Staff have not waited for a policy. They are pasting customer data, spreadsheets, and code into public AI chatbots, drafting with browser add-ins, and letting AI note-takers sit in confidential meetings — usually with good intent and no idea they have created an exposure. The Shadow AI Discovery + Policy Readiness Sprint is a fixed-scope, 3–4 week engagement that identifies the unsanctioned AI tools in use and the data flowing to them, assesses your policy and control gaps, and hands back a prioritized control roadmap and an AI acceptable-use policy framework you can put in front of your board.
Part of the AI Security & Cyber Risk practice · fees fixed in writing after scoping — see engagement models.
This is Discovery, not monitoring. The sprint is bounded to systems you already have access to and data sources you agree to in scoping — network, DNS, or gateway logs; SaaS and OAuth-grant inventories; expense and procurement records; and voluntary employee surveys and interviews. It is explicitly not covert surveillance, not employee monitoring, and not unauthorized access to any system. It is a readiness assessment and advisory work — a point-in-time exposure map and a roadmap, not a certification, a legal opinion, or a guarantee of any regulatory or examination outcome. The findings and the policy framework are yours to own; we work alongside your counsel, HR, and security team.
Unsanctioned AI use rarely lives in one place. We assemble a picture from the sources you can see and the people who will tell you — then map each finding to the data it touches and the risk it carries.
Staff paste customer records, financials, contracts, and source code into public generative-AI chatbots to summarize, draft, or debug. We look for the signal that this is happening and, with your team, the categories of data most likely leaving — without accessing the prompts themselves.
AI writing assistants, meeting summarizers, and browser extensions request broad access to mail, documents, and calendars through OAuth grants nobody reviewed. We inventory the connected third-party AI apps in your Microsoft 365 or Google Workspace tenant and flag the over-permissioned ones: standing read or write access to mail, files, or calendars, admin consent that covers the whole tenant rather than one user, and grants whose user count has quietly grown.
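One way to do the over-permissioned triage described above, as an added example rather than DSE's own tooling. It assumes the grant inventory has already been exported from the tenant into the record layout shown; the keyword heuristic for "this is an AI app", the severity rules, and every app name, publisher, and user count in the sample are constructed for the illustration, while the scope strings are real Microsoft Graph and Google API permission names.

```python
"""Triage an exported OAuth-grant inventory for over-permissioned third-party AI apps.

Added example, not DSE's tooling. Record layout, AI-name heuristic and severity
rules are assumptions; SAMPLE_GRANTS is constructed data.
"""
import re
from dataclasses import dataclass

# Scopes that give an app standing access to mail, files or calendars.
# The names are real Graph / Google permission names; treating exactly this set
# as "broad" is a policy choice made here as an assumption.
BROAD_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All",
    "Calendars.Read", "Calendars.ReadWrite",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/calendar",
}

# Word-bounded so that "email" or "maintenance" do not match "ai". Heuristic only;
# in practice reconcile against the publisher and the app's own description.
AI_NAME = re.compile(r"\b(ai|gpt|copilot|assistant|notetaker|transcri\w*|summari\w*)\b", re.I)

SEVERITY_RANK = {"high": 0, "medium": 1, "info": 2}

# Constructed sample rows. "consent" is "admin" (tenant-wide) or "user" (individual).
SAMPLE_GRANTS = [
    {"app": "MeetingMind AI Notetaker", "publisher": "meetingmind.example", "consent": "user",
     "scopes": ["Calendars.Read", "Mail.Read", "User.Read", "offline_access"], "users": 7},
    {"app": "DraftGenius Writing Assistant", "publisher": "draftgenius.example", "consent": "admin",
     "scopes": ["Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All", "User.Read"], "users": 140},
    {"app": "Quick Summarizer", "publisher": "qs.example", "consent": "user",
     "scopes": ["User.Read", "openid", "profile"], "users": 3},
    {"app": "Expense Tracker", "publisher": "expenses.example", "consent": "admin",
     "scopes": ["Files.Read.All"], "users": 90},
    {"app": "Gmail AI Reply Helper", "publisher": "replyhelper.example", "consent": "user",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly"], "users": 4},
]


@dataclass
class Finding:
    app: str
    publisher: str
    consent: str
    broad_scopes: list
    persistent: bool   # offline_access => refresh token, access outlives the session
    users: int
    severity: str


def is_ai_app(name: str) -> bool:
    return AI_NAME.search(name) is not None


def rate(consent: str, broad: list, persistent: bool, users: int) -> str:
    """Severity rules (assumption): no broad scope is informational; broad scope
    with tenant-wide consent, a persistent token, or wide adoption is high."""
    if not broad:
        return "info"
    if consent == "admin" or persistent or users >= 10:
        return "high"
    return "medium"


def triage(grants: list) -> list:
    """Return findings for AI apps only, most severe first, then by name."""
    findings = []
    for g in grants:
        if not is_ai_app(g["app"]):
            continue
        scopes = set(g["scopes"])
        broad = sorted(scopes & BROAD_SCOPES)
        persistent = "offline_access" in scopes
        findings.append(Finding(g["app"], g["publisher"], g["consent"], broad,
                                persistent, g["users"],
                                rate(g["consent"], broad, persistent, g["users"])))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.app))


def summarize(findings: list) -> dict:
    """Count findings per severity, for the exposure-map roll-up."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_GRANTS):
        print(f"{f.severity:6} {f.app} ({f.consent} consent, {f.users} users): {f.broad_scopes}")
    print(summarize(triage(SAMPLE_GRANTS)))
```

The non-AI "Expense Tracker" row is deliberately left out of the findings even though it is admin-consented with a broad scope; it belongs to a general OAuth review, not the shadow-AI inventory, which is exactly the scope boundary the sprint keeps.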
Automatic transcription and AI note-taker bots join calls where privileged, material, or customer-confidential matters are discussed, and quietly retain recordings in a third-party account. We surface where they are in use and the data-retention questions that follow.
Vendors ship AI features into the SaaS you already run, often on by default. We identify where AI has been enabled inside sanctioned tools and whether that changes what data is processed, where, and by whom, which is where the line falls between shadow AI and a decision about a governed replacement.
Individual teams buy AI tools on a card or a free tier to move faster, well below the radar of IT and procurement. We review expense, procurement, and SaaS-spend records for the AI subscriptions that never went through review.
The fastest route to the real picture is often to ask. We run short, voluntary, non-punitive surveys and interviews with a sample of team leads about how they actually use AI — framed to surface reality, not to catch anyone out.
The value of this sprint is that it is defensible: bounded scope, agreed data sources, and no covert monitoring of your people. Being precise about that is the whole point.
A short scoping agreement up front, a focused discovery-and-assessment window, and a debrief that ends in a roadmap and a policy framework. Built for a compliance and technology calendar, not a six-month program.
We keep it tight and senior-led, with the scope and data sources agreed in writing before any discovery begins:
Want a fast read before you scope? Start with the free Shadow AI Inventory Quiz — it runs entirely in your browser.
The sprint ends in artifacts your compliance committee, your CIO, and your board can use — a clear picture of what is in use, and the short list of moves that most reduce your risk. Not a certificate. A starting point you own.
A concrete read on your shadow-AI exposure the day the sprint closes:
Every sprint includes an AI acceptable-use policy framework outline. As a scoped add-on, we can extend that outline into a fuller, finalized AI acceptable-use policy tailored to your firm:
The policy framework is a readiness artifact and a starting point — you finalize and adopt it with your counsel. It is not legal advice.
This engagement is sponsored by compliance and technology leadership and scoped so that it opens the compliance-and-legal channel and the HR / people-ops channel at the same time. It is distinct from the technical CISO buyer and a natural partner to privacy counsel.
You own the answer when an examiner or the board asks how AI use across the firm is governed. A discovered inventory and an acceptable-use policy framework turn "we're not sure" into a defensible, evidenced position.
You carry the data-flow and vendor risk of tools that were never reviewed. The exposure map tells you where AI is actually running, what it touches, and where a governed, sanctioned alternative removes the reason to go around you.
You need a real inventory before any governance program means anything. The sprint gives you the shadow-AI baseline your policy, risk register, and roadmap all depend on — and the policy framework to build from.
HR and people-ops are essential partners. The acceptable-use policy, employee communications, training, and the voluntary, non-punitive framing that makes discovery work all depend on them, which is why this engagement opens the people channel and not just the technical one. Privacy counsel is a natural secondary buyer, especially post-incident, when the question shifts to which personal or regulated data reached which third-party AI tool and what the firm must do about it.
Before you scope a sprint, get a read. Answer ten questions about your current visibility into employee AI-tool use and our free, 100% browser-local Shadow AI Inventory Quiz returns an exposure score, the common unsanctioned AI tools in your industry, and a sample AI acceptable-use-policy framework outline. Nothing you enter leaves your browser. Bring the output to a scoping call and we turn it into a real discovery.
What does it cost? The fee is fixed in writing after a short scoping call — it scales with the number of systems and data sources in scope and whether you add the fuller acceptable-use policy build, not your headcount. See the non-binding market-estimate ranges for this and every DSE engagement on the pricing page.
See engagement models →
What compliance, technology, and people leaders ask before they scope a shadow AI discovery sprint.
A shadow AI assessment is a structured discovery of the unsanctioned AI tools your employees are already using and the data flowing to them — public chatbots, browser and app add-ins, AI note-takers, AI features switched on inside tools you already buy, and departmental subscriptions bought below procurement's radar. DSE delivers it as a fixed-scope 3–4 week sprint that ends in an exposure map, a policy and control gap assessment, a prioritized control roadmap, and an AI acceptable-use policy framework. It is Discovery, not monitoring: a readiness assessment, not a certification or an audit.
We work only within systems you already have access to and data sources you agree to in scoping — connected-app and OAuth-grant inventories in your Microsoft 365 or Google Workspace tenant, SaaS-spend and procurement records, available network, DNS, or gateway logs, and voluntary, non-punitive surveys and interviews with a sample of team leads. We do not read prompts, key-log, monitor individuals, or access anything outside the agreed scope. It is deliberately Discovery, not covert surveillance or employee monitoring, and the framing is designed to surface reality without putting anyone on the defensive.
The framework is a structured, ready-to-adapt outline for a GenAI policy for employees: scope and definitions, an approved-tool list and a request path for new tools, prohibited uses and the data that may never enter a public AI tool, data-handling and logging rules, human-review gates for AI-assisted decisions, and an acknowledgment, training, and review cadence. Every sprint includes the framework outline; as a scoped add-on we can extend it into a fuller, finalized AI acceptable use policy for financial services tailored to your roles and data. It is a readiness artifact and a starting point you finalize with counsel — not legal advice.
The recurring categories are public generative-AI chatbots used for drafting, summarizing, and coding (for example ChatGPT, Gemini, Claude, or a browser Copilot); AI writing and email assistants added as browser extensions; AI meeting note-takers and transcription bots that join calls; AI coding assistants used by engineering; and AI features quietly enabled inside SaaS tools the firm already licenses. The exact mix depends on your stack — the free Shadow AI Inventory Quiz returns a common-tools list tuned to your industry, and the sprint replaces that with what is actually in use in your environment.
The fee is fixed in writing after a short scoping call and scales with the number of systems and data sources in scope and whether you add the fuller acceptable-use policy build, not your company size. We publish non-binding market-estimate ranges for every engagement, including this one, on the engagement models page.
Last reviewed: 2026-07-03 · Initial release. The Shadow AI Discovery + Policy Readiness Sprint is a service line of the AI Security & Cyber Risk practice. All work is Discovery, readiness, and advisory — a bounded discovery limited to accessible systems and agreed data sources, plus an exposure map, gap assessment, control roadmap, and AI acceptable-use policy framework. It is not covert surveillance, employee monitoring, or unauthorized system access, and not a certification, legal advice, or a guarantee of any regulatory or examination outcome. The NIST AI RMF is referenced as a framework, not certified.