TL;DR
Shadow AI detection is the practice of continuously discovering the AI tools your workforce uses without sanction, by correlating five signal families: network and DNS traffic, SaaS and card billing, identity and OAuth grants, endpoint and browser telemetry, and collaboration-app installs. No single tool sees all five, so a real detection programme blends categories - CASB, DLP, SSPM, browser governance, and purpose-built AI security - rather than buying one box. The end state is a continuous feed, not a one-off audit. This guide covers the signal taxonomy, the vendor landscape, a build plan, the metrics that matter, and the decision every team eventually faces: block unsanctioned tools, or redirect users to a governed workspace. Updated 10 June 2026.
Why it is urgent: IBM's 2025 Cost of a Data Breach report found shadow AI was a factor in 20% of breaches, adding roughly USD 670,000 to the average breach cost, and that 63% of breached organisations had no AI governance policy at all (Source). You cannot govern what you cannot see, and most organisations cannot yet see it.
What shadow AI detection actually means
Shadow AI detection is the continuous identification of unsanctioned AI tools, models, and features in use across an organisation, together with who is using them and what data they touch. It is the operational counterpart to the question "what is shadow AI?" - the definitions and risk taxonomy are covered in our shadow AI primer; this guide is about how you find it and keep finding it.
Detection differs from a one-off discovery audit in one decisive way: cadence. A point-in-time hunt produces a baseline; detection produces a stream. Shadow AI is a flow, not a stock - new tools land weekly, free tiers spread by word of mouth, and incumbent SaaS vendors quietly switch on AI features without a procurement event. The scale of the underlying behaviour is now well documented. Cyberhaven's 2025 AI adoption research found that the volume of corporate data flowing into AI tools rose 485% between March 2023 and March 2024, and that more than 73% of workplace AI use happens through unsanctioned personal accounts rather than enterprise tenancies (Source).
Microsoft and LinkedIn's 2024 Work Trend Index, a survey of 31,000 knowledge workers across 31 markets, found 75% already use generative AI at work and 78% of those users bring their own AI tools (BYOAI) rather than waiting for an approved option (Source). Detection is the discipline that turns that diffuse, individual behaviour into a managed inventory.
The five detection-signal families
Every shadow AI tool leaves a trace in at least one of five places. A detection programme that covers all five sees roughly the full surface; one that covers a single family misses the majority. Map your existing telemetry against these five before buying anything new - you almost certainly already collect three or four of them.
1. Network and DNS
The signal: outbound traffic to known model-provider and AI-application endpoints. This is the canonical catch-all because it sees direct API consumption that has no billing or SaaS footprint - automation scripts, embedded vendor calls, and developer use against raw model APIs.
Where it lives: the corporate DNS resolver, the secure web gateway (SWG), the next-generation firewall, and the CASB. Query for traffic to domains such as api.openai.com, chatgpt.com, api.anthropic.com, claude.ai, generativelanguage.googleapis.com, api.mistral.ai, api.perplexity.ai, api.deepseek.com, and the long tail of model hosts. The full domain list and the exact resolver and CASB queries are in our 90-minute shadow AI hunt playbook (Workstream 2) - this guide does not duplicate them.
Strengths and blind spots: network telemetry catches everything that touches the corporate network and is hard for a user to evade without leaving the perimeter. Its blind spot is off-network use - a personal laptop on home Wi-Fi, or a managed device a user takes home - and increasingly the use of AI features tunnelled inside an already-approved SaaS domain, where the AI traffic is indistinguishable from ordinary app traffic at the DNS layer.
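The following is an added example, not code from the page or from Areebi, showing the minimum a resolver-side check needs to get right: suffix matching on label boundaries, so that a lookalike name does not match a watch-listed domain while genuine subdomains do. The log format is a constructed, simplified resolver line (timestamp, client IP, queried name); real resolver and SWG logs differ, so `parse_line()` is the only part to adapt. The domain list is the one named in this section; the full list lives in the hunt playbook.

```python
"""Match DNS resolver query logs against a watch-list of AI provider domains.

Added example, not code from the page or from Areebi. The log format below is
a constructed, simplified resolver line (timestamp, client IP, queried name).
"""
from collections import defaultdict
from typing import Optional, Tuple

# Domains named in the guide; the full list lives in the hunt playbook.
AI_DOMAINS = (
    "api.openai.com",
    "chatgpt.com",
    "api.anthropic.com",
    "claude.ai",
    "generativelanguage.googleapis.com",
    "api.mistral.ai",
    "api.perplexity.ai",
    "api.deepseek.com",
)


def matches_ai_domain(qname: str) -> Optional[str]:
    """Return the watch-list entry that qname equals or is a subdomain of.

    Matching is done on label boundaries, so 'notchatgpt.com' does not match
    'chatgpt.com' while 'cdn.chatgpt.com' does. A trailing dot (FQDN form in
    many resolver logs) is tolerated.
    """
    name = qname.rstrip(".").lower()
    for domain in AI_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Parse the constructed log format: '<ISO timestamp> <client_ip> <qname>'."""
    parts = line.split()
    if len(parts) != 3:
        return None  # skip malformed lines instead of aborting the whole run
    return parts[0], parts[1], parts[2]


def find_ai_lookups(lines):
    """Return {client_ip: {matched_domain: query_count}} for AI-bound lookups."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ts, client, qname = parsed
        domain = matches_ai_domain(qname)
        if domain:
            hits[client][domain] += 1
    return {client: dict(domains) for client, domains in hits.items()}


# Constructed sample log lines (not real traffic); the third is a lookalike.
SAMPLE_LOG = [
    "2026-06-01T09:14:02Z 10.20.4.17 api.openai.com.",
    "2026-06-01T09:14:05Z 10.20.4.17 cdn.chatgpt.com",
    "2026-06-01T09:15:11Z 10.20.7.3 notchatgpt.com",
    "2026-06-01T09:16:40Z 10.20.7.3 generativelanguage.googleapis.com",
    "2026-06-01T09:17:00Z 10.20.9.9 www.example.com",
    "this line is malformed",
    "2026-06-01T09:18:22Z 10.20.4.17 api.openai.com",
]

if __name__ == "__main__":
    for client, domains in find_ai_lookups(SAMPLE_LOG).items():
        print(client, domains)
```

The per-client aggregate is what feeds the inventory: a host that resolves `api.openai.com` hundreds of times a day with no browser session is the automation-script case this family exists to catch, and it is worth separating from one-off chat use when you tier the finding later.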
2. SaaS and card billing
The signal: recurring charges to AI vendors that bypassed procurement. This is the single richest source of long-tail freemium and prosumer-tier shadow AI, because almost every popular AI tool offers a USD 20 to 50 monthly tier that fits inside an individual expense policy and never triggers a vendor review.
Where it lives: the accounts-payable ledger, the corporate card platform (Brex, Ramp, SAP Concur, Coupa, Expensify), and the SaaS-management tool if you run one. Filter for vendor strings and known AI billing domains.
Strengths and blind spots: billing data is authoritative - a charge is a charge - and it captures tools no network or endpoint sensor would flag because the user accesses them off-network. Its blind spot is everything free: a free-tier ChatGPT account, a free Gemini login, or an AI browser extension costs nothing and therefore appears in no ledger. Harmonic Security's analysis of 22.4 million enterprise AI prompts found that 16.9% of all sensitive-data exposures flowed through free or personal-tier accounts - precisely the usage that billing detection cannot see (Source).
3. Identity and OAuth
The signal: OAuth grants and SSO application registrations tied to AI tools. The identity provider holds the ground truth for which third-party applications employees have actually connected to corporate identity and corporate data - even tools that never appeared in procurement or billing.
Where it lives: Okta (System Log and the application registry), Microsoft Entra ID (Enterprise applications and consented permissions), and Google Workspace (API Controls, domain-wide delegation, and the token audit log). Pay particular attention to user-consented (rather than admin-consented) grants, which bypass IT review by design, and to any AI tool requesting broad scopes such as Mail.Read, Files.Read.All, or Calendars.Read.
Strengths and blind spots: OAuth detection is high-signal because a grant is an explicit, logged authorisation with a defined scope - it tells you not just that a tool is in use but what it can reach. Its blind spot is any tool that never integrates via OAuth: a user pasting text into a chatbot web page grants no OAuth scope and leaves no identity trace at all.
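An added example, not code from the page or from Areebi, of the review rule this section describes: surface grants that were user-consented rather than admin-consented, to an app that looks like an AI tool, with one of the broad scopes named above. The record fields (`clientId`, `consentType`, `principalId`, `scope`) follow the Microsoft Graph `oAuth2PermissionGrant` resource, but every record below is constructed sample data, not a tenant export; the app-name table and the AI name-hint regex are assumptions standing in for a real service-principal lookup and a curated AI catalogue. The same logic maps onto Okta's application registry and Google Workspace's token audit log with different field names.

```python
"""Flag user-consented OAuth grants to AI-looking apps that hold broad scopes.

Added example, not code from the page or from Areebi. Field names follow the
Microsoft Graph oAuth2PermissionGrant resource; the data is constructed.
"""
import re

# Scopes the guide calls out as broad; extend per your own review policy.
BROAD_SCOPES = {"Mail.Read", "Files.Read.All", "Calendars.Read"}

# Constructed clientId -> displayName table (assumed helper; a real run would
# resolve clientId to the service principal's displayName separately).
APP_NAMES = {
    "sp-1001": "Acme Meeting Summariser",
    "sp-1002": "Corporate Intranet",
    "sp-1003": "Inbox AI Assistant",
}

# Constructed heuristic; a curated AI catalogue is the real answer.
AI_NAME_RE = re.compile(r"\b(ai|gpt|copilot|assistant|summari[sz]er)\b", re.I)


def looks_like_ai_app(name: str) -> bool:
    return AI_NAME_RE.search(name) is not None


def review_grants(grants, app_names=APP_NAMES):
    """Return findings for user-consented grants to AI apps with broad scopes.

    consentType 'Principal' means one user consented on their own behalf,
    which bypasses admin review by design; 'AllPrincipals' is an admin-granted,
    tenant-wide consent and is assumed to have been reviewed.
    """
    findings = []
    for g in grants:
        name = app_names.get(g["clientId"], g["clientId"])
        scopes = set(g.get("scope", "").split())  # scope is space-separated
        broad = sorted(scopes & BROAD_SCOPES)
        if g.get("consentType") == "Principal" and looks_like_ai_app(name) and broad:
            findings.append({
                "app": name,
                "user": g.get("principalId"),
                "broad_scopes": broad,
            })
    return findings


# Constructed sample grants (not real tenant data).
SAMPLE_GRANTS = [
    {"clientId": "sp-1001", "consentType": "Principal",
     "principalId": "user-a", "scope": "Calendars.Read User.Read"},
    {"clientId": "sp-1002", "consentType": "Principal",
     "principalId": "user-b", "scope": "Files.Read.All"},        # not an AI app
    {"clientId": "sp-1003", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Mail.Read"},                   # admin-consented
    {"clientId": "sp-1003", "consentType": "Principal",
     "principalId": "user-c", "scope": "User.Read"},               # narrow scope
    {"clientId": "sp-1003", "consentType": "Principal",
     "principalId": "user-d", "scope": "Mail.Read Files.Read.All"},
]

if __name__ == "__main__":
    for finding in review_grants(SAMPLE_GRANTS):
        print(finding)
```

Note that the admin-consented `Inbox AI Assistant` grant is deliberately not flagged here; it belongs in the sanctioned catalogue review rather than the shadow inventory, which is the distinction that keeps this family high-signal.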
4. Endpoint and browser
The signal: AI browser extensions, desktop AI applications, and - crucially - the act of pasting sensitive content into an AI tool. The browser is where most knowledge-worker shadow AI actually happens, and browser extensions are the highest-velocity vector because they need no procurement event, no IT install, and no admin rights.
Where it lives: the managed-browser admin console (Google Workspace Chrome management, Microsoft Edge under Intune), the EDR or MDM agent for installed-application and extension inventory, and a browser-governance extension for the content layer. The content layer is the one most teams lack: it is the difference between knowing the ChatGPT extension is installed and knowing that a customer-success rep pasted a customer record into it.
Strengths and blind spots: endpoint and browser telemetry is the only family that sees the prompt itself - the actual data leaving the organisation - which is why it is the foundation of any real data-loss control for AI. Cyberhaven found that 11% of everything employees paste into ChatGPT is confidential, and that just 0.9% of employees account for 80% of the egress (Source). Its blind spot is unmanaged devices the agent does not reach.
5. Collaboration and SaaS-embedded AI
The signal: AI apps installed into Slack, Microsoft Teams, Salesforce, Notion, and other collaboration platforms, plus AI features switched on inside SaaS tools you already pay for. This is the fastest-growing family by data exposure, because a single workspace app install can grant an AI tool access to messages, files, and channels across the whole organisation.
Where it lives: the Slack and Teams app-management consoles, the SSPM tool, and each major SaaS vendor's own admin and audit surface. An SSPM (SaaS security posture management) product is the natural home for this family because it is purpose-built to inventory third-party app connections and their scopes across many SaaS tenants at once.
Strengths and blind spots: this family catches the exposure that is invisible to the other four - the "AI feature your incumbent vendor enabled last Tuesday" problem. Its blind spot is that the underlying AI processing often happens inside the vendor's own cloud, so you can detect that the feature is enabled and who can use it, but not always what was sent through it.
The detection tooling landscape
Five tool categories detect shadow AI, each anchored to one or two of the signal families above. None covers all five, so the practical question is not "which tool" but "which combination closes my specific gaps". The table below names real vendors fairly across each category. Inclusion is descriptive, not an endorsement - evaluate against your own environment.
| Category | Primary signal families | What it does well for shadow AI | Representative vendors |
|---|---|---|---|
| CASB / SWG | Network and DNS | Discovers AI domains in outbound traffic at scale; can coarse-block categories. The broadest discovery net for anything on-network. | Netskope, Zscaler |
| DLP | Endpoint and browser; network | Inspects content for sensitive data before it leaves, including into AI tools; the data-classification layer. | Microsoft Purview, Nightfall |
| SSPM | Collaboration apps; identity and OAuth | Inventories third-party AI app connections and OAuth scopes across SaaS tenants; catches SaaS-embedded AI. | SSPM modules within Netskope and major posture-management suites |
| Browser governance / purpose-built AI security | Endpoint and browser; content | Sees the prompt itself: which AI tool, by whom, with what data; can redact or block at the point of paste. | Cyberhaven, Areebi |
| Govern-and-redirect platform | All five, plus enforcement | Detects, then redirects users from unsanctioned tools to a governed workspace with DLP, audit, and policy - detection that resolves into control. | Areebi |
A few honest notes on the landscape. CASB and SWG give you breadth but operate at the domain layer, so they increasingly struggle to separate AI traffic from ordinary SaaS traffic. DLP gives you the content layer but is only as good as its classification and its coverage of the egress channels. SSPM is the right home for SaaS-embedded AI but says little about raw web-chat use. Purpose-built AI security and browser-governance tools see the prompt - the thing that actually matters for data loss - but require an endpoint or browser footprint. The reason a govern-and-redirect approach exists at all is that detection without a destination tends to fail: when you block a tool people need, they route around you. More on that in the block-versus-govern decision.
How to build a continuous detection programme
The goal is a standing capability that surfaces new shadow AI within days of it appearing, not a quarterly fire drill. A one-off audit is the right way to establish a baseline - run the 90-minute shadow AI hunt first - but the programme below is what keeps the inventory alive afterwards. Build it in five steps.
Step 1: Establish the baseline (week 1)
Run the one-off hunt across all five signal families to produce a dated, ranked inventory: vendor, owner, data class, discovery source, and risk tier. This is the reference point every later delta is measured against. Do not skip to continuous monitoring without a baseline - you will have no way to tell signal from noise.
Step 2: Instrument the signal families you already own (weeks 2-4)
Wire your existing CASB or SWG, DLP, identity provider, and collaboration-app consoles to emit AI-relevant events into one place - typically your SIEM or a dedicated dashboard. The aim is coverage of as many of the five families as your current stack allows before you spend on anything new. Most organisations find they already have three or four instrumented and simply never correlated them.
Step 3: Close the content and browser gap (month 2)
The family most teams lack is the content layer - the prompt itself. This is where a DLP-for-AI or browser-governance capability earns its place, because it is the only way to move from "this tool is in use" to "this customer record was pasted into this tool by this person". Without it, your detection programme can name tools but cannot quantify exposure, and exposure is what the board and the regulator ask about.
Step 4: Correlate and risk-tier automatically (month 2-3)
Deduplicate across families - a genuine shadow tool usually shows up in two or three at once - and assign a risk tier per finding. Tier 1: any tool with confirmed processing of regulated data (PHI, PCI, PII) or source code. Tier 2: broad OAuth scopes without confirmed regulated-data exposure. Tier 3: bounded personal-productivity use. Automate the tiering against your data-classification rules so new findings are triaged the moment they appear.
Step 5: Close the loop into policy and the sanctioned catalogue (ongoing)
Detection only creates value if findings drive action. Feed Tier 1 findings into remediation within ten business days, feed recurring demand into your sanctioned-tool catalogue (if 40 people are using an unapproved transcription tool, the signal is that you need a sanctioned one), and feed both back into the AI acceptable-use policy. This is the difference between a detection programme and a detection report. For the full governance scaffolding around this loop, see our guide to building an AI governance programme.
Metrics to track
A detection programme needs a small set of metrics that a non-technical executive can read in thirty seconds and that move when the programme works. Track these five.
- Distinct unsanctioned AI tools detected. The headline inventory count. Expect it to rise at first (you are getting better at seeing, not worse at controlling) then stabilise as the sanctioned catalogue absorbs demand.
- Time-to-detect (TTD). Median days from a new tool first appearing in your environment to its appearing in your inventory. This is the single best measure of whether your detection is genuinely continuous. Mean-time-to-detect for shadow channels runs months longer than for monitored ones, which is a large part of why shadow AI breaches cost more.
- Sensitive-data exposure rate. The share of detected AI sessions that touch regulated data. This is the metric most predictive of breach cost. Harmonic's corpus put the overall rate of prompts containing sensitive data at roughly 2.6%, with ChatGPT alone accounting for 71.2% of sensitive-data exposures across the tools studied (Source).
- Coverage of the five signal families. A simple five-point score of how many families you actively monitor. Most programmes start at two or three; the gap to five is your roadmap.
- Tier 1 remediation SLA adherence. The percentage of Tier 1 findings remediated within your stated window (ten business days is a defensible default). This is the metric a regulator will actually ask to see.
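Step 4 above (deduplicate across families and tier automatically) and the five metrics in this list operate on the same finding records, so one added example serves both. It is not code from the page or from Areebi: the vendor alias table, the observations, and the dates are constructed sample data, and the business-day counter is an assumed helper that ignores public holidays. The tiering rules and the metric definitions are the guide's own.

```python
"""Correlate per-family shadow-AI observations into findings, tier them, and
compute the programme metrics.

Added example, not code from the page or from Areebi. All records, aliases
and dates are constructed sample data.
"""
from datetime import date, timedelta
from statistics import median

REGULATED = {"PHI", "PCI", "PII", "source_code"}   # Tier 1 data classes
FAMILIES = ("network", "billing", "identity", "endpoint", "collab")
SLA_BUSINESS_DAYS = 10

# Constructed alias table: the same vendor appears as a DNS name, a card
# descriptor and an OAuth app name, and must collapse to one key.
VENDOR_ALIASES = {
    "api.openai.com": "openai", "OPENAI *CHATGPT SUBSCR": "openai",
    "ChatGPT": "openai", "claude.ai": "anthropic", "Anthropic": "anthropic",
    "Acme Meeting Summariser": "acme-summariser",
}


def vendor_key(raw: str) -> str:
    return VENDOR_ALIASES.get(raw, raw.strip().lower())


def business_days(start: date, end: date) -> int:
    """Mon-Fri days in (start, end]; assumed helper, ignores public holidays."""
    count, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            count += 1
    return count


def assign_tier(finding) -> int:
    """Tier rules from the guide: regulated data or code -> 1, broad OAuth -> 2, else 3."""
    if finding["data_classes"] & REGULATED:
        return 1
    if finding["broad_oauth"]:
        return 2
    return 3


def correlate(observations):
    """Merge per-family observations of the same vendor into one tiered finding."""
    merged = {}
    for obs in observations:
        key = vendor_key(obs["vendor"])
        f = merged.setdefault(key, {
            "vendor": key, "families": set(), "data_classes": set(),
            "broad_oauth": False, "first_seen": obs["first_seen"],
            "detected_on": obs["detected_on"], "remediated_on": None,
        })
        f["families"].add(obs["family"])
        f["data_classes"] |= set(obs.get("data_classes", ()))
        f["broad_oauth"] |= obs.get("broad_oauth", False)
        f["first_seen"] = min(f["first_seen"], obs["first_seen"])    # earliest sighting
        f["detected_on"] = min(f["detected_on"], obs["detected_on"])  # earliest inventory entry
        if obs.get("remediated_on"):
            f["remediated_on"] = obs["remediated_on"]
    for f in merged.values():
        f["tier"] = assign_tier(f)
    return list(merged.values())


def metrics(findings, monitored_families):
    """The five programme metrics from the guide, computed over tiered findings."""
    tier1 = [f for f in findings if f["tier"] == 1]
    ttd = [(f["detected_on"] - f["first_seen"]).days for f in findings]
    exposed = [f for f in findings if f["data_classes"] & REGULATED]
    sla_met = [f for f in tier1 if f["remediated_on"]
               and business_days(f["detected_on"], f["remediated_on"]) <= SLA_BUSINESS_DAYS]
    return {
        "distinct_tools": len(findings),
        "ttd_median_days": median(ttd) if ttd else None,
        "exposure_rate": round(len(exposed) / len(findings), 2) if findings else 0.0,
        "family_coverage": f"{len(set(monitored_families) & set(FAMILIES))}/5",
        "tier1_sla_adherence": round(len(sla_met) / len(tier1), 2) if tier1 else None,
    }


# Constructed observations from four families (dates are fictitious).
RAW_OBSERVATIONS = [
    {"family": "network", "vendor": "api.openai.com",
     "first_seen": date(2026, 5, 4), "detected_on": date(2026, 5, 6)},
    {"family": "endpoint", "vendor": "ChatGPT", "data_classes": {"PII"},
     "first_seen": date(2026, 5, 5), "detected_on": date(2026, 5, 5),
     "remediated_on": date(2026, 5, 15)},
    {"family": "billing", "vendor": "OPENAI *CHATGPT SUBSCR",
     "first_seen": date(2026, 5, 1), "detected_on": date(2026, 5, 12)},
    {"family": "identity", "vendor": "Acme Meeting Summariser", "broad_oauth": True,
     "first_seen": date(2026, 4, 20), "detected_on": date(2026, 5, 11)},
    {"family": "network", "vendor": "claude.ai",
     "first_seen": date(2026, 5, 10), "detected_on": date(2026, 5, 11)},
    {"family": "endpoint", "vendor": "Anthropic", "data_classes": {"source_code"},
     "first_seen": date(2026, 5, 10), "detected_on": date(2026, 5, 10)},
]
SAMPLE_MONITORED = ["network", "billing", "identity", "endpoint"]  # no collab yet


def run_sample():
    findings = correlate(RAW_OBSERVATIONS)
    return findings, metrics(findings, SAMPLE_MONITORED)


if __name__ == "__main__":
    for f, m in [run_sample()]:
        print(f)
        print(m)
```

On the sample data the six observations collapse to three findings, which is the deduplication point of Step 4: the OpenAI sighting arrives through network, endpoint and billing, and the earliest first-seen date across them (the card charge) is what the time-to-detect metric is measured from, not the date the most convenient sensor noticed it.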
For context on why the exposure rate matters in dollar terms: Varonis's 2025 State of Data Security report, drawn from nearly 10 billion files across 1,000 real-world environments, found that 99% of organisations have sensitive data exposed to AI and 98% have unverified apps including shadow AI (Source). The exposure is effectively universal; the differentiator is whether you can see it.
The block-versus-govern decision
Once detection is working, every team faces the same fork: block the unsanctioned tool, or redirect the user to a governed alternative. Blocking is satisfying and occasionally necessary, but as a default it fails for a documented reason: demand does not disappear, it relocates. When 75% of knowledge workers already use AI at work and 78% bring their own, a hard block on the popular tool simply pushes the activity onto a personal device or a less-visible channel, which is worse for detection, not better.
The govern alternative is to meet the demand with a sanctioned destination. This is the model Areebi is built around: when a detection signal shows a user reaching for an unsanctioned AI tool, the browser extension blocks the unapproved tool and redirects the user to the governed workspace - same task, but now with real-time DLP, an immutable audit log, the policy engine, and data residency applied. The user gets their answer; the organisation gets the prompt inside a controlled boundary instead of leaking into a personal account. Detection is what makes this possible: you cannot redirect a tool you have not detected.
A reasonable policy is a hybrid. Block outright the small set of tools that are categorically unacceptable for your jurisdiction or sector - for example, the consumer apps that store prompt data in jurisdictions you cannot accept; Harmonic found roughly 4.1% of enterprise AI traffic going to China-based tools such as DeepSeek (Source), and the Australian Government banned DeepSeek from its devices in February 2025 on exactly that basis (Source). Govern-and-redirect everything else. The block list stays short; the governed workspace does the heavy lifting.
The cost of getting this wrong is the cost of getting detection wrong, plus a false sense of safety. IBM's data shows shadow AI added USD 670,000 to the average breach and that 97% of organisations suffering an AI-related breach lacked proper AI access controls (Source). Detection plus a governed destination is how you become the 3% that does have controls.
Where Areebi fits
Areebi is the layer that turns shadow AI detection into shadow AI control. The browser extension provides the endpoint-and-browser signal family - the prompt-level visibility most stacks lack - and rather than simply blocking, it redirects users from unapproved AI tools to a governed workspace where real-time DLP redacts sensitive data, an immutable audit log captures every prompt and response, the policy engine enforces acceptable use, and SSO, MFA, and RBAC control access. For organisations that need data to stay onshore or inside their own network, the same governance applies to a private, self-hosted deployment.
Detection is the entry point; governance is the destination. If you want to see the detect-and-redirect flow against your own environment, you can book a demo or read the platform overview. For the wider data behind this guide, see our companion resource below.
Further reading and next steps
- Shadow AI statistics 2026 - 40+ verified, individually sourced stats on unsanctioned AI at work; the data behind this guide.
- The 90-minute shadow AI hunt playbook - the one-off baseline audit, with the exact DNS domains and console queries this guide references.
- What is shadow AI? - the foundational definitions and risk taxonomy.
- Build an AI governance programme - the governance scaffolding around a detection programme.
- The Shadow AI Index Q3 2026 - the 4-tier maturity model detection feeds into.
External sources
- IBM & Ponemon Institute, Cost of a Data Breach Report 2025: ibm.com/reports/data-breach.
- Cyberhaven Labs, 11% of data employees paste into ChatGPT is confidential / 2025 AI Adoption and Risk Report: cyberhaven.com.
- Harmonic Security, What 22 Million Enterprise AI Prompts Reveal About Shadow AI in 2025: harmonic.security.
- Varonis, 2025 State of Data Security Report: varonis.com/blog/state-of-data-security-report.
- Gartner, 40% of organisations will suffer shadow-AI incidents by 2030 (Infosecurity Magazine, Nov 2025): infosecurity-magazine.com.
- Microsoft & LinkedIn, 2024 Work Trend Index Annual Report: microsoft.com/worklab.
Frequently Asked Questions
What is shadow AI detection?
Shadow AI detection is the continuous identification of unsanctioned AI tools, models, and features in use across an organisation, along with who is using them and what data they touch. It works by correlating five signal families: network and DNS traffic, SaaS and card billing, identity and OAuth grants, endpoint and browser telemetry, and collaboration-app installs. Because no single signal sees everything, effective detection blends multiple sources rather than relying on one tool. It is the operational practice that makes AI governance possible, since you cannot govern tools you cannot see.
How do you detect shadow AI?
Detect shadow AI by instrumenting five signal families. Network and DNS logs (via your CASB, secure web gateway, or resolver) catch direct API calls to model providers. SaaS and corporate-card billing catch paid subscriptions that bypassed procurement. Identity and OAuth grants in Okta, Microsoft Entra ID, or Google Workspace catch tools connected to corporate identity. Endpoint and browser telemetry, ideally with a content-aware DLP or browser-governance extension, catches the prompt itself and the data being pasted. Collaboration-app and SSPM inventories catch AI apps installed into Slack, Teams, and other SaaS. Start with a one-off baseline audit, then make it continuous by feeding all five into a single dashboard or SIEM.
What are the best shadow AI detection tools?
There is no single best tool; there are five categories, and most organisations combine them. CASB and secure web gateways (such as Netskope and Zscaler) give the broadest network-layer discovery. DLP tools (such as Microsoft Purview and Nightfall) provide the content-classification layer. SSPM products inventory SaaS-embedded AI and OAuth connections. Browser-governance and purpose-built AI security tools (such as Cyberhaven) see the prompt itself. Govern-and-redirect platforms such as Areebi detect across all five families and then redirect users from unsanctioned tools to a governed workspace with DLP, audit, and policy enforcement. The right choice depends on which signal families your current stack already covers.
How is shadow AI detection different from a one-off shadow AI audit?
A one-off audit produces a point-in-time baseline; detection produces a continuous stream. Shadow AI is a flow rather than a stock - new tools appear weekly, free tiers spread informally, and incumbent SaaS vendors enable AI features without a procurement event. A baseline audit (such as a 90-minute hunt across the five signal families) is the right starting point, but the value comes from instrumenting those families so new shadow AI surfaces within days. The key metric is time-to-detect: the median number of days from a tool first appearing to its appearing in your inventory.
Should you block shadow AI or govern it?
A hybrid is usually best. Block outright the small set of tools that are categorically unacceptable for your sector or jurisdiction - for example, consumer apps that store prompts in jurisdictions you cannot accept. Govern-and-redirect everything else, because hard-blocking a tool people genuinely need does not remove the demand; it pushes the activity onto personal devices and less-visible channels, which is worse for detection. The govern approach meets demand with a sanctioned destination: when a user reaches for an unsanctioned tool, they are redirected to a governed workspace where DLP, audit logging, and policy still apply. Detection is what makes redirection possible, since you cannot redirect a tool you have not detected.
How prevalent and costly is undetected shadow AI?
It is effectively universal and measurably costly. Varonis found 99% of organisations have sensitive data exposed to AI and 98% have unverified apps including shadow AI. Cyberhaven found the volume of corporate data flowing into AI tools rose 485% in a year and that more than 73% of workplace AI use runs through unsanctioned personal accounts. IBM's 2025 Cost of a Data Breach report found shadow AI was a factor in 20% of breaches, added roughly USD 670,000 to the average breach cost, and that 63% of breached organisations had no AI governance policy. The exposure is near-universal; whether you can detect it is the differentiator.
About the Author
Areebi Research
The Areebi research team combines hands-on enterprise security work with deep AI governance research. Our analysis is informed by primary sources (NIST, ISO, OECD, federal registers, IAPP) and the operational realities of CISOs running AI programs in regulated industries today.