Your company has an AI policy. It probably says something like "no unsanctioned use of generative AI tools without IT approval." It was published eight months ago. Maybe twelve. And I can tell you with near certainty that it has been cheerfully ignored by at least a third of your workforce.
I know this because I have run shadow AI audits at seven enterprises in the past year, and every single one discovered the same thing: the teams closest to revenue, including marketing, finance, and customer success, had been using LLMs for months before anyone in security knew. One financial services firm found 23 distinct AI tools in production use across four departments. Their approved list had two.
The instinct is to crack down. Issue a memo. Block endpoints. That instinct is wrong, and it will make your problem worse. What follows is a 4-week discovery framework I have refined across those seven engagements. It starts with observation, moves to classification, and ends with guardrails that people actually follow. No turf wars required.
Your "No Unsanctioned AI" Policy Is Already Dead
The data is unambiguous. A 2025 Salesforce survey found that 67% of enterprise AI usage happens outside IT oversight. A separate Gartner analysis from early 2025 estimated that by mid-2026, more than 75% of employees will have used generative AI tools acquired outside of IT's procurement process. Your ban is not a policy. It is a suggestion that most of your organization has already decided to ignore.
The top three shadow AI adopters, in every audit I have conducted, are consistent: marketing teams using tools like Jasper, Writer, and ChatGPT for content generation; finance teams running models through Claude or GPT-4 for scenario analysis and report drafting; and operations teams building automations with Zapier AI, Make, and various API integrations.
Permission-first governance (the "submit a request and wait six weeks" model) creates an adversarial relationship between security and the rest of the business. Teams learn to route around you. They use personal accounts. They expense AI subscriptions as "research tools" or "consulting services." Every layer of restriction you add pushes usage further underground, where you have zero visibility into what data is flowing where.
The discovery-first alternative inverts the sequence: observe first, classify second, govern third. You build your policy around what is actually happening, not what you wish was happening. In practice, this approach surfaces 3x more AI usage than permission-first policies in the same timeframe, because you are measuring reality instead of compliance theater.
Week 1: Network Telemetry and API Fingerprinting
Week one is entirely passive. You are instrumenting, not intervening. The goal is a raw inventory of every AI-related API call leaving your network, every AI vendor charge hitting your books, and every cloud-native AI service in use across your AWS accounts.
DNS and Proxy Detection
Start with your DNS logs and forward proxy data. You are looking for outbound calls to a specific set of domains: api.openai.com, api.anthropic.com, api.cohere.ai, api.mistral.ai, api.replicate.com, and their associated CDN subdomains. If you run Zscaler or Palo Alto Prisma Access, you can filter on these destinations within minutes. For organizations using CrowdStrike Falcon LogScale, create a saved search with a regex pattern matching these endpoints and set it to aggregate by source IP and department subnet.
# Example LogScale query for shadow LLM API detection
#repo=dns-logs
| domain = /api\.(openai|anthropic|cohere|mistral|replicate)\.(com|ai)/
| groupBy([source_ip, domain], function=count())
| sort(_count, order=desc)AWS-Native AI Services
For organizations on AWS, pull CloudTrail events for bedrock:InvokeModel, sagemaker:InvokeEndpoint, and any lambda:Invoke functions that call model endpoints. Use CloudTrail Lake to run SQL queries across all accounts in your organization:
SELECT
userIdentity.arn,
eventSource,
eventName,
COUNT(*) as invocation_count
FROM cloudtrail_logs
WHERE eventSource IN ('bedrock.amazonaws.com', 'sagemaker.amazonaws.com')
AND eventTime > '2025-01-01'
GROUP BY userIdentity.arn, eventSource, eventName
ORDER BY invocation_count DESCThis catches internal teams who went through AWS but skipped the formal approval process.
Expense and Procurement Mining
The third data source is financial. Search your expense management system (Concur, Brex, Ramp) for charges from known AI vendors. Include not just the obvious names but embedded AI features: Notion AI ($10/user/month add-on), Grammarly Business (now AI-powered by default), Canva's Magic features, and HubSpot's AI assistants. One client discovered $14,000/month in ChatGPT Team subscriptions spread across 11 cost centers.
By end of Week 1, you should have a spreadsheet with four columns: endpoint or tool name, source team or department, estimated monthly call volume or spend, and a preliminary data sensitivity flag (does this tool likely receive PII, financial data, or customer information?). Do not share this spreadsheet with anyone outside your audit team yet.
Week 2: The Amnesty Interview (How to Get Honesty Without Threats)
Network telemetry gives you the "what." Interviews give you the "why" and the "how." But if you walk into a department lead's office with a printout of their API logs, you will get defensiveness, not honesty. The framing matters enormously.
Setting the Tone
The invitation should explicitly use language like: "We are building an AI enablement strategy and we need to understand what tools are actually delivering value for your team." Not: "We have detected unauthorized tool usage and need to discuss compliance." The difference in response quality is night and day. I have seen the same department head give a three-sentence answer under the compliance framing and a 45-minute walkthrough under the enablement framing.
Targeting the Right People
Use your Week 1 data to identify the 3 to 5 department leads with the highest detected API volume or AI vendor spend. These are your power users, and they are also your best allies. They have already validated that AI tools solve real problems for their teams. You want their expertise, not their confession.
The Structured Questionnaire
For each tool or workflow, capture four things:
- What tool or model are you using, and for what specific task?
- What data goes in to the model? Internal docs? Customer emails? Financial projections?
- What decisions come out of the model's responses? Are outputs reviewed by a human before action?
- Who sees the output? Internal only, or does it reach customers, regulators, or partners?
Surfacing Hidden Complexity
This is where interviews pay for themselves. Network telemetry cannot see agent workflows. One marketing team I interviewed had built a 6-step automation chain: a Zapier trigger pulled customer feedback from Intercom, sent it to Claude for sentiment analysis, routed negative sentiment to a GPT-4 draft response generator, and posted the draft to a Slack channel for review. None of the individual API calls looked alarming on their own. Together, they formed an autonomous customer communication pipeline that no one in security knew existed.
Week 3: The 4-Tier Risk Classification Matrix
Now you have a full inventory, both what telemetry detected and what interviews revealed. Week 3 is about classification. The goal is to assign every discovered tool or workflow to one of four risk tiers, and to make 70% of those decisions immediately.
| Risk Tier | Data Characteristics | Example Use Cases | Governance Requirement | Approval Speed |
|---|---|---|---|---|
| Tier 1: Unrestricted | No PII, no financial data, no customer-facing output | Internal brainstorming with ChatGPT, code documentation, meeting summary drafts | Self-service, usage logging only | Instant |
| Tier 2: Monitored | Aggregated or anonymized data, internal-only outputs | Productivity copilots (GitHub Copilot, Notion AI), internal report generation, trend analysis | Approved vendor list, quarterly usage review | Same day |
| Tier 3: Controlled | PII-adjacent data, customer-facing content, financial models | Marketing copy generation, customer email drafting, financial scenario modeling | Approved vendor, 48-hour review, DLP integration | 48 hours |
| Tier 4: Restricted | Regulated data (HIPAA, SOX, ITAR), autonomous decisions | Claims processing, credit scoring inputs, agent-to-agent workflows with no human review | Full architecture review, data flow mapping, legal sign-off | 1-2 weeks |
Applying the Matrix
In practice, the distribution is remarkably consistent across industries. Roughly 40% of discovered usage falls into Tier 1, 30% into Tier 2, 20% into Tier 3, and 10% into Tier 4. This means you can approve 70% of what teams are already doing on the spot, which is the single most important thing you can do to build trust and credibility for the remaining 30% that actually needs guardrails.
The Tier 3 classification is where most disagreements arise. Marketing teams generating customer-facing blog posts with AI will argue it belongs in Tier 2. Your legal team will want it in Tier 4. The right answer depends on your specific regulatory exposure, but as a default, any AI output that reaches a customer or prospect without human review belongs in Tier 3 at minimum.
Tier 4 is the smallest category but demands the most attention. Agent-to-agent workflows, where one LLM's output feeds directly into another LLM's input with no human checkpoint, represent a category of risk that most governance frameworks have not yet addressed. If you find these (and you will), flag them for immediate architecture review regardless of the data sensitivity.
Week 4: Guardrails That Feel Like Features, Not Fences
The final week is about implementation. Your goal is to make compliant AI usage easier than shadow AI usage. If your approved path is slower, more cumbersome, or less capable than what teams were already doing, they will go right back underground.
Tier 1 and 2: Self-Service with Visibility
Publish an approved tools list on your internal wiki or portal. Include links, SSO-provisioned accounts where possible, and a simple usage dashboard. The dashboard matters. When department heads can see their team's AI spend and call volume, they self-regulate. One client reduced redundant AI subscriptions by 34% in the first month just by making usage visible.
Tier 3: Lightweight Approval with a Real SLA
Build a Tier 3 approval workflow in whatever ticketing system your organization already uses (Jira Service Management, ServiceNow, even a Google Form routed to a shared inbox). The critical commitment: 48-hour SLA for approval or denial. If you cannot review a request in 48 hours, the system is too complex. Simplify it.
Tier 4: Full Architecture Review
Tier 4 requests route through your security architecture team for data flow mapping, vendor security assessment, and DLP integration. Deploy AWS Bedrock Guardrails for any Tier 4 usage running on AWS to enforce PII redaction, content filtering, and topic restrictions at the API layer:
# Example: Applying Bedrock Guardrails to a Tier 4 workflow
import boto3
bedrock = boto3.client('bedrock-runtime', region_name='us-east-1')
response = bedrock.invoke_model(
modelId='anthropic.claude-3-sonnet-20240229-v1:0',
guardrailIdentifier='yr8xk2l4gp0e', # PII redaction guardrail
guardrailVersion='1',
body=json.dumps({
"anthropic_version": "bedrock-2023-05-31",
"messages": [{"role": "user", "content": user_input}],
"max_tokens": 1024
})
)Monthly AI Usage Digest
Create a recurring report for department heads. Include three things: total AI spend by team, call volume trends, and risk tier distribution. This report turns governance from a policing function into a business intelligence function. Department heads start asking "why is our Tier 3 usage spiking?" instead of you having to investigate.
The Three Tools That Make This Audit Actually Work
You do not need a six-figure GRC platform for this audit. In fact, most GRC platforms are poorly suited for shadow AI discovery because they are designed for known, cataloged assets. Shadow AI is, by definition, uncataloged. Here is what actually works.
CrowdStrike Falcon LogScale (or Datadog Cloud SIEM) for DNS-level detection. Both tools can ingest DNS query logs and proxy data at scale, with sub-second search performance. LogScale's free tier handles up to 1 GB/day, which is sufficient for most organizations' DNS telemetry during the audit period.
AWS CloudTrail Lake for querying Bedrock, SageMaker, and Lambda invocations across your entire AWS Organization. The SQL interface means your security analysts can write ad-hoc queries without learning a proprietary query language. Seven-day query results are included in CloudTrail's standard pricing.
A centralized AI registry that becomes your system of record post-audit. This does not need to be a fancy tool. A well-structured Notion database, Airtable base, or even a SharePoint list with columns for tool name, owner, risk tier, approval status, review date, and data classification will outperform any enterprise GRC platform that requires six weeks of configuration. Start simple. Migrate to something more sophisticated once you understand your actual requirements.
Custom tooling often outperforms commercial GRC platforms for this specific audit type because shadow AI discovery requires flexibility and speed. You are building a new inventory category, not checking compliance against an existing one.
What "Good" Looks Like 90 Days After the Audit
If you execute this framework well, here is what you should see three months later.
85 to 90% of AI usage is now visible, documented, and tier-classified. You will never hit 100%. New tools appear constantly. But having clear visibility into the vast majority of usage is a fundamentally different risk posture than the zero-visibility state most organizations are in today.
Department satisfaction should increase. This sounds counterintuitive for a security initiative, but remember: you approved 70% of what teams were already doing. You gave them SSO accounts, usage dashboards, and a clear path for new tool requests. For most employees, the audit made their AI usage more convenient, not less.
The Three KPIs That Matter
Track these weekly for the first 90 days, then monthly:
- Percentage of AI usage inventoried: target 85% by day 90, measured by comparing registry entries against ongoing network telemetry
- Mean time to approve new tool requests: target 24 hours for Tier 1/2, 48 hours for Tier 3, 10 business days for Tier 4
- Policy violation rate: the percentage of AI calls detected outside the approved registry. This should trend downward. If it flatlines or increases, your approved path is still too cumbersome.
Plan for the Living Problem
Shadow AI is not a one-time cleanup. It is a continuous discovery challenge. Schedule quarterly re-audits using the same Week 1 telemetry methodology. Each quarter, update your approved tools list, re-classify any tools whose usage patterns have shifted, and retire tools that are no longer in active use.
The organizations that treat shadow AI governance as a living program rather than a project consistently maintain higher visibility rates and lower friction with business teams. The ones that run a one-time audit and declare victory find themselves back at square one within six months.
Here is your 30-minute action item: open your DNS logs right now and search for api.openai.com. Count the unique source IPs. That number, compared to the number of people on your "approved ChatGPT users" list, is the gap you need to close. If you do not have an approved users list, the entire count is your gap. That is where Week 1 starts.