Mima

How to Detect Shadow AI: The Enterprise Discovery & GRC Guide

A step-by-step technical guide for CISO and IT asset management teams on discovering unauthorized AI tools, comparing API-first OAuth scans against endpoint browser extensions.

Mima Intelligence · 18 July 2026 · 5 min read

The Rise of Shadow AI in the Enterprise

In 2026, employee adoption of generative AI tools (ChatGPT, Claude, v0, Midjourney, and thousands of specialized domain agents) has outpaced traditional IT approval cycles. This adoption creates Shadow AI—unauthorized, unvetted AI applications accessed by employees using enterprise credentials or corporate devices.

Shadow AI introduces severe business risks:

  1. Intellectual Property Exposure: Employees pasting proprietary code, customer lists, or financial models into public LLM training prompts.
  2. Regulatory Non-Compliance: Violating GDPR, DORA, and the EU AI Act (which mandates strict risk classifications for AI tools).
  3. Ghost Subscription Costs: Untracked credit card expenses (expensed SaaS seats) that bypass standard procurement review.

To secure your software estate, security and Software Asset Management (SAM) teams need a structured, multi-layer approach to discover and govern AI tools.


The AI Discovery Stack: Comparison of Detection Methods

To build an accurate AI Bill of Materials (AI-BOM), organizations combine different telemetry layers. Each layer has specific trade-offs:

Detection LayerData SourceCoverageImplementation EffortTrust Level
1. Identity & SSO (OAuth)Okta, Entra ID, Google WorkspaceSSO-enabled enterprise AI accountsLow (API-first, minutes)1.0 (High)
2. Billing & FinanceERP logs, corporate card expensesPaid subscriptions expensed via invoicesLow (CSV/API matching)1.0 (High)
3. Web Gateway & SIEMProxy logs, DNS queries, firewallAll network-based visits to AI domainsMedium (Log ingestion)0.90 (Medium)
4. Endpoint/Browser ExtensionBrowser agent telemetryDirect web sessions, extension-based toolsHigh (Agent rollout required)1.0 (High)

Step-by-Step Guide to Implementing Shadow AI Discovery

Step 1: Map the Identity Perimeter

Over 70% of unauthorized AI tool logins occur using the standard “Sign in with Google” or “Sign in with Microsoft” OAuth flows.

Step 2: Financial Expense Reconciliation

Employees often bypass SSO by paying for Pro seats (e.g., ChatGPT Plus, Claude Pro) on personal corporate credit cards and expensing them.

Step 3: Network Traffic Analysis (SIEM/DNS)

Network-level visibility catches employees accessing free AI tools without logging in or using personal email accounts.

Step 4: Endpoint & Browser Telemetry

The final layer of defense is endpoint monitoring, which catches localized AI browser extensions, IDE plugins, and standalone desktop binaries that bypass identity and network layers.


Privacy-by-Design: Governing AI Without Surveillance

While detecting Shadow AI is crucial for security, continuous monitoring of employee endpoints can trigger Works Council objections and GDPR violations in strict jurisdictions.

To maintain compliance:


Building Your AI Bill of Materials (AI-BOM)

Once discovery is complete, compile your findings into a central AI Bill of Materials (AI-BOM). Classify each detected AI tool into one of three risk categories:

  1. Approved/Sanctioned: Tools that have undergone security review, possess signed enterprise data privacy agreements, and are integrated into enterprise SSO.
  2. Tolerated: Low-risk utility tools (e.g. translation, spelling correction) that do not store PII or corporate code.
  3. Prohibited: Tools that store submitted prompts to train public models, lack security attestations, or violate regional regulations (such as DORA or the EU AI Act).

Further reading

Last reviewed on July 18, 2026 by Mima Intelligence

Related Reading

See your position before the auditor does.

Mima runs the auditor's methodology against your estate continuously — for every vendor, with every finding grounded in a citable source.

See how Mima works →