How to run an internal Shadow AI inventory in one afternoon

1. Why this matters now

Most organisations do not have a Shadow AI problem because employees are reckless. They have a Shadow AI problem because sanctioned tools are slower, weaker, or simply not available , and because the cost of not using AI is now felt at the individual level. A marketing analyst under deadline will choose a consumer chatbot over a ticket queue every time.

The numbers are no longer in doubt. IBM's 2025 breach data put shadow AI inside one in five incidents, adding roughly $670K per case. BlackFog's 2026 research found 49% of employees using AI tools their employer has not sanctioned. Gartner projects that 75% of corporate data will transit unsanctioned cloud services by 2027. The question is no longer whether shadow AI exists in your organisation. It is whether you can describe it.

The goal of this afternoon is not enforcement. It is visibility. You cannot govern what you cannot see, and you cannot build a credible AI posture on top of a baseline you have not measured. Four hours, three people, one spreadsheet. That is the entire brief.

2. Scope the afternoon

Before you open a single console, agree on three boundaries:

• Time box. Four hours, one afternoon. If it takes longer, this is the wrong exercise; you need a full audit engagement, not a sweep. The point of the time box is to force triage: you will not find everything, and that is fine.
• People. One lead (IT or Security), one business sponsor (COO, Legal, or Head of Ops), one note-taker. Larger than three and the afternoon dies in coordination overhead. Smaller than three and the output has no executive weight tomorrow.
• Outcome. A single spreadsheet and a three-tier triage. Nothing more ambitious. See Section 9 for the minimum columns.

What you are explicitly not doing this afternoon: writing policy, selecting vendors, running a DPIA, or building an AI governance board. Those are downstream. Scope creep is the single most common reason this exercise never ships.

Target: ~45 minutes

Start with what you already pay for. AI features have quietly shipped into tools you never classified as AI: your CRM, your helpdesk, your note-taker, your design suite, your code editor. These are the highest-confidence wins of the afternoon and the easiest to close.

Where to look

• SSO provider. Export the list of active applications from Okta, Entra ID, Google Workspace, or JumpCloud. This is your ground truth for sanctioned apps.
• Finance system. Pull 12 months of card and invoice data. Filter merchant descriptors for AI, Copilot, Assistant, GPT, Claude, Gemini, Perplexity, Mistral, Cursor, Replit, Cognition, Anthropic, OpenAI, Hugging Face. Expenses under €100 are where shadow AI hides.
• OAuth grants. In Google Workspace or Entra ID, list third-party apps employees have authorised with their work identity. This catches AI tools that use "Sign in with Google" but never appear in SSO.
• Embedded AI features. Go through your top 20 SaaS contracts by spend and note which have shipped AI features in the last 18 months. Salesforce (Einstein), HubSpot (Breeze), Atlassian (Rovo), Notion (AI), Slack (AI), Zoom (AI Companion), GitHub (Copilot), Figma (Make), Intercom (Fin). Most are on by default.

For each tool, record

• Plan tier (consumer / team / enterprise), because the data handling differs sharply between them.
• Training on inputs: yes / no / opt-out available. Check the DPA, not the marketing page.
• Data residency: EU, US, or unspecified.
• Admin controls present on your tier (audit logs, DLP hooks, SSO enforcement, retention controls).
• Whether the tool sub-processes through another model provider (e.g. a SaaS vendor routing prompts to OpenAI or Anthropic).

Target: ~30 minutes

Browser extensions are the fastest-moving and least-governed surface in most enterprises. A single extension with the read and change all data on websites you visit permission can quietly route every page an employee opens to a third-party model, including webmail, CRM records, internal wikis, and SaaS dashboards. Most EDR tools do not inspect what an extension exfiltrates.

Where to pull the inventory

• Chrome Enterprise / Google Admin. Reports → Apps → Chrome → Extensions. Groups extensions by user and device.
• Microsoft Edge / Intune. Endpoint security → Attack surface reduction → Browser extensions report.
• MDM. Jamf and Kandji both surface installed extensions per device; Intune does the same for Windows estate.
• CASB / SSE. Netskope, Zscaler, and Defender for Cloud Apps all maintain extension risk catalogues.

Extension permission rubric

Not every extension needs the same scrutiny. Score each one against this rubric and only deep-dive the ones that score 3 or higher.

Scoring: 0–2 review only if another signal appears. 3–4 deep-dive, document, decide. 5+ remove from the estate today and notify the owner afterwards.

Known-risk categories

• "Summarise this page" and PDF summariser extensions: they post the entire DOM to a remote endpoint.
• Grammar and writing assistants running on consumer tiers while the user drafts in a corporate webmail.
• Screen-recording and "meeting copilot" extensions that inject themselves into Zoom and Meet calls.
• AI coding assistants running against private repositories without an enterprise agreement.
• "Prompt library" and "ChatGPT sidebar" extensions: the category has a documented history of sale-to-spyware handovers.

Going forward, move to an allowlist. Blocklists lose this race; a new AI extension ships on the Chrome Web Store roughly every day.

Target: ~30 minutes

This is the hardest surface to inventory and the one where the real exposure usually sits. You are not going to see a personal ChatGPT account from an IT console. You are going to see its fingerprints: the copy-paste events, the browser tabs, the file transfers, the expense receipts. The job here is pattern recognition, not enumeration.

Fingerprint checklist

• DLP copy-paste events. Filter for clipboard or paste actions targeting chat.openai.com, chatgpt.com, claude.ai, gemini.google.com, perplexity.ai, mistral.ai, poe.com, and character.ai. The payload size distribution tells you who is pasting entire documents versus short questions.
• Exfil-to-prompt pattern. File-share activity to personal Gmail, iCloud, or Dropbox shortly preceding a visit to a known AI domain. Classic workflow: email the deck to yourself, open it on a personal device, paste into ChatGPT.
• Calendar invites. Search your calendar estate for strings like "Notetaker", "AI Assistant", "Fireflies", "Otter", "Fathom", "Read.ai", and "tl;dv" as attendees or organisers.
• Expense & reimbursement. Receipts or expense claims referencing AI subscriptions paid personally. The €20/month line items almost always indicate a personal account being used for work.
• Local model inference. GPU utilisation spikes and outbound connections to ollama.com, huggingface.co, or model weight CDNs. Locally-hosted models bypass every network-level control you have.
• Code repositories. Commits with Co-authored-by: lines referencing Copilot, Cursor, Claude, or Codeium, which indicates AI coding assistants are in use regardless of whether they are sanctioned.

Target: ~45 minutes

Your SASE, CASB, or secure web gateway already knows more than you think. You just need to ask it the right question: which destinations hosting model inference are being hit from corporate endpoints, by whom, and at what volume? This step is the one that tends to produce the chart your executive sponsor will actually remember.

Query set: run all ten

1. Top 50 destinations in the last 30 days matching the vendor-supplied "Generative AI" or "LLM" category. Netskope, Zscaler, Palo Alto, and Defender for Cloud Apps all ship this taxonomy; use theirs rather than building your own.
2. Upload bytes per AI destination per user, ranked descending. A long right tail means document-pasting, not Q&A. Anything over ~50KB per session is almost certainly a pasted artefact.
3. Session count by AI destination by department. Segment against your HRIS groups. Legal and Finance using consumer AI at high volume is a different risk profile than Marketing doing the same.
4. Direct API traffic to api.openai.com, api.anthropic.com, generativelanguage.googleapis.com, api.mistral.ai, api.cohere.ai, and api-inference.huggingface.co. This indicates developer-built shadow integrations, higher risk than end-user chat because they scale.
5. Replicate, Modal, RunPod, Together.ai, Fireworks, Groq endpoints. Inference marketplaces that are rarely in a standard CASB catalogue.
6. AI coding-assistant traffic: api.cursor.sh, codeium.com, *.githubcopilot.com, tabnine.com, sourcegraph.com (Cody). Map each to an enterprise agreement or flag.
7. Agentic & browser-automation endpoints: browserbase.com, browser-use.com, Anthropic's Computer Use endpoints, and OpenAI Operator traffic. These signal nascent agent deployments, which carry a materially different risk profile than chat.
8. OAuth events granting a third-party AI app scope over Google Workspace, Microsoft 365, Slack, Notion, or GitHub data. Pull from admin audit logs and correlate with Query 1.
9. DNS queries to model weight mirrors: huggingface.co, civitai.com, ollama.com. Indicates local model deployment, which your network controls cannot inspect once the weights land on the endpoint.
10. After-hours volume. Session counts to AI destinations outside business hours by geography. Unusual after-hours spikes from a single identity are one of the highest-signal indicators of a compromised credential being used for exfiltration via an AI tool.

Target: ~15 minutes to send, results next day

The cheapest and most under-used instrument in the afternoon. Anonymous. Five questions. Sent to the whole company before the end of the day. Response rates on a short AI-use pulse typically land between 40% and 65% when the framing is genuinely non-punitive.

1. 1. In the last 30 days, which AI tools have you used for work tasks? (free text, multiple)
2. 2. For each tool above, were you logged into a personal account, a team account, or a company-provided account?
3. 3. What categories of information have you entered into those tools? (tick list: internal documents, client data, code, HR or financial data, meeting transcripts, strategy / roadmap, none of the above)
4. 4. What work task would you be able to do noticeably better if the company provided a sanctioned AI tool?
5. 5. What is stopping you from using the AI tools we already provide?

Question 5 is the one that pays for the afternoon. It tells you exactly where your sanctioned offering is losing to the consumer market, which is the only useful input to the remediation plan. Common answers: "too slow", "model is worse", "can't upload files", "had to request access and never heard back", "didn't know we had one".

8. Triage & classify what you find

Resist the urge to rank everything. A three-tier classification is enough for the afternoon. The purpose of triage is to decide what needs action this week, not to build a permanent risk taxonomy.

If more than a third of your findings end up Red, do not panic and do not launch a crackdown. Sequence the response: contain the highest-volume Red item first, communicate the sanctioned alternative the same week, and only then work down the list. The fastest way to turn a visible problem back into a shadow one is to punish the people who told you about it.

9. Stand up a minimum-viable AI register

A spreadsheet is fine. A Notion page is fine. An Airtable base is fine. What matters is that it exists by end of day, has a named owner, and is the single source of truth going forward. Resist tooling debates; you can migrate later.

Minimum columns

Fourteen columns. No more. The temptation to add fields for regulatory mapping, DPIA status, model provenance, and training-data lineage is real, and every one of those additions is a reason the register will not be maintained. Ship the fourteen columns. Extend only when a specific regulatory ask forces you to.

10. What to do tomorrow morning

The inventory is not the deliverable. The deliverable is a decision. Tomorrow morning, in this order:

1. Share the Red/Amber/Green summary (not the raw list) with your executive sponsor. One slide. Counts per tier, top three findings, recommended first action.
2. Name one sanctioned replacement for the highest-volume unsanctioned tool. One. Not a platform strategy. A replacement with a link, a licence count, and an owner.
3. Send a company-wide note thanking people for the survey responses, publishing the sanctioned replacement, and describing, in plain language, what data should and should not go into AI tools. Specificity beats policy tone every time.
4. Book the 30-day re-inventory. Shadow AI regrows. Anything you cannot commit to re-running in 30 days is theatre.
5. Open the governance conversation. The afternoon has given you the factual baseline. Now the board conversation is about accountability, budget, and architecture, not whether a problem exists.