← ALL POSTS

We Watched 5 Laptops for 5 Days. Leadership Had Estimated Zero AI Usage.

Field notes from a real deployment: a 30-person company, five work devices, and 2,888 AI requests that nobody in the leadership meeting saw coming.

Before we switched anything on, we asked the leadership team a simple question: how much AI do your people use at work?

The answer was quick and confident. "We don't really have AI usage here."

Fair enough. It's a 30-person services company. No engineering org, no data science team, nobody whose job title has the word "prompt" in it. If you were going to bet on a company having no AI traffic, this would be the one.

We put Themisto on five work devices and let it run.

Five days later

2,888 AI requests. From five laptops. In five days.

Not one of them went to an approved tool, because there was no approved list. Two vendors showed up in the traffic, and both were consumer products running in a browser tab, signed into who knows whose account.

And here's the detail that made the room go quiet: one device produced 77% of all of it. One seat. Nobody in the meeting guessed which one, and the guesses they did make were wrong.

We published the anonymized version of this report here if you want to see the full breakdown, day by day and device by device.

Why smart leaders get this so wrong

Nobody was lying in that meeting. That's the uncomfortable part.

Leadership sees what surfaces: the tools in the budget, the software requests in the IT queue, the vendors in the security review. Consumer AI surfaces through none of those channels. It's a browser tab. It costs nothing. It never files a ticket. A KPMG global study found that 57% of employees who use AI at work hide it from their employer, and honestly, "hide" is generous. Most of them just never thought it was worth mentioning.

So the org chart says zero and the network says 2,888, and both are telling the truth about what they can see.

The gap is the risk

The problem was never that employees use AI. Some of that usage was probably making them faster. The problem is that every one of those 2,888 requests was a judgment call made alone, by one person, in the moment, about what company and client information was fine to paste into a consumer chatbot.

Some of those calls were fine. Statistically, some weren't. Cyberhaven's research puts sensitive content at roughly a quarter of everything employees feed into AI tools. Nobody at this company could say which quarter, because until that week, nobody could see any of it.

That's the actual state of AI governance at most small and mid-size companies right now: a policy that doesn't exist, enforced by nobody, over traffic that leadership sincerely believes isn't happening.

What to do with this

If you take one thing from this post, take the method, not the moral. Don't argue about estimates in a meeting. Measure. Five devices and five days was enough to replace a belief with a number, and the number changed the whole conversation.

We run that exact measurement as a free 7 day audit. Up to ten machines, no workflow changes, full report at the end. If your number really is zero, you'll have the receipt. So far, nobody's number has been zero.

THEMISTO LABS

See it. Control it. Protect it.

If anything in this post resonated, tell us what you're seeing. A founder reads every request and reaches out personally within 24 hours.

REQUEST ACCESS →