Shadow AI: How to Discover, Govern, and Reduce Risk from Unauthorized AI Tool Use

You cannot govern what you cannot see. Discovery is the prerequisite step, and it requires data from multiple sources because AI tool usage happens across web browsers, API calls, installed applications, and mobile devices.

CASB (Cloud Access Security Broker) as the primary discovery source CASBs that operate inline (as a forward proxy or via API connectors) can identify AI application traffic by destination domain, URL patterns, and application fingerprinting. Major CASB vendors (Netskope, Microsoft Defender for Cloud Apps, Zscaler, Palo Alto Prisma Access) have built dedicated AI application catalogs that classify hundreds of AI tools by vendor, data handling practices, risk rating, and compliance certifications. Start here.

Key CASB queries to run:

• List all AI applications accessed by category (generative AI, code AI, image generation, AI-enhanced SaaS)
• Volume of data uploaded to each AI application (bytes uploaded, number of sessions)
• Users with the highest AI application usage outside approved tools
• AI applications with high-risk data handling ratings (no enterprise data agreements, training on user data, non-EU jurisdiction)

Secure Web Gateway (SWG) and DNS logs URL categorization databases in SWGs typically classify AI domains. Pull reports of traffic to the AI category over 30-90 days. DNS query logs are useful for identifying AI tools accessed from non-proxied devices (direct internet from corporate laptops, mobile devices on carrier networks).

Endpoint DLP telemetry Endpoint DLP agents (Microsoft Purview, Forcepoint, Symantec DLP) can log clipboard paste events and file upload events by destination application. If an employee copies content from an internal document and pastes it into a browser tab pointing to chat.openai.com, endpoint DLP captures both the source (SharePoint document containing PII) and the destination (ChatGPT).

Developer toolchain scanning Code-focused AI tools (GitHub Copilot, Cursor, Tabnine, Codeium, JetBrains AI Assistant) are used heavily by engineering teams and may not appear in standard CASB reports if they operate via IDE plugins rather than browser tabs. Audit installed IDE extensions and developer tool configurations. Review .gitignore and .env files for API keys indicating direct API usage of AI providers.

Survey-based discovery Combine technical discovery with a voluntary self-reporting survey. Ask employees which AI tools they use for work. Survey data identifies tools that evade technical controls (e.g., AI tools accessed via personal mobile devices) and provides insight into use case categories (writing assistance, code generation, data analysis, customer research).

Not all shadow AI carries equal risk. Apply a classification framework to prioritize remediation and policy decisions.

Risk dimension 1: Data handling practices The highest-risk AI applications use submitted content to train future models and do not offer enterprise data agreements that opt out of training. Verify the following for each discovered AI tool:

• Does the provider use user-submitted content for training? (Check Terms of Service and Enterprise agreements)
• Does the provider offer a Business Associate Agreement (BAA) for HIPAA-regulated data?
• Where is data processed and stored? (EU AI Act, China PIPL, and GDPR jurisdiction implications)
• What is the data retention period for submitted content?

Risk dimension 2: Access to sensitive data categories Classify discovered AI tools by the type of data employees are submitting, using CASB DLP inspection of uploaded content:

• Source code and proprietary algorithms
• Customer PII and financial data
• Internal documents classified as Confidential or Restricted
• Credentials, API keys, or secrets in pasted content
• M&A, legal, or HR sensitive information

Risk dimension 3: Tool category and capability Agentic AI tools that can take actions (browse the web, execute code, send email) carry higher risk than passive generation tools. Browser-integrated AI assistants that see all browser content carry higher risk than single-prompt tools.

Risk tiers:

• Tier 1 (Approved): Tools with enterprise agreements, data processing agreements, opt-out from training, and security certifications (SOC 2, ISO 27001)
• Tier 2 (Conditional): Tools acceptable for non-sensitive use cases with user training and monitoring
• Tier 3 (Blocked): Tools with no enterprise agreements, no data handling commitments, or that operate from high-risk jurisdictions

An AI acceptable use policy (AUP) is the governance foundation. Without it, enforcement is arbitrary and employees have no clear guidance. The policy must be practical enough that employees follow it rather than route around it.

Core policy components:

Approved tool list with clear use cases. Name the specific tools employees may use (example: Microsoft 365 Copilot for internal content, GitHub Copilot Enterprise for code with internal context, Grammarly Business for writing assistance). Specify approved use cases for each tool. Vague permission creates ambiguity.

Data classification rules. Specify which data classifications may not be submitted to AI tools under any circumstances. Example: Confidential and Restricted data (as defined in the Data Classification Policy) must never be submitted to AI tools, including approved tools, unless the tool has a validated enterprise data agreement and explicit CISO approval.

Specific prohibitions. Name behaviors that are always prohibited regardless of tool: submitting customer PII, source code from unreleased products, legal communications, M&A documents, credentials or API keys, unpublished financial data.

Attribution and disclosure requirements. Specify when AI-generated content must be disclosed (customer-facing content, regulatory filings, academic submissions, contractual representations).

Exception and approval process. Define how employees can request approval for tools not on the approved list. Make the process fast (2-5 business days) or employees will bypass it. Automate approvals for tools already assessed as Tier 1.

Consequences. State the disciplinary consequences of policy violation clearly. Ambiguity signals that the policy is not enforced.

Policy without enforcement is a wishlist. Implement technical controls aligned to the policy tiers.

Shadow AI governance is not a one-time project. Track these metrics to measure program effectiveness and demonstrate progress to leadership.

Discovery metrics:

• Number of distinct AI applications in use (decreasing over time as policy takes hold)
• Percentage of AI application usage covered by approved tools
• Volume of data submitted to Tier 3 applications (target: approaching zero after blocking)

Policy compliance metrics:

• Percentage of employees who have completed AI acceptable use training
• Number of DLP policy violations involving AI tools (trending down over time)
• Number of exception requests processed and average approval time

Risk reduction metrics:

• Number of sensitive data submissions to non-approved AI tools blocked by DLP
• Number of AI-related API keys detected and rotated via secrets scanning
• Risk score of the AI application portfolio (weighted average of data handling risk across all tools)

Report these metrics quarterly to CISO and annually to the board or risk committee alongside the AI tool catalog and policy update status.