Shadow AI Discovery: Find the AI Your Organisation Is Already Using

Most organisations can name the AI tools they have sanctioned. Almost none can name the AI tools their employees are actually using. The gap between those two lists is shadow AI — and in most UK organisations it is now larger than the sanctioned stack.

Shadow AI is not a future risk. It is what is on your network this afternoon. A finance analyst pasting management accounts into a free LLM to draft the board pack. A salesperson piping customer call notes into a third-party meeting bot. A developer letting an AI code assistant suggest changes against a private repository. None of those people are acting maliciously. They are doing their jobs with the best tools they can find. But every one of those interactions is moving data outside your governance perimeter, and your CISO, your DPO and your auditor have no record of any of it.

Shadow AI Discovery is the work of bringing that activity into view — not to punish anyone, but so you can govern what is actually happening rather than what your policy says is happening. This page explains what shadow AI looks like inside a real organisation, how a structured discovery exercise works, what you should expect to find, and what comes next once you can see clearly.

The shadow AI problem in plain terms

Three forces have made shadow AI the default in 2026, not the exception.

The first is that consumer-grade AI is now better than most enterprise alternatives for everyday knowledge work. Free ChatGPT, Claude, Gemini, Copilot and a long tail of specialist assistants are one tab away and faster than the IT helpdesk. Employees who would never historically have installed unsanctioned software are now logging into AI services from their work browser every day.

The second is that the sanctioned stack is incomplete. Few organisations have rolled out a full set of approved AI tools across drafting, summarisation, data analysis, coding, customer comms, research and meeting capture. Where the sanctioned stack has gaps, people fill them. The 2025 AI at Work studies consistently put unsanctioned-tool usage at well over half of all knowledge workers, often higher than the sanctioned figure.

The third is that the data flow is invisible to legacy security tooling. Most outbound traffic to AI services looks like ordinary HTTPS to an unremarkable cloud host. DLP rules built around file movements, USB devices and named cloud apps do not catch a paste into a chat box. The places where shadow AI usage shows up — browser history, expense receipts for personal AI subscriptions, document drafting metadata — are not where most security teams look.

The result is a structural visibility gap, not a policy failure. You cannot govern what you cannot see, and most of the standard control catalogue was designed for a world where the data path was a file, a port or a known application — not a prompt.

What Shadow AI Discovery actually does

A structured Shadow AI Discovery is a one-to-two-week exercise that combines four investigative streams to build a defensible inventory of AI activity inside your organisation.

Network and identity telemetry. Outbound traffic logs from your secure web gateway, CASB or proxy are sampled and matched against a curated list of several hundred AI service hostnames and IP ranges. SSO logs are queried for any OAuth grants to AI services. Endpoint telemetry surfaces browser plugins and locally-installed assistants. This is the broadest source and usually produces the largest number of hits.

Spend analysis. Expense systems, corporate-card statements and procurement records are queried for AI subscriptions and add-ons paid for personally and reclaimed, or paid through team budgets without procurement review. Spend signals catch productivity tools that bypass IT entirely.

Targeted interviews. Anonymous, no-blame conversations with a representative cross-section of the workforce — typically twenty to forty interviews across functions — surface the tools employees actually use, the tasks they use them for, and the workarounds they have built when official systems are too slow. Interviews catch the high-impact uses that telemetry will miss, particularly anything employees do on personal devices or accounts.

Output forensics. A sample of recent business documents, code commits and customer communications is reviewed for stylistic and structural fingerprints of AI generation. This is the least precise stream but the only one that can detect prompts to AI tools where the employee never logged in from a corporate device — for example, drafting on a personal phone and pasting back.

The four streams cross-validate each other. Network logs that show a particular AI tool but no spend or interview signal often turn out to be a single power user. Spend signals without telemetry hits usually mean off-network use of a personal device. Interview signals without telemetry mean either personal-device use or detection-resistant tools. Each combination tells you something different about how that tool is being used.

The output of a discovery exercise is a structured inventory with three layers: which AI services are in use, in which business functions, for what kinds of data. That inventory is the input every downstream governance decision needs.
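As an added example (not the page's or QL Security's own tooling), here is the telemetry-matching and cross-validation logic described above, run over a few constructed secure-web-gateway log lines. The watchlist hostnames, the log format, the user names and the spend and interview lists are all assumptions built for the illustration.

```python
import re
from collections import defaultdict

# Constructed watchlist standing in for the curated list of several hundred
# AI service hostnames that the discovery exercise matches traffic against.
AI_HOSTS = {
    "chatgpt.com": "ChatGPT",
    "claude.ai": "Claude",
    "api.openai.com": "OpenAI API",
}

# Constructed gateway log (assumed format): timestamp user method host[:port] bytes_sent
PROXY_LOG = """\
2026-05-04T09:12:01Z alice CONNECT chatgpt.com:443 18231
2026-05-04T09:15:44Z alice CONNECT claude.ai:443 2044
2026-05-04T10:01:09Z bob CONNECT api.openai.com:443 91233
2026-05-04T10:02:10Z bob CONNECT api.openai.com:443 88120
2026-05-04T10:40:00Z erin CONNECT api.openai.com:443 4000
2026-05-04T11:30:00Z carol CONNECT cdn.example.com:443 512
this line is malformed and must not abort the sweep
"""

# Constructed signals from the other two streams, keyed by service name.
SPEND = {"Cursor"}                 # reclaimed personal subscription on expenses
INTERVIEWS = {"Claude", "Cursor"}  # tools named in anonymous interviews

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>\S+) "
    r"(?P<host>[^:\s]+)(?::\d+)? (?P<bytes>\d+)$"
)

def match_ai_service(host):
    """Return the watchlist service for a host; subdomains count, look-alikes do not."""
    host = host.lower().rstrip(".")
    for listed, name in AI_HOSTS.items():
        if host == listed or host.endswith("." + listed):
            return name
    return None

def telemetry_hits(log_text):
    """Map service -> {user: total bytes sent} for every watchlist hit in the log."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the whole sweep
        service = match_ai_service(m["host"])
        if service:
            hits[service][m["user"]] += int(m["bytes"])
    return {s: dict(users) for s, users in hits.items()}

def cross_validate(hits, spend, interviews):
    """Label each service using the stream combinations the page describes."""
    findings = {}
    for service in sorted(set(hits) | spend | interviews):
        users = hits.get(service, {})
        if users and service not in spend and service not in interviews:
            label = "single power user" if len(users) == 1 else "telemetry only, multiple users"
        elif service in spend and not users:
            label = "off-network use on personal device"
        elif service in interviews and not users:
            label = "personal device or detection-resistant tool"
        else:
            label = "corroborated use"
        findings[service] = {"users": sorted(users), "bytes": sum(users.values()), "finding": label}
    return findings
```

Calling `cross_validate(telemetry_hits(PROXY_LOG), SPEND, INTERVIEWS)` yields one finding per service, which is the per-tool row the three-layer inventory is built from.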

What you find when you look

The recurring patterns in shadow AI inventories are remarkably consistent across organisations.

Drafting is the dominant use. Email drafts, board papers, customer responses, internal memos, proposals, marketing copy, performance reviews. The data being put into AI to support drafting is almost always sensitive — board content, customer correspondence and HR material in particular.

Summarisation of meetings is the fastest-growing use. Meeting capture tools have proliferated. Many record the audio of internal meetings — including conversations that contain commercial-in-confidence information, customer data or material non-public information — and store the transcripts on third-party infrastructure under terms of service that most employees have never read.

Coding assistants are universal in engineering teams. GitHub Copilot, Cursor, Claude Code, Cody, Tabnine and others are used by engineering teams whether or not the organisation has approved them. Suggestions are often accepted into proprietary codebases without review, and some assistants train on the prompts they see, depending on tier.

Data analysis is the highest-risk use. Analysts pasting raw extracts of customer data, finance data or HR data into free AI tools to ask for trends, anomalies or summaries. This is the use case most likely to result in genuine data protection breaches and most likely to be invisible to security teams.

Customer-facing autonomy is rare but growing. A small but increasing number of organisations have employees connecting AI agents to customer systems — autonomous email handling, autonomous booking, autonomous CRM updates. These are the highest-impact cases, often discovered for the first time during a structured discovery.

You should expect to find between three and ten times the number of AI tools you currently have on your sanctioned list. Most will be benign. A small number will warrant immediate intervention.

From discovery to governance

The inventory is the start, not the end. A discovery exercise should always land alongside a decision framework — otherwise the inventory becomes shelfware.

Each AI tool surfaced needs to be classified along three axes: what data it is touching, what decisions it is influencing, and what the failure mode looks like. A tool that helps a developer rename a variable is in a different category from a tool that drafts contract clauses, which is in a different category from a tool that responds autonomously to customer messages. The same product can sit in different categories depending on how a particular team uses it.

That classification feeds three buckets:

Sanction and integrate. Tools that meet your standards on data handling, contractual posture and oversight, and that solve a real need, should be brought formally into the stack. Usually this involves an enterprise tier with the right data-handling commitments, SSO integration, an acceptable use policy update, and training.

Replace and retire. Tools that fail your standards but solve a real need should be replaced with a sanctioned equivalent and then actively retired. The replacement matters — you cannot tell people to stop using a productive tool without giving them a sanctioned alternative that works.

Block and educate. Tools that fail your standards and have no defensible business case should be blocked at the gateway and added to the do-not-use list, with clear communication explaining why.

The discovery work is what makes those decisions defensible. Without it, you are either banning everything (and watching everyone bypass the ban) or sanctioning nothing (and accepting whatever risk arrives).

When shadow AI becomes a compliance problem

For most UK organisations, the conversation about shadow AI has shifted from a productivity question to a compliance question over the last twelve months.

The EU AI Act requires organisations placing AI systems in scope on the EU market to maintain documentation of those systems, including their purpose, training data, performance characteristics and risk management. You cannot maintain that documentation for AI you do not know you are using. Shadow AI Discovery is the prerequisite for AI Act inventory work — see the AI Act Preparedness service for the broader compliance picture.

ISO/IEC 42001, the AI management system standard, requires a maintained inventory of AI systems and a control environment around how they are used. The standard’s stage-1 audit will look for evidence that the inventory is real, not aspirational. Discovery feeds that inventory directly — see ISO 42001 certification for the certification path.

UK GDPR and the Data Protection Act 2018 apply to personal data that is processed via AI tools, including for purposes of drafting, summarising or analysing. Shadow AI tools that handle personal data without a lawful basis, without a data processing agreement and without a transfer mechanism are a breach risk. The ICO has been clear that organisations cannot disclaim responsibility for processing they have not authorised but have failed to detect.

Sector regulators — the FCA in financial services, the PRA on operational resilience, the MHRA on medical AI, the NCSC and DSIT for critical national infrastructure — increasingly expect to see AI inventory and governance evidence as part of normal supervisory dialogue. Several recent supervisory letters have asked firms specifically what they have done to discover unsanctioned AI use.

Compliance is rarely the trigger that initiates a discovery exercise, but it is almost always part of the business case once the leadership team understands what is at stake.

Choosing the right approach

A few principles distinguish a useful Shadow AI Discovery from one that produces a long report no one acts on.

No-blame framing. Discovery only works if employees are willing to tell you what they actually use. The fastest way to ensure they do not is to make the exercise feel like an audit. Frame it as understanding, not enforcement. Make the interviews anonymous. Lead the comms with the same message internally.

Combine telemetry with interviews. Telemetry alone tells you what is on the network. Interviews alone tell you what people are willing to admit. The combination of the two — particularly the cases where one source contradicts the other — is where the real intelligence lives.

Time-box it. A discovery that runs for months produces a stale inventory by the time it lands. A focused one-to-two-week exercise produces a current inventory and a clear handover to the governance work.

Plan for the second discovery. Shadow AI usage is not static. New tools arrive every quarter, employee preferences shift, business processes evolve. A defensible governance posture includes a cadence — typically every six to nine months — for refreshing the inventory.

Integrate with the broader posture. Discovery is most useful when its output flows into the rest of the AI security programme — gap analysis, controls, training, vendor due diligence, regulator engagement — rather than sitting in a one-off report. See the AI Security Programmes service for the operating-model view.

Shadow AI Discovery is the starting point for several broader pieces of work. The most common follow-ons are:

Frequently asked questions

How long does Shadow AI Discovery take? A focused engagement typically runs one to two weeks. The telemetry and spend analyses can be completed inside the first week. Interviews and output forensics overlap with that. A formal write-up and governance recommendations are delivered in the second week.

Will Shadow AI Discovery disrupt employees’ work? No. Telemetry and spend analyses are passive — they read existing logs and records and do not interact with end-users. Interviews are voluntary, scheduled at convenient times, and anonymous in the final report. No tools are blocked during discovery; the goal is to understand what is happening, not to interrupt it.

Do we need to talk to every employee? No. A stratified sample of twenty to forty interviews — drawn from a representative cross-section of functions, seniorities and tenure — is usually enough to surface the patterns. Larger organisations may want a wider sample, particularly if business units operate independently.

What happens to the data collected during discovery? All collected data is held under a data processing agreement that limits use to the engagement, requires deletion or return at the end, and prohibits use for any other purpose. Interview transcripts are anonymised before any sharing with the wider client team.

What if we already have a CASB or DLP system in place? Those tools form a valuable input to the telemetry stream, but they were not designed to detect AI usage specifically. Most CASB and DLP products catch a subset of AI services but miss the long tail. A discovery exercise complements existing tooling by adding the curated AI-specific hostname list, the spend analysis, and the human-source streams.

How do we explain shadow AI findings to the board? The discovery report is structured for board presentation. It leads with the inventory headline (number of AI tools in use, number of sanctioned versus shadow), the data exposure summary (what categories of data are flowing where), the highest-risk findings, and the recommended actions with cost and effort estimates. The technical detail sits in appendices.

Will employees be punished if we find them using shadow AI? No. The engagement is structured as a no-blame inventory exercise. The framing — communicated upfront and reinforced in interview consent — is that the organisation needs to understand the actual landscape in order to provide better sanctioned alternatives. Employees who report extensively are typically a leading indicator of where the sanctioned stack is failing them.

How often should we run a Shadow AI Discovery? Once is the minimum. After the initial exercise, a refresh every six to nine months is the typical cadence for a defensible governance posture. Some organisations move to a continuous-monitoring model after the initial discovery, with telemetry feeds running permanently and human review on a quarterly cycle.

What does Shadow AI Discovery cost? Engagement size depends on the scope (number of employees, number of business units, integration depth with existing telemetry). A focused engagement for a mid-market UK organisation typically lands in the range of a single substantive consulting project — comparable to a standard penetration test or compliance audit. We will scope a fixed price after an initial scoping call.

Is Shadow AI Discovery the same as an AI risk assessment? No. Discovery answers the question “what AI is in use?” A broader AI risk assessment answers the question “what are the risks across the AI estate, and what should we do about them?” The two are complementary — discovery is the inventory foundation that an assessment then evaluates.

Talk to us

Shadow AI Discovery is most useful when it is the first phase of a wider governance conversation. If you want to understand what your organisation is actually using, what risks it is carrying, and what the most leveraged response looks like for your specific situation, get in touch. We will scope a discovery engagement that matches your scale and the regulatory pressures you are facing.


JSON-LD: Article schema

<script type="application/ld+json">
{
  "@context": "https://schema.org",
  "@type": "Article",
  "headline": "Shadow AI Discovery: Find the AI Your Organisation Is Already Using",
  "description": "A practical guide to discovering, assessing and bringing unsanctioned AI under governance. For UK CISOs, CIOs and risk leaders who need to know what their people are actually using.",
  "author": {
    "@type": "Organization",
    "name": "QL Security",
    "url": "https://qlsecurity.co.uk/"
  },
  "publisher": {
    "@type": "Organization",
    "name": "QL Security",
    "url": "https://qlsecurity.co.uk/"
  },
  "mainEntityOfPage": {
    "@type": "WebPage",
    "@id": "https://qlsecurity.co.uk/services/shadow-ai-discovery/"
  },
  "datePublished": "2026-05-10",
  "dateModified": "2026-05-10",
  "inLanguage": "en-GB",
  "about": [
    { "@type": "Thing", "name": "Shadow AI" },
    { "@type": "Thing", "name": "AI Governance" },
    { "@type": "Thing", "name": "AI Security" },
    { "@type": "Thing", "name": "Generative AI Risk" }
  ]
}
</script>

JSON-LD: FAQPage schema

<script type="application/ld+json">
{
  "@context": "https://schema.org",
  "@type": "FAQPage",
  "mainEntity": [
    {
      "@type": "Question",
      "name": "How long does Shadow AI Discovery take?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "A focused engagement typically runs one to two weeks. Telemetry and spend analyses complete inside the first week; interviews and output forensics overlap with that. A formal write-up and governance recommendations are delivered in the second week."
      }
    },
    {
      "@type": "Question",
      "name": "Will Shadow AI Discovery disrupt employees' work?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "No. Telemetry and spend analyses are passive and do not interact with end-users. Interviews are voluntary, scheduled at convenient times, and anonymous in the final report. No tools are blocked during discovery."
      }
    },
    {
      "@type": "Question",
      "name": "Do we need to talk to every employee?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "No. A stratified sample of twenty to forty interviews drawn from a representative cross-section of functions, seniorities and tenure is usually enough to surface the patterns. Larger or more federated organisations may want a wider sample."
      }
    },
    {
      "@type": "Question",
      "name": "What happens to the data collected during discovery?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "All collected data is held under a data processing agreement that limits use to the engagement, requires deletion or return at the end, and prohibits use for any other purpose. Interview transcripts are anonymised before sharing."
      }
    },
    {
      "@type": "Question",
      "name": "What if we already have a CASB or DLP system in place?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Those tools form a valuable telemetry input but were not designed to detect AI usage specifically. Most CASB and DLP products catch a subset of AI services but miss the long tail. A discovery exercise complements them with curated AI-specific hostname lists, spend analysis, and human-source streams."
      }
    },
    {
      "@type": "Question",
      "name": "How do we explain shadow AI findings to the board?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "The discovery report is structured for board presentation. It leads with the inventory headline, the data exposure summary, the highest-risk findings, and the recommended actions with cost and effort estimates. Technical detail sits in appendices."
      }
    },
    {
      "@type": "Question",
      "name": "Will employees be punished if we find them using shadow AI?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "No. The engagement is structured as a no-blame inventory exercise. The aim is to understand the actual landscape and provide better sanctioned alternatives. Employees who report extensively are typically a leading indicator of where the sanctioned stack is failing."
      }
    },
    {
      "@type": "Question",
      "name": "How often should we run a Shadow AI Discovery?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Once is the minimum. A refresh every six to nine months is the typical cadence for a defensible governance posture. Some organisations move to a continuous-monitoring model with permanent telemetry feeds and quarterly human review."
      }
    },
    {
      "@type": "Question",
      "name": "What does Shadow AI Discovery cost?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Engagement size depends on scope (number of employees, number of business units, integration depth with existing telemetry). A focused engagement for a mid-market UK organisation lands in the range of a single substantive consulting project, comparable to a standard penetration test or compliance audit. We scope a fixed price after an initial scoping call."
      }
    },
    {
      "@type": "Question",
      "name": "Is Shadow AI Discovery the same as an AI risk assessment?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "No. Discovery answers the question what AI is in use. A broader AI risk assessment answers the question what are the risks across the AI estate, and what should we do about them. The two are complementary; discovery is the inventory foundation that an assessment then evaluates."
      }
    }
  ]
}
</script>

Publishing notes for John

This page is intended as a hidden service: present at /services/shadow-ai-discovery/, but not linked from:

The page should still be indexable by search engines (robots: index, follow) and crawlable by AI assistant fetchers — it is hub-and-pillar SEO/AEO bait, intended to capture organic traffic and convert visitors onto the sibling service pages.

Internal links FROM this page TO the other services are part of the conversion path. Internal links from other pages TO this page should be limited or omitted to preserve the hidden-service positioning.

Schema blocks (Article + FAQPage) are intended for the <head> or end-of-body section of the rendered page.

Word count: ~2,800 words.