Top 100 AI Apps Used in Enterprises (Categorized)
- This is a curated, categorized reference of roughly one hundred real, well-known AI applications that show up across enterprises today, grouped by what they do rather than ranked by adoption.
- The point is discovery: security teams cannot govern AI tools they have never enumerated, and the vast majority of these apps arrive bottom-up without a ticket, a review, or a contract.
- Categories span general assistants, AI coding tools, writing and productivity, meeting notetakers, search and research, image and video generation, agent builders, and MCP-based clients.
- Every category carries a distinct primary data-exposure risk, from pasted source code and customer data to broad OAuth grants and page content sent to third parties.
- This reference deliberately avoids invented adoption numbers or market-share figures; it names real products so you know what to look for, not how many people use them.
- Use it as a starting checklist for an AI app inventory, then discover what is actually running on your endpoints rather than guessing from a list.
Ask a CISO to name the AI tools running inside their organization and you will usually get a short list: ChatGPT, maybe Copilot, maybe Gemini. Ask their engineers, sales team, marketers, and analysts, and the real list runs into the dozens. AI applications have spread through the enterprise the way SaaS did a decade ago, only faster and with far less friction - a browser tab and a personal login is often all it takes. This guide is a categorized reference to the AI apps you are most likely to find, grouped by what they do, so you know what to look for when you go looking.
A note on scope up front. This is a discovery reference, not a leaderboard. We name real, well-known products so you can recognize them, and we deliberately avoid attaching adoption percentages, install counts, or market-share figures, because trustworthy enterprise-wide numbers for shadow AI usage are not something we can cite honestly. Treat every category below as a checklist of things to look for, and the primary risk column as the reason each one matters to a security team. For the wider problem this list is part of, start with what is shadow AI.
Why enumerating AI apps is a security task, not an IT curiosity
Every AI app on this list shares one property: to be useful, it has to receive work context. A chat assistant needs your prompt, a coding agent needs your code, a notetaker needs your meeting audio, a research tool needs your query. That context is exactly the sensitive material a security program exists to protect - source code, customer data, contracts, roadmaps, credentials. When an app is adopted bottom-up on a personal account, none of that flow is visible to IT, DLP, or procurement. The app is a data-egress channel that no one signed off on.
The agentic tools raise the stakes further. A general assistant reads and responds; an AI agent or coding tool can act - run shell commands, edit files, call APIs, and reach across a network. That shifts the risk from data disclosure alone to unintended action. Enumerating what is in use is therefore the first control, not a housekeeping exercise. You cannot write an acceptable-use policy, tune a DLP rule, or apply least privilege to tools you have never listed. See how to build an AI agent inventory for the practical method.
The categories at a glance (and their primary risk)
The single most useful lens on AI apps is not the vendor but the function, because function predicts the data that flows and therefore the risk. The table below maps each major category to representative real products and the primary data-exposure risk that category tends to carry.
| Category | Example apps (real names) | Primary data-exposure risk |
|---|---|---|
| General assistants / chatbots | ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, Meta AI, Grok, Mistral Le Chat, DeepSeek | Employees paste source code, customer data, and internal documents into the prompt; content may be retained or used for training depending on plan and settings. |
| AI coding tools / IDEs | GitHub Copilot, Cursor, Claude Code, OpenAI Codex, Windsurf, Cline, Tabnine, Amazon Q Developer, Replit, Aider, Sourcegraph Cody, JetBrains AI Assistant | Whole repositories, secrets in code, and internal APIs are sent to a model; agentic modes can run commands and edit files with the developer's permissions. |
| Writing & productivity | Grammarly, Notion AI, Jasper, Writer, Copy.ai, QuillBot, Wordtune, Sudowrite | Draft documents, emails, and strategy text pass through a third party; browser-based helpers can read on-page content across sites. |
| Meeting notetakers / transcription | Otter.ai, Fathom, Fireflies.ai, Read AI, Avoma, tl;dv, Granola, Zoom AI Companion, Gong | Full recordings and transcripts of internal and customer meetings are stored externally; bots auto-join calls they were never explicitly approved for. |
| Search & research | Perplexity, You.com, Glean, Elicit, Consensus, Exa | Queries reveal internal projects and intent; enterprise search connectors can index sensitive corpora and surface them broadly. |
| Image & video generation | Midjourney, DALL-E, Adobe Firefly, Stable Diffusion, Ideogram, Runway, Sora, Synthesia, HeyGen, Descript, ElevenLabs | Uploaded brand assets, faces, voices, and unreleased material leave the org; provenance and rights of generated media are unclear. |
| Customer support agents | Intercom Fin, Sierra, Decagon, Ada, Salesforce Agentforce, Zendesk AI | Customer PII and ticket history feed the model; autonomous responses can act on accounts without review. |
| Agent builders / orchestration | LangChain, LangGraph, LlamaIndex, CrewAI, AutoGen, n8n, Zapier, Make, Flowise, Dify, Relevance AI, Lindy | Workflows wire data sources, credentials, and tools together, often with broad standing access and little review. |
| Model platforms / API providers | OpenAI API, Anthropic API, Azure OpenAI, Google Vertex AI, AWS Bedrock, Hugging Face, Together AI, Groq, OpenRouter | API keys become long-lived, over-scoped credentials; usage bypasses the app-layer controls entirely. |
| MCP-based clients & tools | Claude Desktop, Cursor, VS Code, Cline, Goose, Windsurf | MCP connectors expose files, databases, and internal tools to an agent; a single connector can widen an agent's reach dramatically. |
A closer look at the categories
General-purpose assistants and chatbots
This is the category everyone knows and the one most people mean by AI. ChatGPT, Claude, Gemini, and Microsoft Copilot anchor it, alongside Perplexity, Meta AI, Grok, Mistral Le Chat, and DeepSeek. They are used for drafting, summarizing, analysis, coding help, and answering questions. The dominant risk is simple and pervasive: people paste whatever they are working on into the box. That includes proprietary code, customer records, unreleased financials, and legal text. Whether that content is retained or used to improve models depends on the specific plan, workspace settings, and account type, which is exactly why usage on personal accounts is so hard to reason about. We break this down in shadow AI data exposure: what employees paste.
AI coding tools and IDEs
The fastest-moving category. GitHub Copilot, Cursor, Claude Code, OpenAI Codex, Windsurf, Cline, Tabnine, Amazon Q Developer, Replit, Aider, Sourcegraph Cody, and JetBrains AI Assistant all put a model inside the developer's workflow. In their newer agentic modes, these tools do not just suggest code - they read whole repositories, run commands, edit files, and call tools with the developer's own permissions. That makes them both a data-egress channel (code and secrets sent to a model) and an action surface (an agent that can change your environment). For hardening this specific class, see securing AI coding agents and CLIs.
Writing, productivity, and knowledge
Grammarly, Notion AI, Jasper, Writer, Copy.ai, QuillBot, and Wordtune live where employees already write. Several of them ship as browser extensions or integrations that can read on-page content across many sites, which broadens the exposure well beyond a single document. Because they feel like features rather than AI apps, they are easy to overlook in an inventory. The browser-based ones deserve particular scrutiny; we cover that surface in the most common AI browser extensions and browser AI security risks and controls.
Meeting notetakers and transcription
Otter.ai, Fathom, Fireflies.ai, Read AI, Avoma, tl;dv, Granola, Zoom AI Companion, and Gong record, transcribe, and summarize meetings. The risk here is uniquely sticky: they create a durable external store of your most sensitive conversations - strategy calls, customer negotiations, HR discussions - and their auto-join bots frequently appear in meetings no one formally approved. A single connected notetaker can quietly accumulate a searchable archive of everything the organization says out loud.
Search, research, image, video, and voice
Search and research tools like Perplexity, You.com, Glean, Elicit, and Consensus turn queries into answers, but the queries themselves leak intent, and enterprise-search connectors can index sensitive corpora. Generative media tools - Midjourney, DALL-E, Adobe Firefly, Runway, Sora, Synthesia, HeyGen, Descript, and ElevenLabs for voice - take uploaded brand assets, faces, and unreleased material outside the org, and raise provenance and rights questions for anything they produce. None of these are inherently unsafe, but each is a place where data crosses a boundary you may not be watching.
Agents, orchestration, model platforms, and MCP
This is where the app layer turns into the agent layer. Agent builders and orchestration tools - LangChain, LangGraph, LlamaIndex, CrewAI, AutoGen, n8n, Zapier, Make, Flowise, Dify, Relevance AI, and Lindy - wire data sources, credentials, and tools into autonomous workflows, often with broad standing access. Model platforms like the OpenAI, Anthropic, Azure OpenAI, Vertex AI, and Bedrock APIs, plus aggregators like Hugging Face, Together AI, Groq, and OpenRouter, sit underneath all of it and are reached with API keys that tend to become long-lived, over-scoped credentials. And the growing set of MCP clients - Claude Desktop, Cursor, VS Code, Cline, Goose, Windsurf - connect agents to files, databases, and internal tools through the Model Context Protocol, where a single connector can dramatically widen an agent's reach. For that layer, see model context protocol (MCP) security explained and how to build an MCP server registry.
From a list to a live inventory
A categorized list is a good map, but it is still a map. The gap between the apps you know about and the apps actually installed is where shadow AI lives, and it is usually much wider than teams expect - a coding extension a developer added last month, a notetaker bot on a personal account, an MCP connector wired into a side project. The only reliable way to close that gap is to observe what is really present on your endpoints rather than infer it from a reference. Detection approaches, from network telemetry to endpoint discovery, are compared in shadow AI detection techniques and best practices.
Once you have a real inventory, the work is to classify by risk and apply proportionate controls rather than reach for a blanket ban - which mostly drives usage onto personal devices where you see nothing. Approved tiers, clear data-handling rules, least privilege for the agentic tools, and runtime governance for the ones that can take actions are the durable pattern. The buyer-side view of tooling for this is in AI discovery: the enterprise buyer's guide.
How Anomity turns this reference into verified reality
Anomity's category is agentic endpoint security, built on a single principle: you can't govern what you can't see. A lightweight, unprivileged Endpoint Sensor runs on every managed endpoint across Windows, macOS, and Linux and discovers eight AI artifact types - AI agents, MCP servers, extensions, plugins, skills, secrets, hooks, and CLIs. Rather than asking you to trust a list, it surfaces which of these AI apps and their underlying components are actually installed on each machine, who added them, and what they can reach.
The sensor sends metadata only over HTTPS to the Anomity Cloud - never source code, never prompts, with secrets redacted on the endpoint. On agents that expose a hook, Anomity evaluates each tool call before it runs and returns allow, deny, or log, so an agentic coding tool or orchestration workflow is governed at the moment of action, not just catalogued. Every AI artifact added, removed, or modified lands in a queryable 90-day audit trail, and violations route to your SIEM, Slack, email, and Jira. Anomity is SOC 2 Type II and complements your existing EDR/XDR, DLP, network and gateway controls, and GRC program by adding the artifact-layer visibility they were never built to provide.
You can't govern what you can't see.The Anomity principle
The bottom line
The universe of enterprise AI apps is large, fast-moving, and mostly adopted without anyone asking - which is precisely why a categorized reference like this is a starting point, not an endpoint. Recognize the categories, understand the primary data-exposure risk each one carries, and use the real product names here as a checklist. Then move from the map to the territory: discover what is genuinely running across your fleet, classify it by risk, and govern the agentic tools where their actions happen. To see your own AI app footprint discovered and inventoried in practice, book a 30-minute demo.
Frequently asked questions
What counts as an enterprise AI app?
Any application whose core function is powered by generative AI or an autonomous agent, used by employees or developers for work. That includes obvious chat assistants like ChatGPT and Claude, but also coding tools like Cursor and GitHub Copilot, meeting notetakers like Otter and Fathom, writing helpers like Grammarly, and the agent builders and MCP clients that stitch these together. The common thread is that they send work context - prompts, documents, code, or transcripts - to an external model.
Is this a ranked list of the most popular AI apps?
No. It is a categorized reference of real, widely known AI applications, organized by function so you can recognize what to look for across your organization. We deliberately do not attach adoption percentages, install counts, or market-share numbers, because reliable enterprise-wide figures for shadow AI usage are not something we can cite honestly. Treat the list as a discovery checklist, not a popularity chart.
Why do security teams need to know which AI apps are in use?
Because you cannot govern what you cannot see. Most AI apps enter through a side door - a browser tab, a personal login, an IDE extension - and never touch procurement or IT. Each one is a potential channel for sensitive data to leave the organization or for an untrusted model to influence a workflow. Knowing what is actually in use is the prerequisite for any policy, DLP rule, or access control to mean anything. See what is shadow AI.
What is the biggest data-exposure risk across these apps?
Pasted and uploaded content. Employees routinely paste source code, customer records, contracts, and internal documents into general assistants, and developers point coding agents at entire repositories. That content leaves your control the moment it is submitted, and it may be retained or used for training depending on the plan and settings. We cover the mechanics in shadow AI data exposure: what employees paste.
How is an AI app different from an AI agent or MCP server?
An AI app is the product an employee interacts with. An AI agent is an autonomous system that can take actions - call tools, run code, browse - often built on top of a model API. An MCP server is a connector that exposes tools and data to an agent through the Model Context Protocol. Many modern AI apps are really agents with MCP connectors underneath, which is why a full inventory has to reach past the app name to what it can actually access. See how to build an AI agent inventory.
How does Anomity help with AI app discovery?
Anomity runs a lightweight, unprivileged Endpoint Sensor on every managed endpoint (Windows, macOS, and Linux) that discovers and inventories eight AI artifact types: AI agents, MCP servers, extensions, plugins, skills, secrets, hooks, and CLIs. Instead of trusting a static list, it surfaces what is actually installed and running on each machine, who put it there, and what it can reach. Metadata only is sent over HTTPS to the Anomity Cloud - never source code, never prompts, with secrets redacted on the endpoint - and every change lands in a queryable 90-day audit trail. That turns a reference list like this one into a live, verified inventory.
Should we block all of these apps?
Almost never, and blocking is usually the wrong first move. Most of these tools deliver real productivity, and blanket bans push usage further underground onto personal devices and accounts where you have zero visibility. The better path is discover first, then classify by risk, then apply proportionate controls - approved tiers, data-handling rules, and runtime governance for the agentic ones. See AI discovery: enterprise buyer's guide and shadow AI detection techniques.




