Shadow AI Discovery & Risk-Triage Kit
You can't govern what you can't see. List every AI tool your team actually uses — amnesty, no blame — and triage which ones to pull into governance first, before one of them quietly takes regulated data out the door.
instant download · .xlsx · yours to keep
The problem
The tools you don't know about are the ones that hurt.
organizations have had a breach tied to employees using unsanctioned shadow-AI tools.
have any policy or detection to manage it — most are flying blind on what's actually in use.
the consensus first move: discover without blame, because banning tools just pushes them onto personal accounts.
Shadow AI isn't a discipline problem — it's a visibility problem. The fix is to surface the real list, then triage it by what actually creates exposure: regulated data, personal accounts, and vendors that train on your data. This kit does the triage so you know which tool to bring in first.
See it work
One regulated tool on a personal login flips the whole org.
Tap any field to cycle it. One regulated tool on a personal account makes the whole org UNGOVERNED.
Regulated data on a personal account — trips the org gate.
Governed but imperfect — tighten sanction, account, or training.
Unsanctioned and touches personal/regulated data.
Approved, SSO, exposure handled.
Gate tripped: a tool processes regulated data on a personal account. The data is outside your control and the account can't be revoked — UNGOVERNED regardless of how many tools are clean.
Bring into governance first: ChatGPT (free, personal logins).
Grades the tools, never people. A discovery aid — not monitoring, a scan, or an audit. Runs offline in the .xlsx.
What's inside
One workbook. Four columns. A live triage.
Sanctioned, under review, or unsanctioned — the difference between a governed tool and a blind spot.
None, low, personal, or regulated. Regulated data is what turns a convenience into a liability.
SSO-managed, mixed, or a personal login you can't revoke when someone leaves.
Controlled, unclear, or trains on your data — does your input become someone's training set?
The standard
The combination decides it — not a score.
A tool is PULL INTO GOVERNANCE when it has a biting exposure, SANCTIONED only when fully clean, REVIEW in between. Forcing a 0–100 number onto categorical facts would be less honest than letting the combination speak.
Regulated data on a personal account makes the whole org UNGOVERNED, however many tools are clean — the exposure a coverage percentage hides.
Every verdict routes a tool toward governance, never an accusation about who used it. Amnesty is the point: you only fix what people are willing to show you.
Who it's for / not for
For the person who has to answer “what are we using?”
- Founders, ops, and IT leads taking the first honest inventory of AI tools in use.
- Anyone who needs to know which unsanctioned tool to bring into governance first.
- Teams preparing for an audit, an insurer, or a customer security questionnaire.
- Monitoring or scoring employees — it grades the tools, never the people.
- Network scanning or automatic detection — you supply the inventory, by amnesty.
- A governance program in a box — it triages and routes; it doesn't contract or remediate. Not legal advice.
Pairs well with
Discover here, then govern there.
Once a tool is pulled in, register its data flows and grade whether each is governed.
ViewFind out whether your AI governance evidence would survive an auditor's request in 90 days.
ViewThe editable policy templates that turn a sanctioned-tool list into an actual acceptable-use baseline.
ViewCommon Questions
Straight answers before you buy.
Get the kit
See it, triage it, govern it.
- One .xlsx — Start Here, Dashboard, Shadow AI Triage.
- Live verdicts, exposure rate, and the tool to govern first.
- Instant download, yours to keep, opens anywhere.
A discovery and triage aid — not monitoring, a scan, or a security audit. Grades the tools, never people. Lightly regulated; not legal advice.
Sold by RedHub AI LLC · Secured by Stripe · redhub.ai