July 3, 2025

Want to get GenAI right? Start with how your people use it

Your colleagues are using GenAI right now—but probably not in the way your IT team intended. From data leaks to app overload, organizations are learning that enabling GenAI isn’t just about buying a license—it’s about rethinking policy, trust, and productivity. Here’s what we’ve learned.

Understanding GenAI Usage in Organizations: A Framework

Before we dive into the statistics, it's helpful to establish a framework as a backdrop. At NROC Security, we categorize GenAI usage in organizations into three key buckets:

  1. Personal Productivity
    This refers to individual employees using GenAI tools to enhance their personal work efficiency—for example, drafting emails, summarizing documents, or generating ideas (and improving readability of this blog posting)
  2. Business Process Productivity
    Here, AI is embedded into workflows—often via SaaS platforms—to improve operational efficiency. Think of AI-powered automation in customer support or CRM assistant.
  3. Strategic AI
    Strategic AI involves organization-wide initiatives where AI is used to gain competitive advantage. This could include proprietary model development, custom agent deployment, or integrating AI deeply into core products and services. This is typically where companies allocate their AI resources.

The Rise of Personal Productivity Use

Of these categories, we’re seeing the biggest momentum right now in personal productivity. Many enterprises are still navigating the early stages of enabling access to GenAI applications for their employees.

As recently as late 2024, the prevailing assumption in many companies was that a single, standardized AI tool would meet everyone’s needs. Organizations often chose one GenAI app—either hosted internally or via an enterprise license—and expected and hoped employees to work within those constraints.

But that thinking is shifting. Narrowly focused apps are emerging with greater accuracy and fewer compliance issues, making them more suitable for specific use cases. Meanwhile, business users continue to invent new GenAI use cases daily—use cases they can’t yet fully define, let alone standardize across a large workforce.

The Data Privacy Barrier

Adoption, however, is not without friction. One major roadblock are still concerns about data leakage. And rightly so—our analysis at NROC Security shows that 37 out of every 100 prompts include personally identifiable information (PII).

Most corporate Acceptable Use Policies (AUPs) prohibit entering PII into public LLMs and require users to stick to vetted apps. This, unfortunately, means someone has to manually approve each app—an administrative burden that slows down innovation. And, as users are not accepting slowing down the innovation they go around the rules and guidance.

As a result, 69% of GenAI chatbot usage still happens via free or personal accounts—not enterprise ones. This is despite the fact that corporate versions often come with privacy assurances like “no prompt data is used for training.”

One interpretation? Users are choosing the right tool for the job, regardless of corporate policy. If a purpose-built AI app provides superior results, it’s hard to argue with the logic of using it—even unofficially.

A Long Road to Skill and Scale

Despite the buzz, only 5% of business users actively use GenAI frequently, and even fewer have developed advanced skills (often referred to as "superprompters"). These power users quietly gain value and get work done quickly, but they rarely broadcast how they do it—making them difficult to identify or replicate across the org.

So while companies are rushing to embed AI into their products and processes, the vast majority of everyday business users are still figuring out how to engage meaningfully with GenAI. Skills are undeveloped, processes are immature, and scale is elusive.

How NROC Security Can Help

NROC Security provides visibility, guardrails and compliance with a unique advantage - we have no endpoint plugins or agents required. That means we can deliver full organizational visibility and insights in just 4 days—not 4 months or more.

Want to know more? Visit our solution page to see how we’re helping enterprises enable GenAI safely and efficiently. In case you are wondering how the enforcement of the GenAI acceptable use policy should be done, you can download our enforcement standard - template.

Get insights on boosting GenAI app adoption safely

Subscribe to NROC security blog

CISO
Governance
Productivity
User behavior risks

AI policy is done, how to go about enforcing it?

Before diving into the how of security and governance tooling, you must first understand the what of enforcement. Evaluating tools based solely on their technical features and implementation details won’t deliver meaningful results. Success in GenAI governance starts with clearly defining what needs to be enforced—only then can you determine how to do it effectively.

User behavior risks
Visibility
Governance
CISO
Productivity

CISO Guide to Securing Employee Use of GenAI

Best Practices for Securing Public GenAI Apps and LLM Apps in the Enterprise

Guardrails
Supported GenAI App

Tricks and treats - privacy and data protection terms of popular GenAI services

It is very positive that the big GenAI vendors, like OpenAI, Microsoft and others, have been granting more transparency into how they treat the content they collect from their end users. It’s only reasonable that you know where your prompt may end up. Will it be used to train the model, or will it even show up in an AI generated response to somebody else?

Guardrails
Productivity
Supported GenAI App
User behavior risks

NROC Security releases support for Grok

Grok3 by xAI was launched on 17 February 2025 and is now supported by NROC Security

Safely allow more GenAI at work and drive continuous learning and change