Guide

How to assess Shadow AI in your organization

Guide to identifying, assessing, and controlling ungoverned AI use in the organization. Shadow AI detection, risk assessment, and control framework.

Shadow AI is the use of AI tools by employees without the organization's knowledge or formal approval. 73% of organizations in LATAM operate with some form of Shadow AI. This guide provides a structured method to detect it, assess it, and decide what to do with each case.

Step by step

Execute a Shadow AI discovery

Combine technical methods (network traffic analysis, AI API access logs, SaaS subscription review) with organizational methods (anonymous surveys, area leader interviews) to identify all unapproved AI uses.

Auditor's tip: Do not frame the discovery as punitive. If employees perceive a threat, they will hide usage. Framing the survey as 'inventory to improve tools' generates better response rates.

Classify uses by risk level

For each identified Shadow AI use, assess risk based on: type of data processed (personal, confidential, public), impact of an erroneous decision, regulatory exposure, and operational dependency on the system.

Auditor's tip: Use a 4-quadrant matrix: low risk/low value (eliminate), low risk/high value (adopt), high risk/low value (prohibit), high risk/high value (govern with controls).

Define the acceptable AI use policy

Draft a clear policy defining which AI tools are approved, what types of data can be processed with each, which uses are prohibited, and what the request process is for new tools.

Auditor's tip: A policy that only prohibits does not work. Offer approved alternatives for legitimate use cases; otherwise, employees will continue using Shadow AI.

Implement technical detection and prevention controls

Deploy controls such as URL filtering for unapproved AI services, DLP (Data Loss Prevention) to detect sensitive data being sent to external APIs, and monitoring of new SaaS subscriptions.

Auditor's tip: Technical controls must be proportional. Blocking everything generates resistance and pushes employees to use personal VPNs or devices to circumvent restrictions.

Establish an evaluation and approval process for new AI tools

Create an agile request, risk assessment, and approval workflow for new AI tools. If the process is slow or bureaucratic, employees will avoid it and Shadow AI will persist.

Auditor's tip: Define a 10-business-day SLA to evaluate low-medium risk tool requests. For high-risk ones, a more thorough process of up to 30 days is reasonable.

Monitor and repeat the assessment cycle

Shadow AI is dynamic: new tools appear every week. Establish a quarterly re-discovery and assessment cycle to keep the inventory updated and controls effective.

Auditor's tip: Incorporate detected Shadow AI as a KRI on the organization's risk dashboard. If the number grows, the acceptable use policy needs revision.

Key points

Shadow AI is inevitable; the question is not whether it exists, but how much risk it is generating without visibility.
A policy that only prohibits without offering approved alternatives is ineffective.
The new tool approval process must be agile; if bureaucratic, it feeds Shadow AI.
Shadow AI assessment is not a one-time project: it requires a quarterly re-discovery cycle.

Frequently asked questions

No. Many Shadow AI uses reveal legitimate productivity needs the organization is not covering. The goal is not to eliminate all use, but to govern it: adopt what adds value with controls, and prohibit what generates risk without benefit.

ISO 42001 requires an AI systems inventory as part of the AIMS. Shadow AI represents systems outside that inventory, constituting a conformity gap. A Shadow AI assessment is a natural preliminary step to ISO 42001 implementation.

Comparison

Ready to act on these findings?

Need an assessment in this area?

Request diagnosis→View research→

Loading content…

Key points

Shadow AI is inevitable; the question is not whether it exists, but how much risk it is generating without visibility.

A policy that only prohibits without offering approved alternatives is ineffective.

The new tool approval process must be agile; if bureaucratic, it feeds Shadow AI.

Shadow AI assessment is not a one-time project: it requires a quarterly re-discovery cycle.

Frequently asked questions

How to assess Shadow AI in your organization

Step by step

Execute a Shadow AI discovery

Classify uses by risk level

Define the acceptable AI use policy

Implement technical detection and prevention controls

Establish an evaluation and approval process for new AI tools

Monitor and repeat the assessment cycle

Key points

Frequently asked questions

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 27001 vs NIST CSF: cybersecurity frameworks compared

ISO 42001

ISMS

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

How to assess Shadow AI in your organization

Step by step

Execute a Shadow AI discovery

Classify uses by risk level

Define the acceptable AI use policy

Implement technical detection and prevention controls

Establish an evaluation and approval process for new AI tools

Monitor and repeat the assessment cycle

Key points

Frequently asked questions

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 27001 vs NIST CSF: cybersecurity frameworks compared

ISO 42001

ISMS

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

How to assess Shadow AI in your organization

Step by step

Execute a Shadow AI discovery

Classify uses by risk level

Define the acceptable AI use policy

Implement technical detection and prevention controls

Establish an evaluation and approval process for new AI tools

Monitor and repeat the assessment cycle

Key points

Frequently asked questions

Related content

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 27001 vs NIST CSF: cybersecurity frameworks compared

ISO 42001

ISMS

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

How to assess Shadow AI in your organization

Step by step

Execute a Shadow AI discovery

Classify uses by risk level

Define the acceptable AI use policy

Implement technical detection and prevention controls

Establish an evaluation and approval process for new AI tools

Monitor and repeat the assessment cycle

Key points

Frequently asked questions

Related content

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 27001 vs NIST CSF: cybersecurity frameworks compared

ISO 42001

ISMS

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?