DE | EN

Uncovering Shadow AI Systematically

Uncovering shadow AI systematically

In my article on shadow AI in the company I described the problem: AI tools that employees use without IT approval are an invisible compliance risk. But knowing a problem is not enough. Today I show how you uncover, assess and get a grip on shadow AI systematically.

Why shadow AI needs its own analysis

The IT system scan finds officially licensed systems. Department interviews capture consciously used tools. But shadow AI does not reliably appear in any of these sources. Employees use ChatGPT, DeepL or browser extensions not out of malice, but because these tools make them more productive.

The EU AI Act makes no distinction between approved and unapproved AI use. Article 4 requires AI literacy for all users, Article 26(5) requires appropriate training. Both presuppose that you know which systems are actually in use. This step is therefore not an additional task, but a prerequisite for a complete AI inventory.

Method 1: reading interview signals correctly

Your department interviews already contain clues to shadow AI. Typical signals are hesitant answers to questions about private tools, phrasings like “sometimes” or “now and then” and indirect hints about colleagues.

The questioning technique decides the success. Do not ask: “Do you use unapproved AI tools?” That creates defensiveness. Better: “Do you sometimes use private AI tools for work?” or “Do you have browser extensions that help you?” Normalise the situation with sentences like: “Many colleagues use ChatGPT. That is not forbidden, we just have to document it.” Whoever asks this way gets honest answers.

Method 2: technical analysis via network logs

If your IT has access to firewall or proxy logs, check accesses to known AI services: openai.com, claude.ai, perplexity.ai, midjourney.com and similar domains. This method delivers objective data without dependence on employee statements.

For smaller companies this is often not practical. In that case, focus on the interview method and the systematic source check.

Method 3: checking known sources deliberately

Unauthorised AI use follows patterns. I work with a checklist in four categories: web-based tools like ChatGPT, Claude and Perplexity. Browser extensions like Grammarly, DeepL and Monica. Mobile apps on private smartphones. Embedded AI in freemium tools like Notion AI or Canva AI.

Work through these categories systematically in every conversation. Most findings come from the first two categories. The targeted question about browser extensions alone brings new insights in almost every interview.

Risk assessment: not every shadow AI is equally critical

Assess each uncovered system based on four factors: which data is entered? How frequent is the use? How many people use the tool? How business-critical is the use?

A tool into which personal data from several teams is entered daily has a completely different risk profile than a browser extension for occasional translations. This differentiation prevents you from wasting resources on non-critical cases and directs the focus to the actual risks.

Decision matrix: four options for action

From the combination of risk and benefit, four routes emerge.

Legitimise with high benefit: introduce an official company version. That is the most common and most sensible route. Employees use productive tools that merely have to be brought into the official process.

Tolerate with low risk: tolerate the use for now, but document the tool in the asset register.

Review with medium risk: analyse more closely and look for approved alternatives.

Stop with high risk: stop the use immediately, communicate clearly why and offer alternatives.

Each uncovered system then flows into your AI asset register. The record includes system name, vendor, using departments, data types and your role. In the vast majority of cases you are a deployer. This role determines your obligations in the further phases of the NADOVO framework.

Your quick start for this week

Take the results of your last department conversations and check for the signals described. Create a list of the four to five most likely sources of shadow AI in your company. Ask about them specifically in your next team meeting. In two weeks you will have a realistic picture of the actual AI use, not what is in the IT documentation, but what really happens.

Conclusion

Shadow AI is not misconduct, but the natural consequence of employees who want to work more productively. But the EU AI Act knows no exceptions for unknown systems. With the three methods, the risk assessment and the decision matrix, you can uncover shadow AI systematically and establish complete visibility over your AI landscape.


About the author

Jochen Stier is co-founder of NADOVO with over 20 years of experience in process management and IT service management. He helps German SMEs implement the requirements of the EU AI Act systematically and pragmatically. His 5-phase framework NADOVO combines regulatory requirements with practical feasibility, without enterprise budgets or complex tools.

© 2026 Jochen Stier / contoro.solutions