§ Shadow AI Inventory Quiz·client-side form · no sign-up

How much do you actually see of employee AI use?

Answer ten questions about your visibility into employee AI-tool use and get an exposure score — low, medium, or high — plus the common unsanctioned AI tools in your industry and a sample AI acceptable-use-policy framework outline to build from.

This is a starting point to focus a shadow-AI conversation for a compliance, HR, or technology leader — not an audit and not a guarantee. Your team owns the decisions it raises.

This runs entirely in your browser. Nothing you enter is sent to a server.
§ Read this first

This quiz scores your current visibility and controls over employee AI use and returns an exposure band, an industry common-tools list, and a sample acceptable-use-policy outline. It is a starting point, not an audit, not employee surveillance, and not legal, compliance, or security advice. Regulatory framing is kept generic — map each result to the supervisory expectations that govern you. Your team owns the decisions. No data leaves the browser.

§ The quiz·ten questions, then your exposure read
Industry: What industry are you in?

This tunes the list of common unsanctioned AI tools we show you. It does not change your score.

Q1. Do you have an approved list of AI tools staff may use?

An approved-tool list is the baseline of visibility: without one, "sanctioned" and "shadow" are indistinguishable.

Q2. Is there a written AI acceptable-use policy staff have acknowledged?

A policy people have actually read and signed is what turns intent into a defensible position.

Q3. Can you see which AI and SaaS apps staff connect?

Connected-app and OAuth-grant review in Microsoft 365 or Google Workspace is where over-permissioned AI add-ins show up.

Q4. Do you have controls that can detect data going to public AI tools?

DLP, a CASB, or proxy/gateway egress rules are what turn "we hope not" into evidence about data leaving for public AI.

Q5. Have you asked staff how they actually use AI?

Voluntary, non-punitive surveys and interviews are often the fastest route to the real picture.

Q6. Do you know whether staff paste sensitive or regulated data into public AI?

Customer PII, financials, and source code pasted into public chatbots is the exposure that most often triggers an incident.

Q7. Is there a named owner for AI governance and acceptable use?

Someone with the authority to approve tools, own the policy, and answer for AI use when an examiner or the board asks.

Q8. Do you offer a sanctioned, governed AI alternative?

A governed enterprise or private-AI option staff will actually use removes the reason to reach for a shadow tool.

Q9. Do staff get training on safe AI use?

Onboarding and refresher training is what makes an acceptable-use policy stick beyond the day it was signed.

Q10. Do you re-inventory AI tool usage on a recurring cadence?

Shadow AI is a moving target; a point-in-time list decays fast without a defined review cycle.

Pick your industry and answer all ten questions to compute your exposure read.

Common unsanctioned AI tools in your industry

Illustrative categories and widely used public tools — the real list is whatever is running in your environment.

Sample AI acceptable-use-policy framework outline

A starting outline to adapt with your counsel — the structure a workable GenAI policy for employees needs.

§ Turn this into a real discovery·from a self-read to an exposure map

A quiz is a self-assessment from the inside. The value is a bounded discovery from your actual environment: connected-app and OAuth review, SaaS-spend analysis, and voluntary interviews that produce an exposure map, a control roadmap, and a finalized acceptable-use policy. That is the Shadow AI Discovery + Policy Readiness Sprint.

§ The fine print

This quiz is a structured starting point to focus a shadow-AI conversation. It is not an audit, not employee surveillance, and not legal, compliance, or security advice. Regulatory framing is kept generic — map each result to the supervisory expectations that govern you. The exposure bands, tool lists, and policy outline are structured heuristics, not certifications or benchmarks.

No data leaves the browser. Nothing you enter is sent to a server or retained.

Last reviewed: 2026-07-03 · Initial release. The questions, exposure bands, tool lists, and policy outline are a structured practitioner heuristic for shadow-AI readiness, re-checked quarterly. Accuracy is the point.

§ When you want the real picture·fixed-fee, senior-only

Get a full shadow AI discovery engagement.

A quiz reads your own view from the inside. When you want the real picture, a principal runs a fixed-scope discovery of your actual environment and hands you an exposure map, a control roadmap, and an AI acceptable-use policy framework.

§ What this is·and what it isn't

A self-assessment. Not surveillance.

This quiz is a structured self-assessment to focus a shadow-AI conversation for a compliance, HR, or technology leader. It does not monitor employees, does not access your systems, and does not provide legal, compliance, or security advice. Regulatory framing is deliberately generic; map each result to the supervisory expectations that govern you.

DSE provides AI governance and security readiness work, including shadow AI discovery bounded to accessible systems and agreed data sources. We are not an accredited certification body and do not run covert surveillance, monitor employees, or guarantee any regulatory, examination, or litigation outcome, and we do not provide legal advice. We work alongside your counsel.