Skip to main content

AI Usage Dashboard

The AI Usage Dashboard gives administrators a live view of every generative-AI tool touched by your workforce -- ChatGPT, Claude, Copilot, in-house LLMs, and the long tail of "shadow" services that appear without anyone asking. It combines telemetry already collected by the browser extension (genai-guard) with a per-tenant catalog of AI applications you have explicitly sanctioned, blocked, or ignored.

Use it to answer four operational questions:

  1. Coverage -- where is AI traffic flowing in my org?
  2. Risk -- what data are users sending into AI tools?
  3. Discovery -- which new AI services have appeared since I last looked?
  4. People -- who are my heaviest AI users?

Accessing the Dashboard

Open the admin dashboard and choose AI Usage from the left navigation (between Events and Users). The page lives at /dashboard/ai-usage.

Role / PermissionWhat you can do
alerts:readView every panel on the dashboard
settings:updatePromote, block, unblock, or ignore AI domains

If the dashboard renders read-only, your account is missing settings:update. Ask a tenant administrator to grant it via Settings -> Users.

Taxonomy: Sanctioned, Unsanctioned, Shadow, Blocked

Every AI domain we see is placed into one of four states. This taxonomy drives every panel on the dashboard.

StateMeaningHow it appears
SanctionedExplicitly approved for use. Added to genaiApprovedSites so the extension does not warn or interrupt the user.Green badges in Top AI Apps; counted in Sanctioned coverage.
Unsanctioned (known)The domain is in our global AI catalog (a recognised AI app) but you have not approved it. The extension still applies your active enforcement mode.Orange segment in Sanctioned vs Shadow.
ShadowThe domain looks like AI traffic (heuristic match) but is not yet in any catalog. These appear in Shadow AI Discovery awaiting a decision.Red segment in Sanctioned vs Shadow; listed in the Discovery panel.
BlockedA hard navigation block. The extension prevents the page from loading -- regardless of the tenant's GenAI enforcement mode.Surfaced under the Blocked filter on the AI Catalog settings page.

sanctioned, blocked, and ignored are independent flags. A domain can be ignored (suppressed from Discovery) without being either sanctioned or blocked. A blocked domain is always blocked, even if it would otherwise be allowed under your enforcement mode.

Reading the Dashboard

The page is divided into four sections. The timeframe selector at the top (24h / 7d / 30d / 90d) applies to every panel except First-Seen AI Apps, which is always all-time.

Stat cards (top row)

Four high-level KPIs sit above the sections. Clicking a card opens a detail pane directly beneath it.

CardWhat it showsDetail pane
Total AI sessionsDistinct browser sessions on cataloged AI domainsTop AI apps for the window
Active AI usersDistinct users with at least one AI sessionTop users for the window
Sanctioned coveragePercentage of AI sessions on sanctioned domainsSanctioned / unsanctioned-known / shadow split
Open policy eventsWarned or blocked GenAI events in the windowThe most recent policy events

Coverage

  • AI Usage Volume -- daily sessions + active users as a stacked area chart. Click a date to drill into that day in the detail pane.
  • Sanctioned vs Shadow -- donut showing the three-way split (sanctioned / unsanctioned-known / shadow). Click any segment to filter Top AI Apps below.
  • Top AI Apps -- the busiest apps in the window. Each row has a green or amber dot (sanctioned vs not), a session count, and a per-row Block button.
  • AI Category Breakdown -- sessions and users grouped by AI category (chat, code assistant, image generation, etc.).

Risk

  • Files Uploaded to AI -- total file count, total MB, and a by-extension breakdown.
  • Sensitive Data Egress -- PII categories detected in pasted content (email, SSN, etc.) plus content-type breakdowns.
  • First-Seen AI Apps -- the first date each cataloged app was observed in your tenant. Useful for noticing brand-new apps that have just slipped in.
  • Recent AI Policy Events -- the most recent warned / blocked GenAI events. Each row has a checkbox; selecting one or more rows opens the bulk action bar with Block and Ignore buttons.

Discovery

  • Shadow AI Discovery -- domains that look like AI traffic but are not yet in any catalog. Each row offers three actions:
    • Promote -- adds the domain to your sanctioned list (genaiApprovedSites). The extension stops warning on it.
    • Block -- adds a hard navigation block.
    • Ignore -- removes the domain from Discovery without sanctioning or blocking it. Use this for one-off false positives. Selecting multiple rows opens the bulk action bar.

People

  • Top Users by AI Activity -- the heaviest AI users in the window, enriched with email and display name. Each row links to a per-user timeline. Opening a user timeline is audit-logged (see Audit trail).

Taking Action

All actions are confirmation-gated. A modal lists the affected domains and the action to take. Click Confirm to apply.

Promote a shadow domain to sanctioned

From Shadow AI Discovery, click Promote on a row (or select several rows and use the bulk action bar). The domain is appended to genaiApprovedSites in your tenant settings. The extension stops warning on it after the next policy sync.

Block an AI domain (hard block)

From Top AI Apps, Recent AI Policy Events, or Shadow AI Discovery, click Block. The confirmation modal lists every domain that will be blocked and the propagation window (see below).

Blocked domains are stored in a dedicated list (tenant_custom_ai_apps.blocked = true). The extension's GenAI guard checks this list at navigation time in every enforcement mode before any other branching -- explicit per-domain blocks always win.

Unblock a domain

Open Settings -> AI Catalog (the Manage AI catalog -> link in the dashboard header, or /dashboard/settings/ai-catalog). Filter by Blocked, then click Unblock on the row.

Ignore a shadow domain

From Shadow AI Discovery, click Ignore. The domain is suppressed from future Discovery results but stays in the catalog for analytics. It is neither blocked nor sanctioned. Use this for false positives -- e.g. a non-AI domain that happens to match the discovery heuristic.

Block Propagation Latency

Block actions take effect on extension instances as they next sync their policy payload. The default policy sync interval is 60 minutes. Worst-case latency is therefore up to one sync interval after you confirm the block.

If you tune policySyncInterval lower in your extension managed configuration, propagation is proportionally faster; tuning it higher slows propagation. The Block confirmation modal displays the active window so you can calibrate incident-response expectations.

For immediate enforcement (e.g. an active phishing campaign that abuses a chatbot host), pair the dashboard Block with an upstream DNS or firewall rule that you control directly.

AI Catalog Settings Page

/dashboard/settings/ai-catalog is the persistent view of every catalog entry that affects your tenant. It is useful when you need to audit the current state rather than the live activity feed.

  • Filter chips at the top: All, Sanctioned, Blocked, Ignored, each with a count.
  • Sanctioned, blocked, and ignored are independent -- a row can be sanctioned and ignored, etc.
  • Per-row Unblock action on the Blocked filter.
  • Use this page when you want to revert an earlier block or clean up stale ignores.

Audit trail

Every promote, block, unblock, and ignore action is recorded with:

  • The actor (admin user id)
  • The actor's IP and user-agent
  • The request id
  • The domains affected
  • The action verb (promote, block, unblock, ignore)

Opening a per-user activity timeline is similarly audit-logged so you have an after-the-fact record of who looked at which user's AI history. These records live in ai_app_promotion_log and ai_usage_view_log in PostgreSQL and are available via the standard tenant audit-log export.

Common Questions

Why does Sanctioned coverage drop after I block a domain? Blocking a domain prevents new sessions but does not retroactively change historical counts. If the blocked domain was sanctioned in the past, the historical sanctioned share is still computed from the raw data; only future windows will reflect the block.

A domain shows up in Shadow AI Discovery but it is not an AI tool. Click Ignore on the row. The heuristic looks for AI-like patterns (model selectors, prompt boxes, streaming responses) and occasionally surfaces false positives. Ignoring suppresses the domain from future Discovery without affecting other detection.

Can I promote a domain without giving it any other treatment? Yes. Promote only sets sanctioned = true and appends the domain to genaiApprovedSites. It does not block, ignore, or change enforcement mode.

Where do per-app domains come from? Each catalog app maps to one or more domains (e.g. chat.openai.com, chatgpt.com). When you block an app from Top AI Apps, every domain in that mapping is blocked. The confirmation modal lists every domain that will be affected so there is no ambiguity.

Does blocking a domain stop API access from non-browser clients? No. The dashboard's block is a browser extension hard block. It does not affect server-to-server API traffic or native applications. For tenant-wide enforcement use a network-layer control.

  • Security Policies -- the per-group warn/block policy system that the GenAI guard layers on top of
  • Threat Intelligence -- domain reputation signals that feed into AI-related detections
  • Admin API -- the underlying /api/v1/admin/ai-usage/* and /api/v1/admin/settings/ai-catalog/* routes if you want to automate catalog management