The AI Tools Your DNS Can't See

CyberSight's new AI Usage Report sees what DNS misses: Locally installed AI clients, locally-hosted models, and the active time employees spend in each.

Shadow AI and the AI visibility gap

Ask most IT and security leaders which AI tools their employees use, and the honest answer is some version of "ChatGPT, and probably others." The "probably others" is the problem, and it's bigger than most teams realize.

The "AI visibility" tools on the market today are mostly DNS-based. They count queries to known AI domains and call that a report. That works fine for the AI tools that look like websites. It misses everything else: Locally installed AI applications running directly on the laptop, downloadable LLM clients, IDE plugins that run inference on-device, desktop AI assistants. These tools generate little to no recognizable DNS traffic. To a DNS-based visibility tool, they don't exist.

That gap matters because the local-AI category is growing fast. The same employees who installed unsanctioned SaaS a decade ago are now running models on their own machines, downloading clients, and stitching together workflows that bypass the network (and your security protocols) entirely.

And even the network-visible portion is climbing. Gen AI traffic on the DNSFilter network grew more than 6x in the past year, a 561% increase from roughly 432 million requests in April 2025 to over 2.86 billion in April 2026. That's only what we can see at the DNS layer. The full picture is larger.

Most organizations don't have a tool for any of this. The dedicated AI governance vendors that do exist are priced for the Fortune 500 and require a separate agent on every endpoint. Everyone else has been left to guess.

What's new in CyberSight

The new AI Usage Report inside CyberSight gives admins a purpose-built view of employee AI tool activity, built from telemetry the Roaming Client and browser extension already collect. No new agent. No new deployment. No new data collection.

When you open the report, you'll see:

• Detection of locally installed AI applications, including desktop clients (ChatGPT, Copilot) and locally-hosted model runtimes (Ollama, LM Studio). DNS-based visibility tools miss these entirely.
• Executive summary cards showing total AI tool activity across your organization, distinct tools detected, and active users over the selected period.
• Top AI applications by activity volume and active time spent, so you can see at a glance whether your environment is mostly ChatGPT, mostly Copilot, or quietly running a long list of tools you've never approved.
• User and device drilldown, so when a tool shows up that shouldn't be there, you can see exactly who's using it and on which device.
• CSV export for compliance reviews, board reporting, or handing a clean record to an auditor.

It's available now to all Pro and Enterprise CyberSight customers as part of the existing subscription.

Why this is more accurate than DNS-only reporting

Most "AI visibility" tools on the market today are really just DNS query counts with a new label. That sounds fine until you realize how noisy that data actually is. A meaningful share is browser prefetch, background tab activity, telemetry calls, and domains that resolve but are never actually visited.

CyberSight's browser extension captures actual URL and IP-level context, which means the AI Usage Report reflects what users actually opened, not what their browser happened to look up. For an audit, a compliance review, or a difficult conversation with an employee, that distinction matters.

More importantly, CyberSight sees AI applications that DNS-based tools cannot. A growing share of AI usage happens on locally installed clients and on locally-hosted model runtimes like Ollama and LM Studio, which run inference directly on the endpoint and generate no recognizable traffic. DNS-based visibility tools are blind to this category by design. CyberSight isn't, because the visibility comes from the endpoint itself, not the resolver.

CyberSight also measures active time spent on AI tools, not just how many times a domain was queried. For a security team trying to understand real usage patterns, "an employee spent four hours in ChatGPT this week" is a different signal than "ChatGPT resolved 40 times."

Why we built this and who it's for

We built the AI Usage Report to provide visibility. It does not inspect prompt contents, read what employees are typing into AI tools, or proxy AI traffic. This is a deliberate choice. CyberSight's job is to make behavior transparent, not to read over employees' shoulders.

For organizations that need to block specific AI tools, those policies live where they've always lived in DNSFilter, at the filtering layer. The AI Usage Report makes it easier to know which tools you'd want to set policy on in the first place.

We specifically built this for:

• IT admins who need to answer "what AI is running in our environment?" without standing up a new tool. The report is filterable by user, device, and time range, so the answer takes minutes instead of weeks.
• MSPs who want a clean, exportable artifact to share with clients.
• Security teams and CISOs preparing for board questions, AI governance committees, or insurance renewals. The CSV export gives you a defensible record of what was running, when, and on which endpoints.
• SMBs that have heard the phrase "shadow AI" in a webinar and want to know if it applies to them. The report answers that question the first day you open it.

Getting started

The AI Usage Report is available now for Pro and Enterprise customers. Just log in and click here to see it.

Not a customer yet? Try it for free today.