GenAI Shadow IT Audit
Find out what AI tools your employees are actually using — and what data is exposed.
The problem
The AI genie is out of the bottle. Your employees didn't wait for IT to approve a tool, write a policy, or finish an evaluation. They signed up, pasted in customer data, and moved on with their day. It happened months ago.
The question isn't whether sensitive data is flowing into AI systems — it's how much. Browser extensions summarizing emails. Marketing teams generating content with customer insights. Developers pasting proprietary code into chat interfaces. Every department has found their own tools.
Security teams consistently underestimate the scope by an order of magnitude. You can't govern what you can't see, and right now, you're flying blind.
What’s included
- Discovery of AI tools across browser extensions, SaaS platforms, and API integrations
- Employee survey and technical detection methods
- Data flow mapping — what data goes where
- Risk classification by tool and use case
- Stakeholder interviews across departments
- Policy gap assessment against current controls
What you get
- Complete AI tool inventory across your organization
- Data exposure risk report with severity ratings
- Acceptable use policy template, customized to your environment
- Executive summary for leadership and board
- 60-minute debrief call to walk through findings
Who this is for
- Companies with 200+ employees where GenAI adoption has outpaced policy
- Security teams that need visibility into unsanctioned AI usage
- Organizations preparing for SOC 2, ISO 27001, or regulatory audits
- Leadership teams that need to answer: "What's our AI risk exposure?"
Timeline & investment
Timeline: 1–2 weeks
Investment: $5,000–$10,000
Pricing: Fixed fee
Our approach
Kickoff — Day 1: Align on scope, access, and communication plan.
Discovery — Days 2–7: Technical detection, surveys, and stakeholder interviews.
Analysis — Days 8–10: Risk classification, data flow mapping, and policy gap assessment.
Delivery — Days 11–14: Final report, policy template, and executive debrief.
Frequently asked questions
We need read-only access to SSO/IdP logs and browser management tools, plus a short employee survey. No admin access, no agents installed on endpoints. We work with what you already have.
We adapt our methodology. If there's no centralized browser management or IdP, we rely more heavily on surveys, interviews, and network-level detection. We've done this with companies at every level of IT maturity.
We frame the audit as "understanding how we work" — not catching people doing something wrong. The goal is non-punitive. Employees are more cooperative when they know the purpose is to support better tools, not restrict them.
You get a clear picture of your AI tool landscape plus a customized acceptable use policy template. Follow-on engagements are available if you want help implementing recommendations, but there's no obligation.
Tools like CASBs catch known SaaS apps in network traffic. We go deeper — we give you analysis, risk context, and recommendations. We also catch browser extensions, API integrations, and tools that don't show up in network logs.
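As an added illustration of the discovery step described above (this is not the provider's own tooling), the script below merges two read-only inputs the answers mention, IdP/SSO sign-in events and a browser-management extension export, into a GenAI tool inventory and flags anything outside a sanctioned set. Every tool name, user, domain and event in it is constructed.

```python
# Added example, not the audit provider's tooling: a first-pass GenAI inventory built from
# IdP/SSO sign-in events and a browser-management extension export. All data is constructed.
import json
from collections import defaultdict

# Constructed catalog: substring seen in an app name, extension name or homepage -> label.
GENAI_CATALOG = {
    "chatbot-ai": "Hosted LLM chat (constructed)",
    "summarize-ai": "Email summarizer extension (constructed)",
    "codehelper": "Code assistant (constructed)",
}
SANCTIONED = {"Hosted LLM chat (constructed)"}  # tools already approved by policy
# Constructed IdP sign-in / OAuth-consent events, one JSON object per line
IDP_LOG = """\
{"ts":"2024-05-01T09:12:00Z","user":"ana@example.com","app":"chatbot-ai.example","event":"oauth_consent"}
{"ts":"2024-05-02T10:01:00Z","user":"bo@example.com","app":"codehelper.example","event":"sso_login"}
{"ts":"2024-05-03T11:30:00Z","user":"ana@example.com","app":"payroll.example","event":"sso_login"}
{"ts":"2024-05-04T08:45:00Z","user":"cy@example.com","app":"codehelper.example","event":"sso_login"}
"""
# Constructed browser-management export: extension name, homepage, installing user
EXTENSIONS = [
    {"name": "Summarize-AI for Mail", "homepage": "https://summarize-ai.example", "user": "di@example.com"},
    {"name": "Tab Manager", "homepage": "https://tabs.example", "user": "ana@example.com"},
]

def classify(text):
    """Return the catalog label matching `text`, or None if it is not a known GenAI tool."""
    lower = text.lower()
    for needle, label in GENAI_CATALOG.items():
        if needle in lower:
            return label
    return None

def build_inventory(idp_log=IDP_LOG, extensions=EXTENSIONS):
    """Merge both sources into {label: {"users": set, "sources": set, "sanctioned": bool}}."""
    inv = defaultdict(lambda: {"users": set(), "sources": set()})
    for line in idp_log.splitlines():
        ev = json.loads(line)
        label = classify(ev["app"])
        if label:  # non-AI apps such as payroll are dropped from the inventory
            inv[label]["users"].add(ev["user"])
            inv[label]["sources"].add("idp:" + ev["event"])
    for ext in extensions:
        label = classify(ext["name"] + " " + ext["homepage"])
        if label:
            inv[label]["users"].add(ext["user"])
            inv[label]["sources"].add("browser_extension")
    # Unsanctioned entries are the candidates for the data-exposure review
    return {k: {**v, "sanctioned": k in SANCTIONED} for k, v in inv.items()}
```

Feeding real IdP and browser-management exports in the same shape gives the raw tool list that the data flow mapping and risk classification then build on.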
Ready to see what’s hiding in your AI stack?
Most companies are surprised by what we find. Book a 30-minute call to discuss your organization's AI risk posture.