GreyScape.ai


Shadow AI discovery for the whole organisation

Find every AI tool your employees are using — sanctioned or shadow — across five independent discovery surfaces. Built for IT, security, and FinOps teams who need a clear, defensible answer to “what AI is running here, and who's using it?” in time for the next board meeting.

Why shadow AI matters

You can't govern what you can't see

Shadow AI — employees using AI tools without IT's knowledge — is the single largest blind spot in modern enterprise security. Surveys consistently put adoption above 80% of office workers, while fewer than 30% of those tools have ever been sanctioned, contracted, or risk-reviewed by the organisation paying the bills. Every undiscovered AI tool is a vendor your DPO has never assessed, a data flow your DLP has never inspected, and a line item your finance team is paying for through expense reports rather than vendor invoices.

Traditional shadow-IT tools — CASBs, SSO catalogues, expense policy enforcement — were built for the SaaS era and miss the two things that make AI different. First, AI tools have a consumer onboarding path even when targeted at the enterprise (ChatGPT, Claude, Perplexity, Midjourney, Cursor). Second, AI usage often shows up as zero-dollar free tiers and personal credit-card charges that never reach corporate procurement. Shadow AI discovery has to look in different places than shadow SaaS — and that is what GreyScape.ai is built to do.

How it works

Five shadow AI discovery surfaces, all rolled into one inventory

No single signal catches every AI tool. Card data misses free tiers. Network logs miss employees on home WiFi. SSO catalogues miss anything not behind your IdP. We run five independent discovery surfaces in parallel, then deduplicate into a single shadow AI inventory you can act on.

1 · Expense and corporate-card data

We scan corporate-card transactions for an evolving catalogue of AI merchants — OpenAI, Anthropic, Midjourney, Replicate, Perplexity, ElevenLabs, Suno, Cursor, Runway, v0, Lovable, and dozens more. A new merchant match in the feed becomes a candidate on the shadow AI dashboard within minutes. Card data only sees paid tiers; free-tier use is covered by the other surfaces.

See expense connectors

2 · Network egress and DNS logs

Optional integration with Cloudflare Gateway, Zscaler, or a CSV of DNS queries. We match AI tool domains and surface the originating user when your gateway logs identity. Catches tools accessed on the corporate network but paid for personally — a classic shadow AI pattern. Traffic that never crosses your gateway (home WiFi, a tethered laptop) is covered by the browser extension instead.

See network connectors

3 · Browser extension

Our lightweight extension watches a curated watch-list of AI tool domains and sends one heartbeat per day per tool per device. It is the only surface that catches consumer-tier ChatGPT on a personal Google account, Midjourney on Discord, or Suno on a phone-tethered laptop. Detection-only — it never reads page content.

Browser extension details

4 · Inbound email receipts

Forward your billing inbox to a tenant-specific GreyScape.ai address. We parse vendor receipts, extract amounts and plans, and add the underlying AI tool to the shadow AI inventory automatically — even when it was paid on a personal card.

See receipt parsing

5 · Self-declaration via SSO + attestation

Targeted attestation campaigns ask employees to declare what AI they use. Pre-populated from SSO sign-in data so the form is short. Provides ground truth for the other four surfaces and supports the record-keeping that ISO/IEC 42001 and the EU AI Act expect of an organisation that knows which AI systems it runs.

See SSO connectors

Bonus · Provider API ground truth

When you connect your sanctioned providers (OpenAI org, Anthropic workspace, Azure OpenAI, AWS Bedrock, Vertex AI) we anchor everything else against ground truth. Spend or usage that does not map to one of those connected accounts is treated as shadow AI until you review it: if it turns out to be a legitimately sanctioned route (a reseller contract, say), mark it Sanctioned and it stays anchored from then on.

See provider connectors

What you get

One shadow AI inventory, scored and ready to triage

Each shadow AI candidate lands on the dashboard with the evidence trail (which discovery surface flagged it, when, and why), the user it's attributed to (when SSO or attestation data allows), a category (general AI, code, image, audio, video, search, agent), and a status — Review, Sanctioned, Restricted, or Blocked.

From there you can launch an attestation campaign to the users involved, kick off a vendor-risk review, set a budget cap, or — if the tool turns out to be a duplicate of something already sanctioned — merge it into the existing entry. The audit log captures every decision so the next time internal audit asks “when did we know about Midjourney?” you have a defensible answer.
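To make the merge-and-score step concrete, here is an added worked example, written for this page and not GreyScape.ai's own code. It takes constructed corporate-card transactions and gateway DNS log lines (the log format, the merchant and domain catalogue, and the Sanctioned/Review rule are all assumptions for illustration), matches each against the catalogue the way surfaces 1 and 2 describe, deduplicates the hits into one inventory keyed by tool with an evidence trail, attributed users, card spend and category, and then anchors the result against a set of connected providers as the ground-truth surface describes: usage of a connected provider's tool is Sanctioned, but any card spend outside the connected account is left in Review.

```python
import re

# Constructed catalogue: an assumption for this example, not GreyScape.ai's real merchant
# or domain list. Merchant keys are whole tokens as they appear on card statements.
CATALOGUE = [
    {"tool": "ChatGPT", "vendor": "OpenAI", "category": "general AI",
     "merchants": {"OPENAI", "CHATGPT"}, "domains": {"chatgpt.com", "openai.com"}},
    {"tool": "Claude", "vendor": "Anthropic", "category": "general AI",
     "merchants": {"ANTHROPIC", "CLAUDE.AI"}, "domains": {"claude.ai", "anthropic.com"}},
    {"tool": "Midjourney", "vendor": "Midjourney", "category": "image",
     "merchants": {"MIDJOURNEY"}, "domains": {"midjourney.com"}},
    {"tool": "Cursor", "vendor": "Anysphere", "category": "code",
     "merchants": {"CURSOR", "ANYSPHERE"}, "domains": {"cursor.sh", "cursor.com"}},
]


def match_merchant(descriptor):
    """Card descriptors are noisy ('OPENAI *CHATGPT SUBSCR'), so match on whole
    tokens only; a substring match would turn 'PRECURSOR LTD' into Cursor."""
    tokens = set(re.findall(r"[A-Z0-9.]+", descriptor.upper()))
    return next((e for e in CATALOGUE if tokens & e["merchants"]), None)


def match_domain(qname):
    """Suffix match with a dot boundary: 'api.openai.com' matches openai.com,
    'notopenai.com' does not."""
    q = qname.lower().rstrip(".")
    for e in CATALOGUE:
        if any(q == d or q.endswith("." + d) for d in e["domains"]):
            return e
    return None


def parse_dns_line(line):
    """Constructed gateway log format (assumption): '<iso-ts> <user-or-dash> <qname>'.
    A dash means the gateway did not log identity for that query."""
    when, user, qname = line.split()
    return when, (None if user == "-" else user), qname


def build_inventory(card_txns, dns_lines, connected_providers):
    """Merge card and DNS evidence into one inventory keyed by tool, then anchor
    against the set of providers whose sanctioned accounts are connected."""
    inv = {}

    def candidate(e):
        return inv.setdefault(e["tool"], {
            "tool": e["tool"], "vendor": e["vendor"], "category": e["category"],
            "evidence": [], "users": set(), "spend": 0.0})

    for when, descriptor, amount, cardholder in card_txns:
        e = match_merchant(descriptor)
        if e is None:          # not an AI merchant: ignore
            continue
        c = candidate(e)
        c["evidence"].append({"surface": "card", "when": when, "why": descriptor, "user": cardholder})
        c["users"].add(cardholder)
        c["spend"] += amount

    for line in dns_lines:
        when, user, qname = parse_dns_line(line)
        e = match_domain(qname)
        if e is None:
            continue
        c = candidate(e)
        c["evidence"].append({"surface": "dns", "when": when, "why": qname, "user": user})
        if user:               # attribution only when the gateway logged identity
            c["users"].add(user)

    # Ground truth: usage of a connected provider's tool is sanctioned, but card spend
    # is outside the connected account's billing, so it stays in Review.
    for c in inv.values():
        card_spend = any(ev["surface"] == "card" for ev in c["evidence"])
        c["status"] = "Sanctioned" if c["vendor"] in connected_providers and not card_spend else "Review"
    return inv


def top_shadow(inv, n=10):
    """The rolling top-n of unsanctioned tools, highest card spend first."""
    review = [c for c in inv.values() if c["status"] == "Review"]
    return [c["tool"] for c in sorted(review, key=lambda c: (-c["spend"], c["tool"]))][:n]


# Constructed sample inputs (not real transactions or logs).
CARD_TXNS = [
    ("2024-05-02", "OPENAI *CHATGPT SUBSCR", 20.00, "alice@example.com"),
    ("2024-05-03", "MIDJOURNEY INC", 30.00, "bob@example.com"),
    ("2024-05-03", "AMAZON WEB SERVICES", 412.17, "carol@example.com"),
    ("2024-05-09", "CURSOR AI POWERED IDE", 20.00, "dave@example.com"),
]
DNS_LINES = [
    "2024-05-06T09:14:02Z alice@example.com chatgpt.com",
    "2024-05-06T09:20:11Z - claude.ai",
    "2024-05-06T11:02:45Z erin@example.com cdn.midjourney.com",
    "2024-05-06T11:05:00Z frank@example.com notopenai.com",
    "2024-05-07T08:00:00Z - mail.google.com",
]
CONNECTED_PROVIDERS = {"Anthropic"}  # the sanctioned Claude workspace is connected

if __name__ == "__main__":
    inventory = build_inventory(CARD_TXNS, DNS_LINES, CONNECTED_PROVIDERS)
    for c in inventory.values():
        print(c["tool"], c["status"], c["spend"], sorted(c["users"]), len(c["evidence"]))
    print("top shadow:", top_shadow(inventory))
```

Running it yields four candidates: ChatGPT (card and DNS evidence, attributed to alice, Review), Midjourney (card from bob, DNS from erin, Review), Cursor (card from dave, Review) and Claude (DNS only, no identity logged, Sanctioned because the Anthropic workspace is connected). The AWS charge, the look-alike `notopenai.com` lookup and the mail lookup never enter the inventory. Two design points matter in practice: merchant matching on whole tokens rather than substrings keeps the card surface from drowning the dashboard in false positives, and attribution is recorded only where the surface actually carried identity, which is what lets the attestation surface fill the gaps honestly.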

Outcomes

What shadow AI discovery unlocks for your organisation

A defensible AI inventory

The single answer to “what AI is running here?” that survives questions from internal audit, regulators, your insurer, and your board. Expected under ISO/IEC 42001 (you cannot scope an AI management system without knowing which AI systems you run), useful for the SOC 2 Trust Services Criteria, and the natural evidence base for the EU AI Act's transparency and record-keeping obligations.

Risk reviews focused on real exposure

Rather than reviewing the same handful of sanctioned vendors over and over, your security team focuses on the actual rolling top-ten of shadow AI tools in active use. Higher signal, lower toil.

Attribution that respects employees

Discovery is paired with attestation, not surveillance. Employees declare what they actually use and why; the dashboard surfaces both sides. You build a tool inventory and a usage signal that nobody resents.

Faster, calmer DLP and DSAR responses

When the legal team has to answer “does any of our employee data live in a third-party LLM?” you can answer in minutes instead of weeks — because every AI tool in use is already in one inventory with a known data-flow profile.

See your own shadow AI inventory in 10 minutes

Connect a corporate-card feed, your SSO, or just forward your billing inbox — pick the surface that's easiest for you and we'll have your first shadow AI candidates on the dashboard before the end of your lunch break. Read-only on day one. No procurement required to start.

Frequently asked

Shadow AI discovery — common questions

What counts as shadow AI?

Any AI tool — generative AI, computer-vision, code assistant, agentic platform — used inside the organisation without IT, security, or procurement having sanctioned it. That includes free-tier ChatGPT on a personal Google account, Cursor paid by an engineer on their own card, or a marketing team's Midjourney subscription billed through expenses.

How is shadow AI discovery different from shadow IT discovery?

Shadow IT tools rely heavily on SSO catalogues and IdP sign-in data. AI tools are different: they have rich consumer onboarding paths, they often run on free tiers that never trigger expense reports, and they're frequently paid on personal cards. Shadow AI discovery has to lean on card data, network logs, browser extensions, and email receipts — the surfaces a SaaS-era CASB never had to look at.

Do I have to install a browser extension to find shadow AI?

No. The browser extension is one of five independent discovery surfaces. Most organisations start with corporate-card data and email receipts — both are zero-touch for employees and surface roughly 60-70% of shadow AI within the first week.

Will employees know I'm doing shadow AI discovery?

That's up to you. We provide an optional in-product attestation flow that asks employees directly. Many customers pair it with a short internal comms note — discovery without surveillance, framed as helping the company sanction what people are already using. The audit log captures every detection and every decision either way.

Where does the data live and who can see it?

Your tenant data lives in EU-region Postgres managed by Railway. Only your tenant's admins and members see shadow AI candidates. We never share data between tenants. Full detail is at /what-we-collect.
