or similar authentication data appeared in prompts. In an enterprise with centralised credential management, this might be caught by other controls. In a 30-person company, there are often fewer layers of protection.

The riskiest prompts are not where you would expect

Vireo Sentinel categorises prompts by the topic being worked on. The categories with the highest risk scores were not the highest-volume ones.

The highest-volume topics were general business queries, engineering, and technical work. But the highest risk scores belonged to prompts about industry-specific technical content, research and intelligence queries, and regulated topics like legal and financial content.

Content creation was the single most common usage pattern but only triggered interventions 19% of the time. Safety and compliance queries triggered interventions 43% of the time. Technical maintenance queries, 41%. Software development, 41%.

The pattern is clear. The riskiest AI usage is not where people spend the most time. It is in the specialist, domain-specific queries where proprietary or regulated information is most likely to appear.

What happened when people were warned?

This is the most telling part. When users received an intervention, almost every single one took action. Over 60 days, there were just 3 instances where a user did not engage with the intervention at all.

Of the responses:

  • 315 justified overrides where users provided a business reason to proceed. Of these, 53% cited "business justification" and 26% flagged the detection as a false positive.
  • 29 protective actions where users edited their prompt to remove sensitive data, cancelled the action entirely, or the system applied automatic redaction.

The intervention system reduced high-risk prompts from 295 to 12 post-intervention. That is a 96% reduction in high-risk data reaching AI platforms.

People are not trying to leak data. They just do not realise what they are sharing until something flags it. Give them information and a choice, and they almost always make the right call.
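As an added example, not code from Vireo Sentinel or from the article (which shows none), the following JavaScript models the two mechanisms described above: a pre-submission scan of a prompt for the article's risk categories (credentials such as API keys and passwords, personal information, financial and medical data), followed by the intervention outcomes it reports (justified override, editing or cancelling, and automatic redaction). The patterns, the severity thresholds, the policy of always redacting credentials, and the sample prompts are all constructed for illustration; a production detector would use far richer pattern sets and context checks.

```javascript
// Added example: pre-submission prompt scanning and intervention outcomes.
// Not Vireo Sentinel code. Patterns, thresholds and policy are assumptions.

// Detection rules keyed to the risk categories named in the article.
// Patterns are deliberately simple; real DLP uses many more and adds context.
const RISK_PATTERNS = [
  // credentials: AWS-style access key ids, bearer tokens, "password: ..." pairs
  { category: "credentials", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { category: "credentials", re: /\bBearer\s+[A-Za-z0-9._-]{20,}\b/g },
  { category: "credentials", re: /\b(?:password|passwd|pwd)\s*[:=]\s*\S+/gi },
  // personal information: e-mail addresses and international phone numbers
  { category: "personal", re: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g },
  { category: "personal", re: /\+\d{1,3}(?:[ -]?\d{2,4}){2,4}\b/g },
  // financial: 13-19 digit card-shaped numbers, confirmed with a Luhn check below
  { category: "financial", re: /\b\d(?:[ -]?\d){12,18}\b/g },
  // medical: a few keyword triggers
  { category: "medical", re: /\b(?:diagnos(?:is|ed)|prescription|patient record)\b/gi },
];

// Luhn checksum: filters out digit runs that merely look like card numbers.
function luhnValid(digits) {
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// Scan one prompt; returns every match with its category and position.
function scanPrompt(text) {
  const findings = [];
  for (const { category, re } of RISK_PATTERNS) {
    for (const m of text.matchAll(re)) {
      const value = m[0];
      if (category === "financial" && !luhnValid(value.replace(/[ -]/g, ""))) continue;
      findings.push({ category, value, index: m.index });
    }
  }
  return findings;
}

// Severity policy (assumed): credentials or financial data, or three or more
// findings of any kind, are "high"; anything else detected is "medium".
function riskLevel(findings) {
  if (findings.length === 0) return "none";
  const cats = new Set(findings.map((f) => f.category));
  if (cats.has("credentials") || cats.has("financial") || findings.length >= 3) return "high";
  return "medium";
}

// Replace each finding with a category tag, working from the end of the text
// so earlier indices stay valid (assumes findings do not overlap).
function redact(text, findings) {
  let out = text;
  for (const f of [...findings].sort((a, b) => b.index - a.index)) {
    out = out.slice(0, f.index) + `[REDACTED:${f.category}]` + out.slice(f.index + f.value.length);
  }
  return out;
}

// The intervention step. `choice` stands in for the user's response to the
// warning: "override" (needs a justification), "edit" or "cancel". Credentials
// are always auto-redacted before anything is sent (assumed policy).
function intervene(prompt, choice, justification = "") {
  const findings = scanPrompt(prompt);
  const level = riskLevel(findings);
  if (level === "none") return { outcome: "allowed", level, sent: prompt, findings };
  const creds = findings.filter((f) => f.category === "credentials");
  if (creds.length > 0) return { outcome: "auto-redacted", level, sent: redact(prompt, creds), findings };
  if (choice === "override") {
    if (!justification) return { outcome: "blocked-no-justification", level, sent: null, findings };
    return { outcome: "justified-override", level, sent: prompt, findings, justification };
  }
  if (choice === "edit") return { outcome: "edited", level, sent: redact(prompt, findings), findings };
  return { outcome: "cancelled", level, sent: null, findings };
}

// Constructed sample prompts (the AWS key is the public documentation example).
const SAMPLE_PROMPTS = [
  { text: "Write a LinkedIn post announcing our new office opening.", choice: "override" },
  { text: "Debug this: password: hunter2 and key AKIAIOSFODNN7EXAMPLE fail on login", choice: "override" },
  { text: "Draft a reply to jane.doe@example.com, phone +61 412 345 678, about her invoice.", choice: "edit" },
  { text: "Is card 4111 1111 1111 1111 valid for our refund run?", choice: "cancel" },
  { text: "Summarise the patient record: diagnosis was confirmed on Monday.", choice: "override",
    justification: "business justification: de-identified training material" },
];

// Run the samples and tally outcomes, as a monitoring dashboard would.
function runSamples(samples = SAMPLE_PROMPTS) {
  const results = samples.map((s) => intervene(s.text, s.choice, s.justification));
  const tally = {};
  for (const r of results) tally[r.outcome] = (tally[r.outcome] || 0) + 1;
  return { results, tally };
}

// The article's headline metric: high-risk prompts before intervention versus
// high-risk content that actually reached the platform afterwards.
function highRiskExposure(results) {
  const before = results.filter((r) => r.level === "high").length;
  const after = results.filter(
    (r) => r.level === "high" && r.sent !== null && riskLevel(scanPrompt(r.sent)) === "high",
  ).length;
  return { before, after };
}

const { results, tally } = runSamples();
console.log(tally, highRiskExposure(results));
```

On the five constructed prompts this yields one outcome of each kind and a high-risk exposure of 2 before intervention and 0 after, the same shape as the 295-to-12 figure above. The point of the design is the one the article makes: the user keeps the decision, the system only ensures that credentials never leave and that any override is recorded with a reason.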

Why this matters

The IBM 2025 Cost of a Data Breach Report found that shadow AI adds USD $670,000 to average breach costs. For a 30-person company, a breach of that magnitude could be existential.

Roughly 4 in 5 employees at small and medium businesses use AI tools they bring themselves (Microsoft Work Trend Index, 2024). About 77% of small businesses using AI have no written AI policy (Digital Applied Analysis, 2025). Reco found that companies with 11-50 employees face the highest shadow AI density of any company size, at 269 tools per 1,000 employees.

Our data adds something specific to that picture. In a real deployment, 38% of AI interactions contained content worth flagging. 8% were high risk. And a lightweight intervention system reduced high-risk exposure by 96%, not through blocking, but through visibility.

None of the major shadow AI reports provide this level of detail for smaller organisations. Cyberhaven's sample is enterprise. Harmonic monitors enterprise browser extensions. Cisco's AI Readiness Index explicitly excludes organisations under 500 employees.

What to do with this

Three practical steps based on what the data shows.

Find out what is happening first. You cannot write an AI policy if you do not know which tools your team uses or what data they share. Start with visibility.

Do not block. Inform and intervene. The near-total engagement rate in this data shows that people respond to information. They do not respond well to blanket bans. Sixty percent of employees say using unsanctioned tools is worth the security risk to work faster (BlackFog, 2026).

Focus governance on high-risk topics, not high-volume ones. Content creation was the most common usage but lowest risk. Domain-specific queries carried 2-3x the risk score despite lower volume. Prioritise governance where the sensitive data actually flows.

The EU AI Act takes full effect in August 2026. The Australian Privacy Act's automated decision-making transparency obligations commence in December 2026. The window to get visibility over AI usage is narrowing. The data shows it takes about a week to understand what is happening. It takes about two months to have evidence that governance is working.

This article draws on anonymised, aggregated data from a Vireo Sentinel deployment. No individual users, prompts, or organisations are identified. For the full research context, see our report: The State of Shadow AI in SMEs: 2026.
