Shadow AI Discovery

Find every AI tool your people are using, before someone else does

You Can’t Govern What You Can’t See

Most organisations have less visibility of their AI usage than they think. AI adoption has been bottom-up, employee-driven and largely invisible to IT teams. The result is a growing gap between what’s actually in use and what’s been sanctioned.

Shadow AI Discovery closes that gap. We give you a structured, evidence-led inventory of every AI tool in use across your organisation - sanctioned or not - so you can manage AI risk against the real picture, not the one you’d like to believe.

What’s In Scope

A Shadow AI Discovery looks at four data sources in combination:

  • Network traffic: outbound connections to known AI service providers, surfaced from firewall, proxy and SIEM data.
  • Browser and endpoint telemetry: what employees actually open, drawn from browser history, application logs and EDR signals.
  • Anonymous staff survey: structured, no-blame survey across functions to catch the tools that don’t leave clear technical traces.
  • Public exposure check: corporate accounts on AI platforms, cross-referenced against your asset inventory.

The output is a single, risk-rated inventory you can take into the next board conversation, the next ISO 42001 scoping session or the next regulator enquiry.

How It Connects to Your Wider Programme

Shadow AI Discovery is the first step in the AI assurance journey. It gives you the inventory; an AI Security Gap Analysis assesses the risks; an AI Security Programme helps you manage them over time. For organisations pursuing certification, ISO 42001 Implementation builds the management system on top of the inventory you now have.

What's Included

Network Traffic Analysis

Review outbound traffic against the public AI service inventory to surface every AI tool reachable from your network.

Browser & Endpoint Telemetry

Mine browser history, application logs and EDR data to identify web-based AI tools that bypass network controls.

Structured Staff Survey

Anonymous, no-blame survey across functions to capture the tools people actually use day to day.

AI Tool Inventory

Consolidated, risk-rated inventory of every AI tool in use, with data-handling notes and vendor due-diligence status.

Remediation Priorities

Ranked recommendations covering what to sanction, what to block and what needs a closer look, with a path to a full AI Security Gap Analysis.

Don't Wait for an Incident to Find Out

Most organisations discover significantly more AI usage than they anticipate. A structured discovery exercise gives you the inventory and the risk view in weeks, not quarters.

Who It's For

This service suits organisations that suspect their AI usage has outpaced their visibility. You might be a CISO preparing for a board conversation, a Head of GRC preparing for ISO 42001 scoping or a Data Protection Officer responding to a regulator’s enquiry.

It’s particularly relevant where AI adoption has been employee-driven and where existing policy work has assumed a tidier picture than the reality.

Engagement Model

Delivered as a fixed-scope engagement, typically completed within 3–4 weeks depending on the size of your estate and the maturity of your logging infrastructure.

Discovery is the first step. Once you know what you’re dealing with, most clients move into an AI Security Gap Analysis to assess the risk and into an AI Security Programme to manage it over time.

Standards & Frameworks

Our services are aligned to industry-leading standards and regulations.

Cyber Essentials
EU AI Act
EU GDPR
ICO AI Guidance
ISO 27001
ISO 42001
NCSC CAF
NHS DSPT
NIS2 Directive
NIST AI RMF
OWASP AI Top 10
SOC 2
UK AI Act
UK GDPR

Frequently Asked Questions

What is shadow AI?

Shadow AI refers to AI tools, applications and services that employees use without IT or security team oversight. It creates security risk because these tools often process sensitive business data without the data governance, access controls or vendor due diligence that sanctioned AI tools undergo.

How long does a shadow AI discovery take?

A structured discovery exercise typically takes three to four weeks. Organisations with existing SIEM infrastructure and cloud access security brokers already in place can often complete the data collection phase in days rather than a week. The timeline extends for large or geographically distributed organisations with limited logging infrastructure.

Does shadow AI discovery require specialist tools?

Not necessarily. Most organisations can conduct an initial discovery using existing security infrastructure: firewall and proxy logs, SIEM platforms, EDR tools and standard browser management capabilities. Specialist CASB and DLP solutions configured for AI service detection improve completeness but are not prerequisites for a first exercise.
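The network-traffic source described under "What's In Scope" and the point above about using existing proxy logs come down to one correlation: outbound destinations matched against a list of known AI service domains, aggregated per tool and per user. The script below is an added example of that correlation, not the provider's own tooling. It assumes a constructed proxy log format (epoch, user, source IP, destination host, method, bytes sent), a constructed domain-to-tool mapping, a constructed set of sanctioned tools and constructed risk thresholds; a real exercise would substitute the organisation's own proxy export, a maintained AI service inventory and its own sanction list.

```python
"""Correlate outbound proxy log lines with known AI service domains to
produce a first-pass, risk-rated shadow-AI inventory.

Example code added for illustration; the log format, domain list,
sanction list and thresholds are all constructed assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed mapping: AI tool -> domains it is reached through.
# A real exercise uses a maintained AI service inventory instead.
KNOWN_AI_SERVICES = {
    "ChatGPT": ("chatgpt.com", "chat.openai.com", "api.openai.com"),
    "Claude": ("claude.ai", "api.anthropic.com"),
    "Gemini": ("gemini.google.com",),
    "Copilot": ("copilot.microsoft.com",),
}
# Constructed: tools with vendor due diligence done and a DPA in place.
SANCTIONED_TOOLS = {"Copilot"}
# Constructed thresholds that push an unsanctioned tool to "high".
HIGH_RISK_UPLOAD_BYTES = 1_000_000   # roughly 1 MB sent outbound
HIGH_RISK_USER_COUNT = 3             # or this many distinct users

# Constructed proxy log format: epoch user src_ip dest_host method bytes_out
LOG_LINE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (GET|POST|CONNECT) (\d+)$")

# Constructed sample export: mostly AI traffic, some ordinary web traffic,
# one trailing-dot hostname and one malformed line.
SAMPLE_PROXY_LOG = """\
1710000000 alice 10.0.1.10 chatgpt.com CONNECT 240000
1710000010 bob 10.0.1.11 chatgpt.com CONNECT 900000
1710000020 carol 10.0.1.12 chat.openai.com CONNECT 5000
1710000030 dave 10.0.1.13 api.anthropic.com POST 1500000
1710000040 alice 10.0.1.10 copilot.microsoft.com CONNECT 30000
1710000050 erin 10.0.1.14 copilot.microsoft.com CONNECT 45000
1710000060 frank 10.0.1.15 intranet.example.internal GET 200
1710000070 grace 10.0.1.16 www.example.com GET 1200
1710000080 heidi 10.0.1.17 gemini.google.com. CONNECT 800
this line is not a proxy record
"""


@dataclass
class ToolUsage:
    tool: str
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_out: int = 0


def classify_host(host):
    """Return the AI tool a destination host belongs to, or None.

    Matches the exact domain or any subdomain of it, so 'notchatgpt.com'
    is not mistaken for 'chatgpt.com'."""
    host = host.lower().rstrip(".")
    for tool, domains in KNOWN_AI_SERVICES.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return tool
    return None


def parse_line(line):
    """Parse one proxy record; malformed lines return None and are skipped."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    _ts, user, _src_ip, host, method, nbytes = m.groups()
    return {"user": user, "host": host, "method": method, "bytes_out": int(nbytes)}


def risk_rating(usage):
    """Sanctioned tools are low; unsanctioned tools escalate on volume or reach."""
    if usage.tool in SANCTIONED_TOOLS:
        return "low"
    if usage.bytes_out >= HIGH_RISK_UPLOAD_BYTES or len(usage.users) >= HIGH_RISK_USER_COUNT:
        return "high"
    return "medium"


def build_inventory(lines):
    """Aggregate proxy records into per-tool rows, highest risk first."""
    usage = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tool = classify_host(rec["host"])
        if tool is None:
            continue  # ordinary web traffic, not an AI service
        u = usage.setdefault(tool, ToolUsage(tool))
        u.users.add(rec["user"])
        u.requests += 1
        u.bytes_out += rec["bytes_out"]
    order = {"high": 0, "medium": 1, "low": 2}
    rows = [
        {"tool": u.tool, "sanctioned": u.tool in SANCTIONED_TOOLS,
         "users": len(u.users), "requests": u.requests,
         "bytes_out": u.bytes_out, "risk": risk_rating(u)}
        for u in usage.values()
    ]
    rows.sort(key=lambda r: (order[r["risk"]], -r["users"], r["tool"]))
    return rows


if __name__ == "__main__":
    for row in build_inventory(SAMPLE_PROXY_LOG.splitlines()):
        print(f'{row["risk"]:<6} {row["tool"]:<8} sanctioned={row["sanctioned"]!s:<5} '
              f'users={row["users"]} requests={row["requests"]} bytes_out={row["bytes_out"]}')
```

Two caveats a practitioner should carry into the real exercise. First, a proxy sees only the TLS connect target and byte counts for HTTPS traffic, not the content, so the volume column is a proxy for risk rather than evidence of what was submitted; the browser and endpoint telemetry source exists precisely to fill that gap. Second, suffix matching against a fixed domain list only finds the tools already on the list, which is why the inventory is combined with the staff survey and public exposure check rather than relied on alone.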

What happens to the tools you find?

The output is a risk-rated inventory and a set of remediation priorities. Tools that process only non-sensitive information with strong vendor security practices may be approved retrospectively with appropriate controls. Tools that access sensitive data or connect to external services without oversight typically require immediate remediation or formal risk acceptance.

At what point does shadow AI become a compliance issue?

Shadow AI becomes a compliance issue as soon as it processes personal data covered by UK GDPR, which most AI tools do. An employee submitting customer data to an unvetted AI tool without a data processing agreement in place creates a potential GDPR breach. Under the EU AI Act, organisations deploying high-risk AI systems have additional compliance obligations that extend to shadow AI usage.

How does this fit alongside an AI Security Gap Analysis?

Discovery answers the question “what AI are we using?” A gap analysis answers the question “how risky is the way we’re using it?” Most organisations need both, in that order. Discovery feeds the gap analysis with the scope it needs to be accurate.

Start the Discovery

Get in touch to scope a Shadow AI Discovery for your organisation. You'll know what you're dealing with in weeks.

Book a Call