AI Usage Dashboard
The AI Usage dashboard gives you organization-wide visibility into which AI tools your employees actually use — sanctioned assistants, recognized-but-unapproved services, and brand-new "shadow" AI domains nobody has reviewed yet. It answers the questions security teams get asked first when AI adoption accelerates: what are people using, how much, who are the heaviest users, and what data is flowing out?
The dashboard is populated by the same browser extension that provides your credential and phishing protection, so there is nothing extra to deploy. Usage volume is always collected; the deeper risk panels (file uploads, sensitive-data detection, policy events) are populated when GenAI protection is enabled — see GenAI Governance.
[SCREENSHOT PLACEHOLDER: Full AI Usage dashboard at /dashboard/ai-usage showing the four stat cards, the AI Usage Volume chart, and the Sanctioned vs Shadow donut, with the "GenAI protection on" chip visible next to the page title]
How it works
Every AI-related page visit observed by the extension is classified against two catalogs:
- A global catalog of known AI applications (ChatGPT, Claude, Gemini, Copilot, and hundreds more), each with a vendor, category, and default risk level.
- Your tenant catalog of decisions — which apps you have Sanctioned, Blocked, or Ignored. You manage this on the AI Catalog settings page (see GenAI Governance).
Traffic that matches neither catalog but looks like an AI service (heuristic match on the domain) lands in Shadow AI Discovery for your review. Every domain therefore sits in one of three buckets on the dashboard:
| Bucket | Meaning |
|---|---|
| Sanctioned | Explicitly approved. The extension does not warn users on these sites. |
| Unsanctioned (known) | A recognized AI app you have not approved. Your GenAI enforcement settings apply. |
| Shadow | Heuristic match, not yet cataloged. Awaiting an admin decision. |
Usage volume data is retained for 180 days; policy events are retained for 90 days.
Using the page
Open AI Usage from the left navigation. The header shows:
- A GenAI protection status chip. GenAI protection on (green) means content inspection is active. GenAI protection off (amber, with an Enable link) means the risk panels are not being fed — click it to open the GenAI settings page.
- A Manage AI catalog link to the AI Catalog settings page.
- A timeframe selector: Last 24h, Last 7 days, Last 30 days, Last 90 days. It applies to every panel except First-Seen AI Apps.
Stat cards
Four clickable cards summarize the window. Clicking a card opens a detail pane beneath it.
| Card | Shows |
|---|---|
| Total AI sessions | Browser sessions on cataloged AI domains |
| Active AI users | Distinct users with at least one AI session |
| Sanctioned coverage | Percentage of AI sessions on sanctioned domains |
| Open policy events | Warned or blocked GenAI events in the window |
Coverage section
- AI Usage Volume — daily Sessions and Active users as an area chart.
- Sanctioned vs Shadow — the three-way split. Click Sanctioned, Unsanctioned (known), or Shadow to filter the Top AI Apps panel; click Clear filter to reset.
- Top AI Apps — the busiest apps, each with a sanctioned/unsanctioned indicator, category, session count, and a per-row Block button. Click an app name to open its drill-down page (below).
- AI Category Breakdown — sessions grouped by category (chat, code assistant, image generation, and so on).
Risk section
- Files Uploaded to AI — file count, total megabytes, and how many file extensions were involved.
- Sensitive Data Egress — counts of sensitive-data categories (email addresses, SSNs, credit cards, API keys, and so on) detected in content sent to AI tools.
- First-Seen AI Apps — when each cataloged app first appeared in your organization. Apps first seen today are highlighted.
- Recent AI Policy Events — a table of warned/blocked/logged GenAI events with When, User, App, Type, and Action columns. Each row has a checkbox and a Block button; selecting rows opens a bulk action bar with Promote, Block, and Ignore.
[SCREENSHOT PLACEHOLDER: The Risk section with the Sensitive Data Egress panel showing detected PII categories and the Recent AI Policy Events table with a "blocked" and a "warned" badge visible]
Discovery section
Shadow AI Discovery lists AI-looking domains that are not yet in any catalog, with the matched token, distinct user count, visit count, and first-seen date. Each row offers:
- Promote — mark the domain sanctioned. Users stop seeing warnings on it.
- Ignore — remove it from Discovery without sanctioning or blocking (use for false positives).
- Block — hard-block navigation to the domain in every enforcement mode.
Every action opens a confirmation dialog listing the exact domains affected before anything changes:
| Dialog | What it tells you |
|---|---|
| Block AI domain(s)? | Extensions will refuse navigation to the listed domains in every enforcement mode after the next policy sync; users see the standard block overlay; you can unblock from Settings > AI Catalog |
| Promote to sanctioned? | The domains are added to the sanctioned list and users can use them without warnings |
| Ignore from discovery? | The domains stop appearing in Shadow AI Discovery but are not blocked — users can still visit them |
| Remove block? | Extensions allow navigation again after the next policy sync |
Bulk selection works the same way in both Shadow AI Discovery and Recent AI Policy Events: tick the checkboxes, then use Promote, Block, or Ignore from the action bar that appears. Selections on the policy-events table collapse to their unique domains before the action runs.
[SCREENSHOT PLACEHOLDER: The Shadow AI Discovery panel with two rows selected and the bulk action bar showing Promote, Block, and Ignore buttons, plus the "Block AI domain(s)?" confirmation dialog]
People section
Top Users by AI Activity ranks users by Sessions, Apps touched, and Sensitive hits (sensitive-data detections attributed to them). Each row links to that user's detail page for investigation.
Per-app drill-down
Click any app in Top AI Apps to open its dedicated page at /dashboard/ai-usage/apps/<app>. It shows:
- The app name with a Sanctioned or Unsanctioned pill, plus vendor, category, and default risk level.
- Sessions, Visits, and Unique users for the selected timeframe.
- Domains — every domain registered to this app in the catalog.
- Catalog — the app's key, vendor, category, and default risk.
- Recent policy events scoped to this app, with Time, User, Site, Content, and Action columns.
Use Back to AI Usage to return to the dashboard.
[SCREENSHOT PLACEHOLDER: A per-app drill-down page for a popular chat assistant showing the Sanctioned pill, the Sessions/Visits/Unique users tiles, and the Domains list]
Configuration
The dashboard itself needs no configuration, but three things determine what it shows:
- GenAI protection (Settings, GenAI Protection) — must be on for file-upload, sensitive-data, and policy-event panels to populate. See GenAI Governance.
- Your AI catalog decisions — Promote/Block/Ignore actions taken here or on the AI Catalog settings page.
- Policy sync interval — Block and Promote decisions reach extensions on their next policy sync (60 minutes by default; tunable via the
policySyncIntervalmanaged setting). The confirmation dialog reminds you of this window.
Roles and permissions, panel-by-panel reference detail, and block-propagation guidance are covered in the platform guide: AI Usage Dashboard configuration.
Worked example: triaging a new shadow AI tool
- Monday morning, Shadow AI Discovery shows
chatpdf-helper.example— 14 users, 210 visits, first seen three days ago. - Click the row's checkbox and review: the matched token and visit pattern suggest a real AI document tool, not a false positive.
- Your policy is that document-upload AI tools require review. Click Block. The confirmation dialog lists the domain and notes that extensions enforce the block after their next policy sync (default 60 minutes).
- A week later the vendor passes security review. Open Settings, then AI Catalog (or use the Manage AI catalog link), filter by Blocked, and click Unblock. Then Promote it so users stop seeing warnings.
- Check Sanctioned coverage on the dashboard — it should tick upward as usage shifts to the now-sanctioned tool.
Troubleshooting
The Risk panels are empty but I know people use AI tools. Check the header chip. If it reads GenAI protection off, content inspection is disabled and file uploads, sensitive-data detections, and policy events are not recorded. Click Enable to open the settings page. If the chip reads GenAI protection: status unavailable, the settings could not be loaded — reload the page or check your account's permissions.
I blocked a domain but users can still reach it. Blocks propagate on the extension's next policy sync (default 60 minutes). For an active incident, pair the block with a DNS or firewall rule you control directly.
A shadow domain is not actually an AI tool. Use Ignore. The domain disappears from Discovery without being blocked or sanctioned, and users are unaffected.
An app I expect is missing from Top AI Apps. The panel shows the most-used apps in the selected window. Widen the timeframe, or open the app's drill-down page directly if you know it — the drill-down states explicitly when an app had no recorded activity in the window.
Clicking the Shadow segment empties the Top AI Apps panel. That is expected: shadow domains are not cataloged apps, so they have no entry in Top AI Apps. The panel offers a Jump to Shadow AI Discovery shortcut instead — that is where shadow domains live until you promote, block, or ignore them.
Sanctioned coverage seems low even though our approved tools dominate. Coverage is the share of AI sessions on sanctioned domains, not the share of apps. A handful of users hammering one unsanctioned tool can outweigh many light users of sanctioned ones. Click the Sanctioned coverage card to see the split, then use the Unsanctioned (known) filter to find which apps to review next.
How far back can I look? The timeframe selector goes back 90 days. Underlying volume data is kept for 180 days and policy events for 90 days, so the widest window always has complete data.