Shadow AI Detection
Shadow AI Detection helps MSPs discover and govern unauthorized or unvetted AI services in use within client organizations. As AI tools proliferate, employees routinely adopt AI assistants, code generators, and data analysis tools without IT approval — creating data exposure and compliance risks.
How Shadow AI Works
The Shadow AI module provides a registry of AI service discoveries. Discoveries can be submitted manually by analysts or by integrations that detect AI service usage in network traffic or browser activity.
Navigate to SecOps → Shadow AI Discovery.
Summary Metrics
| Metric | Description |
|---|---|
| Total Discoveries | All AI services identified |
| High/Critical Risk | Services classified as high or critical risk |
| By Category | Breakdown by AI service type |
| By Risk Level | Breakdown by severity |
Service Categories
| Category | Examples |
|---|---|
| Chatbot | ChatGPT, Claude, Gemini, Copilot |
| Code Generation | GitHub Copilot, Cursor, Codeium |
| Image Generation | Midjourney, DALL-E, Stable Diffusion |
| Data Analysis | Julius AI, ChatCSV, OpenAI Assistants with file uploads |
| Custom | Any other AI service |
Risk Classification
| Risk Level | Criteria |
|---|---|
| Critical | Can process regulated data (PHI, PCI, PII); no enterprise agreement; no data processing agreement |
| High | Retains user data for training; limited privacy controls; no BAA available |
| Medium | Consumer tier of an enterprise product; data retention unclear |
| Low | Enterprise-tier with DPA/BAA; data not used for training |
Discovery Workflow
Reporting a Service
Click Report Service to manually add a discovery:
| Field | Required | Description |
|---|---|---|
| Service Name | Yes | Name of the AI service (e.g., "ChatGPT", "Midjourney") |
| URL | No | Service URL for reference |
| Category | Yes | Service type (chatbot, code_gen, etc.) |
| Risk Level | Yes | Initial risk assessment |
| Notes | No | Context about how it was discovered or used |
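The integration path mentioned under How Shadow AI Works can be sketched as follows. This is an added example, not the product's own code or API: it scans proxy log lines for known AI service hostnames and builds one record per service using the fields from the table above. The log format, the hostname map, the record key names, the `image_gen` slug and the default `medium` risk value are all assumptions.

```python
import re
from collections import defaultdict

# Assumed hostname -> (service name, category) map; "image_gen" is a hypothetical slug.
AI_SERVICES = {
    "chatgpt.com": ("ChatGPT", "chatbot"),
    "claude.ai": ("Claude", "chatbot"),
    "midjourney.com": ("Midjourney", "image_gen"),
}

# Constructed proxy log lines: timestamp user method host:port status
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice CONNECT chatgpt.com:443 200
2024-05-01T09:14:41Z bob CONNECT www.midjourney.com:443 200
2024-05-01T09:15:10Z carol CONNECT chatgpt.com:443 200
2024-05-01T09:16:55Z carol CONNECT notclaude.ai:443 200
2024-05-01T09:17:02Z dave CONNECT claude.ai.example.net:443 200
malformed line
"""

LINE_RE = re.compile(r"^\S+\s+(\S+)\s+CONNECT\s+([A-Za-z0-9.-]+):\d+\s+\d{3}$")

def match_service(host):
    """Return (domain, name, category) if host is a listed domain or its subdomain."""
    host = host.lower().rstrip(".")
    for domain, (name, category) in AI_SERVICES.items():
        # Match on a label boundary; a substring test would flag notclaude.ai.
        if host == domain or host.endswith("." + domain):
            return domain, name, category
    return None

def build_discoveries(log_text, default_risk="medium"):
    """Aggregate proxy hits into one discovery record per service."""
    hits = defaultdict(lambda: {"users": set(), "count": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        hit = match_service(m.group(2)) if m else None  # unparsable lines are skipped
        if hit:
            hits[hit]["users"].add(m.group(1))
            hits[hit]["count"] += 1
    return [{
        "service_name": name,
        "url": f"https://{domain}",
        "category": category,
        "risk_level": default_risk,  # assumed placeholder until an analyst reviews
        "status": "Discovered",
        "notes": f"{h['count']} proxy hits from {len(h['users'])} user(s)",
    } for (domain, name, category), h in sorted(hits.items())]
```

Matching on the hostname label boundary keeps lookalike hosts such as `notclaude.ai` and `claude.ai.example.net` out of the registry, so analysts review real usage rather than false positives.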
Review and Decision
Newly reported services land in Discovered status. Move them through the review workflow:
| Status | Description |
|---|---|
| Discovered | Newly identified, not yet reviewed |
| Under Review | Analyst is evaluating the service |
| Approved | Service approved for use (possibly with conditions) |
| Blocked | Service blocked; users should not use it |
Approve — marks the service as approved (with conditions if needed). Users can continue using it.
Block — marks the service as blocked with a policy violation reason. This creates a record for policy enforcement conversations.
Filtering
Filter the discovery list by Risk Level, Status, or Category to focus on what needs immediate action (e.g., all Critical discoveries in Discovered status).