TL;DR
You can discover 80 percent of an organisation's shadow AI exposure in 90 minutes by running six parallel workstreams: SaaS billing audit, DNS log scan for known model provider endpoints, browser extension survey, corporate card scan for AI subscriptions, Slack and Teams app inventory, and identity provider OAuth grant review. The output is a single inventory with vendor, owner, data class, and risk tier. Source pattern: CSA Top Threats to Cloud Computing 2024 and NIST SP 800-115 assessment methodology. Updated 2026-05-20.
Why 90 minutes is the right window
The 90-minute hunt is designed for one CISO, one IT operations lead, one procurement analyst, and one identity engineer working in parallel for one focused block. The objective is not a perfect inventory. The objective is a defensible, ranked, time-stamped baseline that you can review at the next governance committee and act on within ten business days.
Shadow AI is dominated by long-tail tools accessed through three channels: paid SaaS that bypassed procurement, free or freemium SaaS adopted at the individual level, and AI features quietly enabled inside existing approved vendors. Each channel has a primary signal source. The 90-minute hunt instruments all three at once, and the parallel design avoids the failure mode of single-workstream audits that take three weeks and miss everything outside the chosen lens.
The Cloud Security Alliance's Top Threats to Cloud Computing 2024 report flags unmanaged AI consumption as one of the fastest-growing risk categories, and IDC's 2024 SaaS Management research found that the average mid-market organisation underestimates its SaaS footprint by 40 to 60 percent. The playbook below is engineered to close that gap inside one working session.
The six parallel workstreams
Each workstream has one named owner, runs for 60 minutes of active investigation, and produces a structured output row per discovery. The remaining 30 minutes are consolidation, deduplication, and risk tiering. Run the workstreams concurrently; sequential execution defeats the design. Where the same person is listed for two workstreams below (procurement for 1 and 4, IT operations for 2, 3 and 5), hand the second one to an endpoint engineer or workspace admin, because the 60-minute blocks overlap and one person cannot run two of them at once.
Workstream 1: SaaS billing audit (60 min)
Owner: Procurement analyst. Pull the last 12 months of accounts payable filtered for any subscription-style charge under USD 5,000 (corporate card spend is a separate data source and is covered in Workstream 4). The threshold matters because most shadow AI lands in the under-5k band that bypasses formal procurement review at most enterprises; anything larger has usually been through a contract review and is already visible.
Concrete steps. First, export the AP ledger to CSV with vendor name, amount, frequency, GL code, and requesting cost centre. Second, sort by vendor name and filter for vendors containing any of: ai, gpt, llm, copilot, claude, gemini, mistral, perplexity, jasper, writer, anthropic, openai, cohere, midjourney, runway, suno, eleven, descript, otter, fireflies, gong, sembly, replit, cursor, codeium, tabnine, sourcegraph, hugging. Match the short tokens (ai, gpt, llm) on word boundaries rather than as bare substrings, otherwise Airtable, Mailchimp and similar vendors flood the list; the longer tokens still need a human glance, since writer, runway and cursor are ordinary English words. Third, cross-reference the surviving vendors against the official approved-vendor list from procurement. Anything on the AP ledger and not on the approved list is a shadow AI candidate; confirm the product before recording it.
Output schema per row: vendor name, first invoice date, last invoice date, annual run rate, requesting employee, requesting cost centre, vendor URL, suspected use case, approval status (yes or no). Expect to find 8 to 25 vendors at a 500-employee organisation, of which 30 to 50 percent will be shadow.
Workstream 2: DNS log scan for model provider endpoints (60 min)
Owner: IT operations lead. Query the corporate DNS resolver, secure web gateway, or CASB for outbound traffic to known foundation model API endpoints over the last 30 days. This catches direct API consumption that has no SaaS billing footprint - typically developer use, automation scripts, and embedded vendor calls.
Target domains to query (non-exhaustive baseline). OpenAI: api.openai.com, oaistatic.com, openai.com. Anthropic: api.anthropic.com, claude.ai, anthropic.com. Google AI: generativelanguage.googleapis.com, aiplatform.googleapis.com. Microsoft: openai.azure.com (each Azure OpenAI resource gets its own subdomain, so match on the suffix), copilot.microsoft.com. Mistral: api.mistral.ai, mistral.ai. Cohere: api.cohere.com, cohere.com. Llama hosting (Meta does not serve the API itself): api.together.xyz, llama.meta.com. Other: api.perplexity.ai, api.groq.com, api.deepseek.com, api.fireworks.ai, api.replicate.com, huggingface.co (including its api-inference subdomain), api.aleph-alpha.com, character.ai. Match on the domain suffix rather than the substring, so that a lookalike such as notopenai.com does not count and resource-specific subdomains do.
Concrete commands. For a Cisco Umbrella tenant, use the Reporting API or the Investigate domain search. For Zscaler, run Logs > Web Insights Logs with a destination filter on each domain. For a Palo Alto deployment, filter the URL logs on the AI-related URL category if your PAN-OS version provides one, or query traffic logs for the domain list. For pure DNS logs (BIND, AD DNS, Pi-hole), grep the log file for each domain string and aggregate by source host. For a BIND 9 query log, where the client address follows the word client and carries a # port suffix, the one-liner is:

```shell
grep -E 'api\.(openai|anthropic|mistral|cohere|perplexity|groq|deepseek|together|fireworks|replicate|huggingface)\.' query.log \
  | sed -E 's/.* client (@0x[0-9a-f]+ )?([0-9A-Fa-f.:]+)#.*/\2/' \
  | sort | uniq -c | sort -rn
```

Windows DNS debug logs and Pi-hole place the client address in a different column, so adapt the extraction step to the format in front of you.
Output schema per row: provider domain, requesting host or user, first observation date, request volume over 30 days, suspected use case. Cross-reference requesting hosts with the asset inventory and requesting users with HR data to identify the team and manager. Treat a resolver hit as a lead rather than proof of API use: a steady trickle from a server subnet is often an approved vendor's embedded integration, while bursts from a laptop usually mean a developer or a script. Endpoints using DNS over HTTPS never appear in resolver logs at all, which is why the web gateway or CASB view matters where you have it.
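The aggregation step above, written out as an added example (this is not the page's or Areebi's tooling). It parses BIND 9 query-log lines, maps each queried name to a provider by domain suffix rather than substring, and emits the Workstream 2 schema. The log lines, the client addresses and the `contoso-prod` Azure OpenAI resource name are constructed for the example; the provider table is a subset of the list above.

```python
"""Aggregate BIND 9 query-log lines into the Workstream 2 output schema.
Sample log lines below are constructed for this example."""
import re
from datetime import datetime

# Suffix -> provider label. Suffix matching (not substring) means a resource
# host such as "myres.openai.azure.com" matches and "notopenai.com" does not.
PROVIDER_SUFFIXES = {
    "api.openai.com": "OpenAI",
    "openai.azure.com": "Azure OpenAI",
    "api.anthropic.com": "Anthropic",
    "claude.ai": "Anthropic",
    "generativelanguage.googleapis.com": "Google AI",
    "api.mistral.ai": "Mistral",
    "api.groq.com": "Groq",
    "api.together.xyz": "Together (Llama host)",
}

# BIND 9 query log; the "@0x..." client pointer appears only in newer versions.
BIND_QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?:@0x[0-9a-f]+ )?"
    r"(?P<client>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample: two laptops and one server-side Azure OpenAI resource,
# plus a lookalike domain that must not be counted.
SAMPLE_BIND_LOG = """\
20-May-2026 09:12:03.114 client @0x7f3a1c0 10.20.4.15#51234 (api.openai.com): query: api.openai.com IN A +E(0) (10.20.0.2)
20-May-2026 09:12:04.002 client @0x7f3a1c0 10.20.4.15#51235 (api.openai.com): query: api.openai.com IN AAAA +E(0) (10.20.0.2)
20-May-2026 09:40:11.771 client 10.20.7.9#40011 (contoso-prod.openai.azure.com): query: contoso-prod.openai.azure.com IN A + (10.20.0.2)
20-May-2026 10:02:45.508 client @0x7f3a1c0 10.20.4.15#51302 (notopenai.com): query: notopenai.com IN A +E(0) (10.20.0.2)
21-May-2026 08:15:30.020 client 10.20.9.41#60210 (claude.ai): query: claude.ai IN A + (10.20.0.2)
21-May-2026 08:15:30.021 client 10.20.9.41#60211 (claude.ai): query: claude.ai IN HTTPS + (10.20.0.2)
"""


def provider_for(qname: str):
    """Return the provider label for a queried name, or None if it is not on the list."""
    name = qname.rstrip(".").lower()
    for suffix, provider in PROVIDER_SUFFIXES.items():
        if name == suffix or name.endswith("." + suffix):
            return provider
    return None


def aggregate(log_text: str) -> dict:
    """Return {(provider, client): {'first_seen', 'queries', 'names'}}."""
    out = {}
    for line in log_text.splitlines():
        m = BIND_QUERY_RE.match(line)
        if not m:
            continue  # not a query line (or a format this regex does not cover)
        provider = provider_for(m["qname"])
        if provider is None:
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        rec = out.setdefault((provider, m["client"]),
                             {"first_seen": ts, "queries": 0, "names": set()})
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["queries"] += 1
        rec["names"].add(m["qname"].rstrip(".").lower())
    return out


def report(agg: dict) -> list:
    """Rows in the Workstream 2 schema, busiest (provider, client) pair first."""
    rows = [{"provider": p, "client": c, "first_seen": r["first_seen"].isoformat(),
             "queries_30d": r["queries"], "names": sorted(r["names"])}
            for (p, c), r in agg.items()]
    return sorted(rows, key=lambda r: (-r["queries_30d"], r["provider"], r["client"]))


if __name__ == "__main__":
    for row in report(aggregate(SAMPLE_BIND_LOG)):
        print(row)
```

The lookalike `notopenai.com` is dropped by the suffix check, and the two `claude.ai` lookups (A and HTTPS records) collapse onto one row, which is the count you want: distinct client-to-provider pairs, not raw packets.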
Workstream 3: Browser extension survey (60 min)
Owner: IT operations lead (or endpoint engineer if available). Browser extensions are the highest-velocity shadow AI vector at most enterprises because they require no procurement event, no IT install, and no admin rights on managed endpoints. Most of them also send page content to the vendor's backend by design, and on a CRM, ticketing or support console that content is customer data.
Concrete steps. For managed Chrome, use the Google Workspace Admin console under Devices > Chrome > Apps & extensions to export installed extensions across the fleet. For Microsoft Edge under Intune, use the Intune (formerly Endpoint Manager) extension inventory. For unmanaged endpoints, or to triangulate, run an MDM script via Jamf or Intune against the extension storage path: macOS Chrome at ~/Library/Application Support/Google/Chrome/Default/Extensions, Windows Chrome at %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions, macOS Edge at ~/Library/Application Support/Microsoft Edge/Default/Extensions. Default is only the first browser profile; additional profiles sit beside it as Profile 1, Profile 2 and so on, so walk the parent directory rather than Default alone.
Filter by extension name pattern (and by extension ID where you already hold a list of known IDs): ChatGPT, GPT, Claude, Copilot, Jasper, Bard, Gemini, Notion AI, Grammarly, Quillbot, Compose, Writesonic, Otter, Fireflies, Tactiq, Reclaim, Magical, Lex, Lavender, Wordtune. A manifest's name field may be a localisation key such as __MSG_appName__ with the display name held in _locales, so match on the resolved name. Document install count by extension. Expect a 500-employee organisation to surface 15 to 40 distinct AI extensions, with the top three accounting for the majority of installs.
Output schema per row: extension name, extension ID, install count, permission scope (whole page, specific domains, clipboard access), suspected use case. Flag any extension whose manifest carries <all_urls> or a *://*/* pattern in host permissions or content-script matches, since that is read access to every page the user opens.
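Added example (not the page's own tooling) of the endpoint-side scan: walk an extension storage directory, resolve localised names, classify host access from both Manifest V2 and V3 layouts, and roll per-host results up into fleet install counts. The directory tree is built in a temp directory for the example; the two extension IDs and product names are invented.

```python
"""Enumerate a Chrome/Edge extension store directory into the Workstream 3
output schema. The fixture tree and extension IDs are constructed."""
import json
import tempfile
from pathlib import Path

# Host patterns that grant a content script or background page every site.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
AI_NAME_PATTERNS = ("chatgpt", "gpt", "claude", "copilot", "jasper", "gemini",
                    "grammarly", "quillbot", "otter", "fireflies", "tactiq", "wordtune")


def classify_scope(manifest: dict) -> str:
    """'whole page', 'specific domains' or 'none' from host access in MV2 or MV3."""
    hosts = set(manifest.get("host_permissions", []))          # MV3 host access
    hosts |= {p for p in manifest.get("permissions", [])       # MV2 match patterns
              if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):             # injected scripts
        hosts |= set(cs.get("matches", []))
    if hosts & BROAD_HOST_PATTERNS:
        return "whole page"
    return "specific domains" if hosts else "none"


def resolve_name(version_dir: Path, manifest: dict) -> str:
    """Chrome localises names as __MSG_key__; look the key up in _locales."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        msgs = version_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        if msgs.exists():
            name = json.loads(msgs.read_text()).get(name[6:-2], {}).get("message", name)
    return name


def scan_extensions_root(root) -> list:
    """Walk <root>/<extension id>/<version>/manifest.json; one row per install."""
    rows = []
    for ext_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            mf = version_dir / "manifest.json"
            if not mf.exists():
                continue
            manifest = json.loads(mf.read_text())
            name = resolve_name(version_dir, manifest)
            perms = manifest.get("permissions", [])
            rows.append({
                "extension_id": ext_dir.name, "name": name,
                "version": manifest.get("version"),
                "scope": classify_scope(manifest),
                "clipboard": "clipboardRead" in perms or "clipboardWrite" in perms,
                "ai_name_match": any(t in name.lower() for t in AI_NAME_PATTERNS),
            })
    return rows


def aggregate_fleet(per_host: list) -> dict:
    """Merge (hostname, rows) pairs from many endpoints into install counts."""
    fleet = {}
    for host, rows in per_host:
        for r in rows:
            rec = fleet.setdefault(r["extension_id"], {**r, "hosts": set()})
            rec["hosts"].add(host)
            if r["scope"] == "whole page":   # keep the broadest scope seen
                rec["scope"] = "whole page"
    for rec in fleet.values():
        rec["install_count"] = len(rec["hosts"])
    return fleet


def build_sample_tree() -> Path:
    """Constructed fixture: a localised MV3 extension with <all_urls> and
    clipboard access, and an MV2 extension scoped to one domain."""
    root = Path(tempfile.mkdtemp(prefix="ext-scan-"))
    a = root / "abcdefghijklmnopabcdefghijklmnop" / "2.3.1"   # invented ID
    (a / "_locales" / "en").mkdir(parents=True)
    (a / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "__MSG_appName__", "default_locale": "en",
        "version": "2.3.1", "host_permissions": ["<all_urls>"],
        "permissions": ["storage", "clipboardRead"]}))
    (a / "_locales" / "en" / "messages.json").write_text(
        json.dumps({"appName": {"message": "GPT Page Helper (constructed)"}}))
    b = root / "ponmlkjihgfedcbaponmlkjihgfedcba" / "1.0.0"   # invented ID
    b.mkdir(parents=True)
    (b / "manifest.json").write_text(json.dumps({
        "manifest_version": 2, "name": "Mail Widget (constructed)", "version": "1.0.0",
        "permissions": ["storage", "https://mail.example.com/*"],
        "content_scripts": [{"matches": ["https://mail.example.com/*"], "js": ["w.js"]}]}))
    return root


if __name__ == "__main__":
    rows = scan_extensions_root(build_sample_tree())
    fleet = aggregate_fleet([("laptop-01", rows), ("laptop-02", rows[:1])])
    for ext_id, rec in fleet.items():
        print(ext_id, rec["name"], rec["scope"], rec["install_count"])
```

Pointing `scan_extensions_root` at the per-profile paths from the step above (one call per profile directory, results tagged with the hostname) gives the per-host rows that `aggregate_fleet` expects; the fleet roll-up keys on extension ID, so the same product under two display names still counts as one row.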
Workstream 4: Corporate card scan (60 min)
Owner: Procurement analyst (parallels Workstream 1 but separate data source). Corporate cards capture spend that never hits AP because employees expense it back. This is the single richest source of long-tail freemium and prosumer-tier AI shadow because almost every popular AI tool offers a $20 to $50 per month tier that fits inside individual expense policies.
Concrete steps. Export the corporate card system (Brex, Ramp, SAP Concur, Coupa, Expensify) for the last 12 months, filtered to transactions under USD 100 with a recurring monthly pattern (the same amount in three or more distinct months is a workable definition). Apply the same vendor string filter as Workstream 1. Then add a second pass for the merchant descriptor and billing domain: chatgpt.com, openai.com, anthropic.com, perplexity.ai, cursor.sh, midjourney.com, runwayml.com, suno.ai, elevenlabs.io, descript.com, otter.ai, fireflies.ai, granola.ai, gong.io, sembly.ai, jasper.ai, writer.com, copy.ai, gamma.app, beautiful.ai, tome.app. Card statements carry merchant descriptors rather than URLs, so a subscription usually shows up as the vendor name in capitals with a product fragment, not as the domain; match on the vendor fragment and confirm against the receipt.
Output schema per row: vendor name, billing email, employee, cost centre, monthly amount, first charge date, last charge date, data classification likely exposed. The data classification field is critical: a marketing analyst using Jasper for blog drafts is different from a customer success rep pasting transcripts into Otter.
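Added example covering the filter step shared by Workstreams 1 and 4 (not the page's or Areebi's tooling): it applies the vendor pattern list with word boundaries on the short tokens, detects recurring monthly charges, derives an annual run rate, and cross-references an approved-vendor list. The ledger rows, employee names and the approved list are constructed; the merchant descriptor format is illustrative.

```python
"""Flag AI vendors in an AP ledger or corporate card export (Workstreams 1
and 4). Sample rows and the approved-vendor list are constructed."""
import csv
import io
import re
from collections import defaultdict

# Short tokens are anchored on word boundaries so "Airtable" or "Mailchimp"
# do not match. Long tokens are plain substrings and still need a human glance.
SHORT_TOKENS = ("ai", "gpt", "llm")
LONG_TOKENS = ("copilot", "claude", "gemini", "mistral", "perplexity", "jasper",
               "anthropic", "openai", "cohere", "midjourney", "runway", "eleven",
               "descript", "otter", "fireflies", "sembly", "replit", "cursor",
               "codeium", "tabnine", "sourcegraph", "hugging",
               "chatgpt", "elevenlabs", "granola", "gamma.app")
VENDOR_RE = re.compile(
    r"\b(?:" + "|".join(SHORT_TOKENS) + r")\b|"
    + "|".join(re.escape(t) for t in LONG_TOKENS),
    re.IGNORECASE,
)

# Constructed export: date,vendor,amount,employee,cost_centre.
SAMPLE_SPEND_CSV = """\
date,vendor,amount,employee,cost_centre
2026-01-15,OPENAI *CHATGPT SUBSCR,20.00,j.doe,Sales
2026-02-15,OPENAI *CHATGPT SUBSCR,20.00,j.doe,Sales
2026-03-15,OPENAI *CHATGPT SUBSCR,20.00,j.doe,Sales
2026-02-03,Airtable Inc,24.00,a.smith,Marketing
2026-03-01,Otter.ai,16.99,c.wu,Customer Success
2026-03-02,Mailchimp,150.00,m.ops,Marketing
2026-01-10,Anthropic PBC,4800.00,r.kim,Engineering
"""
APPROVED_VENDORS = {"anthropic"}   # constructed approved list, normalised keys


def matches_ai_vendor(vendor: str) -> bool:
    """True if the vendor name or card descriptor hits the AI pattern list."""
    return VENDOR_RE.search(vendor) is not None


def normalise(vendor: str) -> str:
    """Collapse a descriptor such as 'OPENAI *CHATGPT SUBSCR' to a comparable key."""
    return re.sub(r"[^a-z0-9]+", " ", vendor.lower()).strip()


def scan_spend(csv_text: str, approved_vendors: set) -> list:
    """One finding per (vendor, employee): recurrence, run rate, approval status."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if matches_ai_vendor(row["vendor"]):
            groups[(normalise(row["vendor"]), row["employee"])].append(row)
    findings = []
    for (vendor_key, employee), rows in groups.items():
        rows.sort(key=lambda r: r["date"])          # ISO dates sort as strings
        amounts = [float(r["amount"]) for r in rows]
        months = {r["date"][:7] for r in rows}
        # Recurring: roughly the same amount (within 5%) in three or more months.
        recurring = len(months) >= 3 and max(amounts) - min(amounts) <= 0.05 * max(amounts)
        run_rate = amounts[-1] * 12 if recurring else sum(amounts)
        findings.append({
            "vendor": rows[0]["vendor"],
            "employee": employee,
            "cost_centre": rows[0]["cost_centre"],
            "first_charge": rows[0]["date"],
            "last_charge": rows[-1]["date"],
            "months_seen": len(months),
            "recurring": recurring,
            "annual_run_rate": round(run_rate, 2),
            "approved": any(a in vendor_key for a in approved_vendors),
        })
    return findings


if __name__ == "__main__":
    for f in scan_spend(SAMPLE_SPEND_CSV, APPROVED_VENDORS):
        print(f)
```

On the constructed rows the ChatGPT subscription is recognised as recurring at USD 240 a year, Otter is a one-off so far, Anthropic is matched but marked approved, and Airtable and Mailchimp never reach the candidate list because the bare `ai` token only matches on a word boundary.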
Workstream 5: Slack and Teams app inventory (60 min)
Owner: IT operations lead or workspace admin. Collaboration platforms have become AI distribution channels. A single Slack or Teams app install grants AI tools access to messages, files, and channels across the workspace, often with broader scope than the requesting employee realises.
Concrete steps for Slack. As workspace admin, go to Apps > Manage and export the installed apps list, including installer, install date, and OAuth scopes. Filter for apps with names matching the AI vendor list (Workstream 4) plus: PromptLoop, Glean, Lindy, Coda AI, Notion AI, Mem, Reclaim, Clay, Apollo, Outreach, Salesloft, Drift, Ada, Intercom Fin, Forethought. Note any app with channels:history, groups:history, im:history, files:read, or users:read scopes; the groups and im history scopes are the private-channel and direct-message equivalents of channels:history and are easy to overlook.
Concrete steps for Microsoft Teams. In Teams Admin Center > Teams apps > Manage apps, export the global app list and filter on the same vendor names. Cross-check Microsoft Entra ID (formerly Azure AD) > Enterprise applications for OAuth grants tied to AI tools; this catches connectors not visible in the Teams app catalogue alone.
Output schema per row: platform, app name, installer, install date, OAuth scope summary, channels or teams with access, suspected data exposure. Apps with broad files:read or channels:history scope are top-tier risks for review.
Workstream 6: SSO and identity provider OAuth scan (60 min)
Owner: Identity engineer. The identity provider holds the ground truth for SaaS that employees actually use, even when those tools never appeared in procurement. OAuth grants are the canonical inventory of third-party apps with access to corporate identity and corporate data.
Concrete steps. For Okta, query the System Log API for event type application.user_membership.add over the last 12 months, then filter by application label against the AI vendor list. Also pull the full SSO application registry from Applications > Applications. For Microsoft Entra ID (Azure AD), use Enterprise applications > All applications, filter on Application Type = Enterprise applications, export to CSV, and cross-reference the AI vendor list. For Google Workspace, use Admin > Security > Access and data control > API controls, which covers both domain-wide delegation and, under Manage third-party app access, the OAuth apps users have consented to; pair it with the OAuth Token audit log to see which users granted which scopes and when.
Pay particular attention to: applications with permissions to read mail, files, or calendar; applications using user-consented OAuth (rather than admin-consented), which bypass IT review by design; applications with sign-ins from regions or devices outside the corporate footprint. Microsoft and Google both publish OAuth scope references; flag any AI tool requesting Mail.Read, Files.Read.All, Calendars.Read, or User.Read.All. In Entra ID the user-consented list is only as long as the tenant's user consent setting allows, so if users may consent to any app, expect this workstream to produce the longest list of the six.
Output schema per row: identity provider, application name, grant type (admin or user), OAuth scopes granted, distinct user count, last sign-in date, suspected use case.
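Added example serving Workstreams 5 and 6 together (not the page's or Areebi's tooling): it parses scope strings in both the space-separated Entra ID form and the comma-separated Slack export form, collapses per-user grants onto one row per app, flags the broad scopes named above, and orders the review queue with user-consented apps first. The grants and app names are constructed.

```python
"""Score Slack app installs and Entra ID OAuth grants by scope breadth and
consent path (Workstreams 5 and 6). Grants and app names are constructed."""

# Scopes the playbook says to flag, plus the Slack history scopes for private
# channels and DMs. offline_access is watched because it yields refresh tokens.
BROAD_SCOPES = {
    "slack": {"channels:history", "groups:history", "im:history", "mpim:history",
              "files:read"},
    "entra": {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
              "Calendars.Read", "User.Read.All", "Sites.Read.All"},
}
WATCH_SCOPES = {
    "slack": {"users:read", "users:read.email"},
    "entra": {"offline_access", "Directory.Read.All"},
}

# Constructed grants: one user-consented Graph app with two users, one
# admin-consented app with sign-in only, and one Slack app with history access.
SAMPLE_GRANTS = [
    {"platform": "entra", "app": "SummarizeBot (constructed)", "grant_type": "user",
     "principal": "j.doe", "scope": "User.Read Mail.Read offline_access"},
    {"platform": "entra", "app": "SummarizeBot (constructed)", "grant_type": "user",
     "principal": "a.smith", "scope": "User.Read Mail.Read"},
    {"platform": "entra", "app": "Timesheet (constructed)", "grant_type": "admin",
     "principal": "all", "scope": "User.Read"},
    {"platform": "slack", "app": "Notetaker AI (constructed)", "grant_type": "admin",
     "principal": "r.kim", "scope": "channels:history,files:read,users:read"},
]


def parse_scopes(scope_field: str) -> set:
    """Entra stores a grant's scopes space-separated; Slack exports use commas."""
    return {s for s in scope_field.replace(",", " ").split() if s}


def assess(grants: list) -> list:
    """Collapse grants to one row per (platform, app) and assign a review tier.

    Tier 2 = broad scope (files, mail, calendar, message history) under the
    page's rubric; Tier 3 otherwise. Tier 1 needs confirmed regulated data,
    which scopes alone cannot prove, so that call is left to consolidation.
    Within a tier, user-consented apps sort ahead of admin-consented ones."""
    apps = {}
    for g in grants:
        rec = apps.setdefault((g["platform"], g["app"]), {
            "platform": g["platform"], "app": g["app"],
            "scopes": set(), "users": set(), "user_consented": False})
        rec["scopes"] |= parse_scopes(g["scope"])
        rec["users"].add(g["principal"])
        rec["user_consented"] |= g["grant_type"] == "user"
    rows = []
    for rec in apps.values():
        broad = rec["scopes"] & BROAD_SCOPES[rec["platform"]]
        watch = rec["scopes"] & WATCH_SCOPES[rec["platform"]]
        rows.append({**rec, "broad_scopes": sorted(broad), "watch_scopes": sorted(watch),
                     "distinct_users": len(rec["users"]), "tier": 2 if broad else 3})
    return sorted(rows, key=lambda r: (r["tier"], not r["user_consented"],
                                       -r["distinct_users"], r["app"]))


if __name__ == "__main__":
    for row in assess(SAMPLE_GRANTS):
        print(row["tier"], row["platform"], row["app"], row["distinct_users"],
              row["broad_scopes"], row["watch_scopes"])
```

The union of scopes across users matters: in the constructed data only one of SummarizeBot's two users granted offline_access, but the app as a whole holds a refresh token and is assessed on that basis.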
Consolidation and risk tiering (30 min)
The final 30 minutes merge the six output schemas into one inventory, deduplicate by vendor, and assign a risk tier per row. The deduplication step is essential because most genuine shadow AI tools will appear in two or three workstreams (for example, ChatGPT Plus on corporate card, api.openai.com in DNS logs, and the ChatGPT Chrome extension all point to the same underlying exposure).
Use this risk-tier rubric. Tier 1 (immediate): any tool with confirmed processing of customer data, regulated data (PHI, PCI, PII), or source code. Tier 2 (10 business days): tools with broad OAuth scopes (files, mail, calendar) but no confirmed regulated data exposure. Tier 3 (next quarterly review): personal productivity tools with bounded data exposure (writing assistants without files access, image generators with no input data of concern).
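Added example of the consolidation step (not the page's or Areebi's tooling): findings from any of the six workstreams are collapsed onto one canonical vendor through an alias table, discovery sources and user sets are unioned, the worst-case data class wins, and the rubric above assigns the tier. The findings, user names and the alias table are constructed; a real alias table grows with every hunt.

```python
"""Merge workstream outputs into the unified inventory and apply the risk
tier rubric. Findings and the alias table are constructed for this example."""
import re

# Alias -> canonical vendor. Card descriptors, DNS names and extension names
# for one product must collapse onto one row (the ChatGPT case in the text).
VENDOR_ALIASES = {
    "openai": ("openai", "chatgpt", "api.openai.com", "chatgpt.com"),
    "anthropic": ("anthropic", "claude", "api.anthropic.com", "claude.ai"),
    "otter": ("otter", "otter.ai"),
}
# Ordinal for the worst-case data class observed per source.
DATA_CLASS_RANK = ("none", "internal", "customer", "regulated", "source code")
TIER1_CLASSES = {"customer", "regulated", "source code"}

# Constructed findings in a minimal common shape: source, vendor label as the
# workstream saw it, users (or hosts), optional data class, OAuth flag, spend.
SAMPLE_FINDINGS = [
    {"source": "card", "vendor": "OPENAI *CHATGPT SUBSCR", "users": ["j.doe", "m.lee"],
     "annual_run_rate": 480.0},
    {"source": "dns", "vendor": "api.openai.com", "users": ["dev-laptop-15"]},
    {"source": "extension", "vendor": "ChatGPT Sidebar (constructed)",
     "users": ["j.doe", "k.ng"], "data_class": "customer"},
    {"source": "card", "vendor": "Otter.ai", "users": ["c.wu"], "data_class": "customer",
     "annual_run_rate": 203.88},
    {"source": "oauth", "vendor": "SummarizeBot (constructed)", "users": ["j.doe", "a.smith"],
     "broad_oauth": True},
]


def canonical_vendor(label: str) -> str:
    """Map any label a workstream produced onto one vendor key."""
    low = label.lower()
    for canon, aliases in VENDOR_ALIASES.items():
        if any(a in low for a in aliases):
            return canon
    return re.sub(r"[^a-z0-9]+", " ", low).strip()   # unknown vendor: normalised label


def risk_tier(data_class: str, broad_oauth: bool) -> int:
    """Page rubric: Tier 1 for customer, regulated or source code data;
    Tier 2 for broad OAuth scope without that; Tier 3 for the rest."""
    if data_class in TIER1_CLASSES:
        return 1
    return 2 if broad_oauth else 3


def consolidate(findings: list) -> list:
    """One inventory row per canonical vendor, Tier 1 and multi-source rows first."""
    inv = {}
    for f in findings:
        key = canonical_vendor(f["vendor"])
        rec = inv.setdefault(key, {"vendor": key, "sources": set(), "users": set(),
                                   "data_class": "none", "broad_oauth": False,
                                   "annual_run_rate": 0.0})
        rec["sources"].add(f["source"])
        rec["users"] |= set(f.get("users", []))
        observed = f.get("data_class", "none")
        if DATA_CLASS_RANK.index(observed) > DATA_CLASS_RANK.index(rec["data_class"]):
            rec["data_class"] = observed              # worst case observed wins
        rec["broad_oauth"] |= f.get("broad_oauth", False)
        rec["annual_run_rate"] += f.get("annual_run_rate", 0.0)
    rows = [{**rec, "sources": sorted(rec["sources"]), "distinct_users": len(rec["users"]),
             "tier": risk_tier(rec["data_class"], rec["broad_oauth"])}
            for rec in inv.values()]
    return sorted(rows, key=lambda r: (r["tier"], -len(r["sources"]), r["vendor"]))


if __name__ == "__main__":
    for row in consolidate(SAMPLE_FINDINGS):
        print(row["tier"], row["vendor"], row["sources"], row["distinct_users"],
              row["data_class"], row["annual_run_rate"])
```

The three OpenAI sightings (card, DNS, extension) become one Tier 1 row with four distinct users, which is the signal the consolidation step is meant to surface; the same tool seen by one workstream alone sorts below it within the tier.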
At Areebi, we built the platform inventory and DLP layer so that the 90-minute hunt becomes a one-click report rather than a manual workstream, and so that Tier 1 findings can be remediated by redirecting users to the sanctioned tenant in the same session rather than chasing them down individually. The hunt below is the manual baseline; the platform is the steady state.
The unified inventory template
The output of the 90-minute hunt is a single spreadsheet with one row per discovered tool. Use the schema below as a starting point. Save the artefact in a controlled location (the AI governance committee SharePoint or equivalent), version it, and date the snapshot.
| Field | Description | Example |
|---|---|---|
| Tool name | Canonical product name | ChatGPT Plus |
| Vendor | Legal entity | OpenAI, L.L.C. |
| Discovery source | Which workstreams flagged it | Card scan + DNS + extension |
| Distinct users | Estimated count | 34 |
| Data class | Worst-case data observed | Customer PII suspected |
| OAuth scope | If applicable | None (web only) |
| Annual run rate | USD per year | $8,160 |
| Risk tier | 1, 2, or 3 | Tier 1 |
| Remediation owner | Named individual | CISO + Sales Ops lead |
| Target action | Block, sanction, replace, monitor | Replace with sanctioned tenant |
| Due date | From risk tier rubric | 2026-05-30 |
The completed inventory is the deliverable to the AI governance committee. It satisfies the discovery half of NIST AI RMF GOVERN 6 (third-party AI risk) and feeds directly into the enterprise compliance checklist and the AI governance programme build.
Common failure modes
Three failure modes appear in nearly every first hunt. Each one is avoidable with a small adjustment in scoping.
Failure 1: Single-workstream tunnel vision. The most common pattern is to run only the SaaS billing audit because procurement owns that data and procurement called the meeting. This misses 60 to 80 percent of the actual exposure, because free tiers, corporate card spend, and DNS-level direct API consumption never appear in AP. Avoid it by running all six workstreams in parallel, with named owners agreed in advance.
Failure 2: Skipping the consolidation step. Each workstream produces a list; the value is in merging the lists and observing which tools appear in multiple workstreams (highest signal) versus single-workstream noise. Without consolidation, the output is six separate Excel files with no risk ranking. Enforce the 30-minute consolidation block as a structured exercise with a named scribe.
Failure 3: Treating discovery as a one-off event. The 90-minute hunt produces a point-in-time baseline. Shadow AI is a flow, not a stock - new tools land weekly. The hunt must become a continuous discovery posture, ideally via automated platform telemetry. Areebi customers receive ongoing inventory updates from the same telemetry sources, but any continuous-discovery approach works if it covers all six workstreams.
What to do next
Schedule the 90 minutes this week, name the four owners, and book the room. The hunt does not require new tools or budget; everything in the playbook uses data your organisation already collects. If your team would benefit from a structured walkthrough or a sanctioned-tenant migration to replace the Tier 1 findings, the Areebi AI Governance Assessment incorporates the hunt as Module 1 of a four-week baseline.
- What is shadow AI? - the foundational definitions and risk taxonomy that this playbook operationalises.
- The cost of one shadow AI breach (2026) - quantifies the dollar impact of the Tier 1 exposures you are about to find.
- Enterprise AI compliance checklist - the full checklist your inventory feeds into.
- NIST AI RMF GOVERN deep dive - the regulatory framing for why the inventory exists.
- AI control plane enterprise guide - the steady-state architecture that turns the one-time hunt into a continuous posture.
External sources
- Cloud Security Alliance, Top Threats to Cloud Computing 2024: cloudsecurityalliance.org/artifacts/top-threats-to-cloud-computing-2024.
- NIST SP 800-115, Technical Guide to Information Security Testing and Assessment: csrc.nist.gov/pubs/sp/800/115/final.
- IDC, SaaS Management Buyer's Guide: idc.com/getdoc.jsp?containerId=US51461524.
- IAPP, Shadow IT and Generative AI: A Privacy and Risk Lens: iapp.org/resources/article/shadow-it-and-generative-ai/.
- NIST AI 600-1, Generative AI Profile (July 2024): nist.gov/itl/ai-risk-management-framework.
Frequently Asked Questions
How is the 90-minute hunt different from a normal shadow IT audit?
A normal shadow IT audit typically runs a single workstream (SaaS billing or DLP scan) over multiple weeks. The 90-minute AI hunt runs six workstreams in parallel for one focused block, because shadow AI is distributed across channels that no single workstream covers. DNS logs catch direct API consumption, corporate cards catch freemium tools, browser extensions catch endpoint-level exfiltration, and OAuth grants catch identity-level exposure. Together they cover the actual surface; alone they miss the majority.
What if we don't have DNS logs or a CASB?
Even basic resolver logs (Active Directory DNS, BIND, or a corporate Pi-hole) are sufficient to grep for the domain list in Workstream 2. If you have nothing at all, prioritise the other five workstreams and treat Workstream 2 as a follow-up after you stand up centralised DNS logging. The corporate card scan and Slack and Teams inventory typically surface 40 to 60 percent of exposure even without network telemetry.
Should we tell employees we are running this hunt?
Yes, with framing. Announce that the AI governance committee is conducting a discovery exercise to build an inventory and identify approved tools, not a witch hunt for disciplinary action. Couple the hunt with a positive output: within 30 days, publish a list of sanctioned AI tools that employees can use without approval. This converts the hunt from a deterrent into a partnership and dramatically improves voluntary disclosure on the next round.
What is the biggest single source of shadow AI?
At most mid-market and enterprise organisations, the single largest source is corporate card subscriptions to consumer-tier ChatGPT, Claude, Perplexity, and similar tools at $20 to $30 per month - because these subscriptions land inside individual expense policies and never trigger procurement review. The second largest is browser extensions installed without IT approval. AI features inside existing approved SaaS (Notion, Slack, Salesforce, Microsoft 365) are a fast-growing third category that often dwarfs the others when measured by data exposure rather than vendor count.
How often should we re-run the hunt?
The first hunt establishes the baseline. After that, run a lightweight (30-minute) version monthly to catch delta, and the full 90-minute hunt quarterly to refresh the full inventory. Once an AI control plane (such as the Areebi platform) is in place, continuous discovery replaces the manual cadence, but the quarterly manual hunt remains a valuable cross-check against telemetry blind spots.
What do we do with Tier 1 findings?
For each Tier 1 finding (tools processing customer, regulated, or source code data without authorisation): within ten business days, contact the requesting employee and manager, document the use case, redirect them to a sanctioned alternative if one exists, block the tool at the network or browser layer if no alternative is acceptable, and update the AI Acceptable Use Policy and approved-vendor list to reflect the outcome. The full workflow is covered in our enterprise compliance checklist and the 30-60-90 governance playbook.
About the Author
Areebi Research
The Areebi research team combines hands-on enterprise security work with deep AI governance research. Our analysis is informed by primary sources (NIST, ISO, OECD, federal registers, IAPP) and the operational realities of CISOs running AI programs in regulated industries today.