
Shadow AI Audit Checklist: Find Every Unauthorized AI Tool in Your Organization
A step-by-step audit process to discover unauthorized AI tools in your organization. Covers network traffic analysis, browser extension audits, SaaS spend analysis, employee surveys, DLP reviews, and API key audits — with a 25-item checklist you can use immediately.
You cannot secure what you cannot see. Before writing policies, deploying monitoring tools, or rolling out sanctioned AI alternatives, you need an accurate picture of what AI tools are currently being used in your organization, by whom, and with what data.
This is the shadow AI audit. It is a structured, repeatable process that produces a complete inventory of unauthorized AI usage — tools, users, data categories, and risk levels. This article provides the full process, including a 25-item checklist you can adapt to your organization immediately.
Organizations with 200–1,000 employees interact with an average of 45 distinct AI websites monthly. In larger organizations, that number climbs to 72. The audit will almost certainly reveal more tools than you expect.
Before You Start: Set the Scope
Define three things before beginning:
Time window. Audit the last 90 days. This captures habitual usage patterns without going so far back that the data is stale. AI tool adoption is accelerating — usage patterns from six months ago may not reflect current behavior.
Organization scope. Decide whether this is a company-wide audit or a department-first approach. If you are resource-constrained, start with departments that handle the most sensitive data: legal, HR, finance, engineering, and customer-facing teams.
Desired outcome. The audit should produce three deliverables: (1) an inventory of all AI tools in use, (2) a risk classification of each tool based on data sensitivity, and (3) a list of immediate remediation actions ranked by risk.
Phase 1: Network Traffic Analysis
Network logs are your most objective data source. They show what actually happened, not what employees remember or choose to disclose.
What to look for
Monitor outbound connections to known AI service domains. The following list covers the major services as of March 2026, but new tools appear monthly — update this list quarterly.
| AI Service | Domains to Monitor |
|---|---|
| OpenAI / ChatGPT | chat.openai.com, api.openai.com, cdn.openai.com |
| Anthropic / Claude | claude.ai, api.anthropic.com, console.anthropic.com |
| Google Gemini | gemini.google.com, generativelanguage.googleapis.com, aistudio.google.com |
| Perplexity | perplexity.ai, api.perplexity.ai |
| xAI / Grok | grok.x.ai, x.com/i/grok |
| Mistral | chat.mistral.ai, api.mistral.ai |
| Cohere | coral.cohere.com, api.cohere.ai |
| Hugging Face | huggingface.co, api-inference.huggingface.co |
| Poe | poe.com |
| Character.AI | character.ai |
| Jasper | app.jasper.ai |
| Copy.ai | app.copy.ai |
| Notion AI | notion.so (look for AI-specific API calls) |
| GitHub Copilot | copilot.github.com, copilot-proxy.githubusercontent.com |
| Cursor AI | cursor.sh, api2.cursor.sh |
| Codeium | codeium.com, server.codeium.com |
How to extract this data
- Firewall logs: Export connection logs from your firewall or UTM appliance. Filter for the domains above. Most enterprise firewalls (Palo Alto, Fortinet, Sophos) can export to CSV or SIEM.
- DNS query logs: If you run internal DNS, query logs show every domain lookup regardless of whether the connection was completed. This catches tools that employees tried to access even if the firewall blocked them.
- Proxy logs: If you route web traffic through a proxy (Zscaler, Netskope, etc.), you have full URL-level visibility including HTTPS inspected traffic.
- SIEM aggregation: If you have a SIEM (Splunk, Sentinel, Elastic), create a dashboard that aggregates connections to the domains above, grouped by source IP → user mapping.
What this tells you
Network analysis gives you the tools in use, the frequency of use, and the users (via IP-to-user mapping from your directory service). It does not tell you what data was sent — that requires DLP inspection, which is covered in Phase 5.
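As an added example (not part of the original article), the following script applies the Phase 1 domain list to exported log lines and produces the per-user, per-service counts the phase asks for. The log layout, the sample lines and the IP-to-user map are constructed assumptions; a real firewall, DNS or proxy export will need its own column mapping.

```python
from collections import defaultdict

# Subset of the Phase 1 domain table: service -> domains to monitor.
AI_DOMAINS = {
    "OpenAI / ChatGPT": ["chat.openai.com", "api.openai.com", "cdn.openai.com"],
    "Anthropic / Claude": ["claude.ai", "api.anthropic.com", "console.anthropic.com"],
    "Google Gemini": ["gemini.google.com", "generativelanguage.googleapis.com"],
    "GitHub Copilot": ["copilot.github.com", "copilot-proxy.githubusercontent.com"],
    "Cursor AI": ["cursor.sh", "api2.cursor.sh"],
}

def classify_host(host):
    """Return the AI service for a host, matching listed domains and their subdomains.
    Suffix matching is done on a label boundary so 'notopenai.com' is not a hit."""
    host = host.lower().rstrip(".")
    for service, domains in AI_DOMAINS.items():
        for d in domains:
            if host == d or host.endswith("." + d):
                return service
    return None

# Constructed sample export in an assumed "timestamp src_ip user host action" layout.
SAMPLE_LOG = """\
2026-03-02T09:14:11Z 10.1.4.22 jdoe chat.openai.com ALLOW
2026-03-02T09:15:03Z 10.1.4.22 jdoe api.openai.com ALLOW
2026-03-02T09:20:45Z 10.1.7.9 asmith claude.ai ALLOW
2026-03-02T09:21:10Z 10.1.7.9 asmith www.example.com ALLOW
2026-03-02T10:02:30Z 10.1.9.14 - api2.cursor.sh BLOCK
2026-03-02T10:05:01Z 10.1.4.22 jdoe notopenai.com ALLOW
"""

# Assumed IP-to-user map from directory/DHCP records, for lines with no user field.
IP_TO_USER = {"10.1.9.14": "bwong"}

def summarize(log_text, ip_to_user):
    """Count hits per (user, service, action). Blocked attempts are kept on purpose:
    the audit wants tools employees tried to reach, not only completed connections."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        _ts, src_ip, user, host, action = line.split()
        service = classify_host(host)
        if service is None:
            continue
        if user == "-":
            user = ip_to_user.get(src_ip, src_ip)
        counts[(user, service, action)] += 1
    return dict(counts)

if __name__ == "__main__":
    for (user, service, action), n in sorted(summarize(SAMPLE_LOG, IP_TO_USER).items()):
        print(f"{user:8} {service:20} {action:6} {n}")
```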
Phase 2: Browser Extension Audit
AI-powered browser extensions are a significant and often overlooked vector. Employees install extensions that read page content, capture form data, or intercept clipboard content — and send it to external AI services for processing.
What to audit
- Chrome extension inventory: Use Google Admin Console (for managed Chrome) or endpoint management tools (Intune, Jamf) to pull a list of installed extensions across all managed devices.
- Edge extension inventory: Same process via Microsoft Endpoint Manager.
- Extension categories to flag: Any extension with permissions for "Read and change all your data on all websites," "Read your browsing history," or "Modify data you copy and paste."
Common AI extensions to search for
- ChatGPT browser extensions (multiple third-party variants)
- Merlin (GPT-4 in browser)
- Monica AI
- Sider AI
- MaxAI.me
- UseChatGPT.AI
- Compose AI
- Writesonic
- Grammarly (AI features — may be sanctioned, verify)
- Otter.ai (meeting transcription — often installed individually)
Risk assessment
Extensions that have "read all site data" permissions can capture data from internal web applications (your CRM, ERP, intranet, code repositories) and send it to external servers. This is a higher risk than employees manually pasting data into ChatGPT, because it happens passively and continuously.
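An added example (not from the article) that triages an exported extension inventory against the two Phase 2 criteria: the manifest permissions behind the Chrome warning strings quoted above, and the list of common AI extension names. The inventory shape and the permission-to-warning mapping are assumptions; the sample records are constructed.

```python
# Manifest permissions that produce the Chrome warnings the audit flags. Assumed
# mapping based on Chrome's permission warning text; verify against your browser version.
RISKY_PERMISSIONS = {
    "<all_urls>": "read/change all data on all websites",
    "*://*/*": "read/change all data on all websites",
    "http://*/*": "read/change all data on all websites",
    "https://*/*": "read/change all data on all websites",
    "history": "read browsing history",
    "tabs": "read browsing history",
    "clipboardRead": "modify copied/pasted data",
    "clipboardWrite": "modify copied/pasted data",
}

# Lower-cased name fragments from the "common AI extensions" list above.
KNOWN_AI_EXTENSIONS = ["chatgpt", "merlin", "monica", "sider", "maxai", "compose ai",
                       "writesonic", "grammarly", "otter"]

def triage(extension):
    """Return the sorted, de-duplicated reasons to flag an extension, or [] if none."""
    reasons = []
    perms = list(extension.get("permissions", [])) + list(extension.get("host_permissions", []))
    for p in perms:
        if p in RISKY_PERMISSIONS:
            reasons.append(RISKY_PERMISSIONS[p])
    name = extension["name"].lower()
    if any(k in name for k in KNOWN_AI_EXTENSIONS):
        reasons.append("known AI extension")
    return sorted(set(reasons))

def flagged(inventory):
    """Map extension name -> reasons for every extension with at least one flag."""
    return {e["name"]: triage(e) for e in inventory if triage(e)}

# Constructed sample inventory (assumed export shape: name, id, permissions, host_permissions).
SAMPLE_INVENTORY = [
    {"name": "Sider AI Assistant", "id": "aaaa",
     "permissions": ["storage", "clipboardRead"], "host_permissions": ["<all_urls>"]},
    {"name": "Grammarly", "id": "bbbb",
     "permissions": ["storage"], "host_permissions": ["*://*/*"]},
    {"name": "Page Theme Switcher", "id": "cccc",
     "permissions": ["storage"], "host_permissions": ["<all_urls>"]},
    {"name": "Color Picker", "id": "dddd",
     "permissions": ["activeTab"], "host_permissions": []},
]

if __name__ == "__main__":
    for name, reasons in flagged(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(reasons)}")
```

Extensions flagged on permissions alone (like the theme switcher above) are not AI tools, but they still need a manual look because the permission grants the same data access.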
Phase 3: SaaS Spend Analysis
Individual AI subscriptions show up in expense reports and on corporate credit cards. This is a simple but effective detection method.
Where to look
- Expense reports: Search for reimbursement requests containing "OpenAI," "ChatGPT," "Claude," "Anthropic," "Jasper," "Copy.ai," "Midjourney," "Runway," or "AI" in the description.
- Corporate credit card statements: Run the same keyword search across all corporate card transactions for the last 90 days.
- Procurement system: Check if any team has submitted purchase requests for AI tools outside your standard procurement process.
- App store charges: For organizations that reimburse mobile app purchases, check for AI app subscriptions (ChatGPT Plus at $20/month is the most common).
What this tells you
SaaS spend analysis identifies the employees who are invested enough in AI tools to pay for them. These are typically your heaviest users and the ones sending the most data. They are also, importantly, the ones who will have the strongest opinions about what a sanctioned alternative needs to do.
Phase 4: Employee Survey
Network logs tell you what tools are being used. An employee survey tells you why they are being used and what data is being processed. Both are necessary.
Survey design principles
- Anonymous. If employees fear punishment, they will not disclose usage. Make the survey explicitly anonymous and frame it as a discovery exercise, not an investigation.
- Specific. Do not ask "Do you use AI tools?" Ask "In the last 30 days, have you used any of the following tools for work-related tasks?" and list specific tools.
- Data-focused. Ask what categories of data they have used with AI tools: source code, customer data, financial data, HR data, legal documents, internal communications, meeting notes.
Sample questions
- Which AI tools have you used for work-related tasks in the last 30 days? (Select all that apply — list specific tools)
- How frequently do you use AI tools for work? (Daily / Several times per week / Weekly / Monthly / Rarely)
- What types of work tasks do you use AI tools for? (Writing/editing, code development, data analysis, research, summarization, translation, other)
- What types of company data have you input into AI tools? (Source code, customer information, financial data, HR/personnel data, legal documents, meeting notes, internal communications, none, other)
- Do you use a personal account or a work-provided account for AI tools?
- What prevents you from using company-approved AI tools? (No approved tools exist, approved tools are too limited, approved tools are too slow, did not know approved tools existed, other)
- If the company provided an internal AI assistant with equivalent capabilities, would you use it instead of external tools?
Question 6 is critical. It tells you why the sanctioned alternative (if you have one) is not being adopted, or confirms that you do not have one.
Phase 5: DLP Policy Review
Most organizations have Data Loss Prevention policies configured for email, USB, and cloud storage. Very few have extended those policies to cover AI tool usage.
Audit your current DLP configuration
- Does your DLP policy monitor browser uploads? Specifically, does it inspect content being posted via form submissions or API calls to AI service domains?
- Does your DLP policy cover clipboard operations? Copy-paste into a browser-based AI tool is the most common data exfiltration method for shadow AI.
- Are AI service domains in your DLP monitoring scope? Most DLP solutions can be configured to flag or block uploads to specific domains. Check if the AI domains from Phase 1 are included.
- What data classification categories trigger alerts? Ensure that your DLP classifications (PII, PHI, financial data, source code, legal privileged) are applied to AI tool destinations, not just email and cloud storage.
Gap assessment
If your DLP does not cover AI tool uploads, you have a monitoring gap. Quantify it: based on Phase 1 network data, how many connections per day are being made to AI services, and what percentage of those could involve sensitive data based on the user roles making those connections?
Phase 6: API Key Audit
Developers and technical teams may be using AI services programmatically, embedding API keys in code repositories, environment files, CI/CD pipelines, or scripts. This usage is harder to detect through network monitoring because it may run on development machines, CI servers, or cloud infrastructure.
Where to search
- Code repositories: Search for strings like `sk-`, `sk-proj-`, `OPENAI_API_KEY`, `ANTHROPIC_API_KEY`, `GOOGLE_API_KEY` across all internal Git repositories (GitHub, GitLab, Bitbucket).
- Environment files: Search for `.env`, `.env.local`, `.env.production` files containing AI service API keys.
- CI/CD secrets: Review stored secrets in GitHub Actions, GitLab CI, Jenkins, or your CI/CD platform for AI service credentials.
- Secrets scanning tools: If you use a secrets scanner (GitGuardian, TruffleHog, gitleaks), check if AI API key patterns are included in the scanning rules.
- Cloud infrastructure: Check AWS Secrets Manager, Azure Key Vault, or GCP Secret Manager for AI service credentials that may have been provisioned outside standard procurement.
Risk assessment
API key usage typically involves automated or semi-automated data processing, which means higher volumes of data are being sent to external AI services. A developer running a script that processes 10,000 customer records through the OpenAI API is a higher-volume exposure than the same developer manually pasting a few records into ChatGPT.
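A small repository scanner for the Phase 6 search strings, added here as an example; it is not the article's code and not a rule set from GitGuardian, TruffleHog or gitleaks. The regexes are assumptions built from the prefixes and variable names listed above, and the sample files contain fake keys.

```python
import os
import re

# Assumed detection rules: the "sk-" / "sk-proj-" key prefixes and the three variable
# names the audit searches for. "\b" keeps "task-manager" from matching the sk- rule.
KEY_PATTERNS = {
    "sk_prefixed_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),
    "env_var": re.compile(r"\b(?:OPENAI_API_KEY|ANTHROPIC_API_KEY|GOOGLE_API_KEY)\s*[=:]\s*\S+"),
}
SKIP_DIRS = {".git", "node_modules", ".venv"}

def redact(secret):
    """Keep the prefix and last four characters so the report identifies the key type
    without copying the full credential into the audit findings."""
    return secret[:7] + "..." + secret[-4:] if len(secret) > 12 else "***"

def scan_text(text, path="<memory>"):
    """Return one finding per rule match, with line number and a redacted match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pat in KEY_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append({"path": path, "line": lineno, "rule": rule,
                                 "match": redact(m.group(0))})
    return findings

def scan_tree(root):
    """Walk a checked-out repository and scan every readable file as text."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as f:
                    findings.extend(scan_text(f.read(), path))
            except OSError:
                continue
    return findings

# Constructed samples with fake keys: a .env file and a script with a hardcoded key.
SAMPLE_ENV = "OPENAI_API_KEY=sk-proj-FAKE0000000000000000000000EXAMPLE\nDB_HOST=localhost\n"
SAMPLE_PY = 'client = OpenAI(api_key="sk-FAKE1111111111111111111111EXAMPLE")\n'

if __name__ == "__main__":
    for f in scan_text(SAMPLE_ENV, ".env") + scan_text(SAMPLE_PY, "app.py"):
        print(f"{f['path']}:{f['line']} {f['rule']} {f['match']}")
```

Point `scan_tree()` at a checkout to cover a whole repository; the `.env` variants and CI configuration files are picked up by the same walk.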
The Master Checklist
Use this checklist to track audit completion. Each item should be marked complete with findings documented.
| # | Audit Item | Phase | Status |
|---|---|---|---|
| 1 | Export firewall/proxy logs for last 90 days | Network | ☐ |
| 2 | Filter logs for all known AI service domains | Network | ☐ |
| 3 | Map source IPs to user accounts via directory service | Network | ☐ |
| 4 | Count unique users and frequency per AI service | Network | ☐ |
| 5 | Check DNS query logs for AI domains not in firewall logs | Network | ☐ |
| 6 | Pull installed browser extension inventory from all managed devices | Extensions | ☐ |
| 7 | Flag extensions with "read all site data" or clipboard permissions | Extensions | ☐ |
| 8 | Cross-reference flagged extensions against known AI extension list | Extensions | ☐ |
| 9 | Search expense reports for AI tool reimbursements (last 90 days) | SaaS Spend | ☐ |
| 10 | Search corporate card transactions for AI service charges | SaaS Spend | ☐ |
| 11 | Check procurement system for unapproved AI tool requests | SaaS Spend | ☐ |
| 12 | Check mobile app reimbursements for AI subscriptions | SaaS Spend | ☐ |
| 13 | Design and distribute anonymous employee AI usage survey | Survey | ☐ |
| 14 | Analyze survey results: tools used, data types, frequency | Survey | ☐ |
| 15 | Identify departments with highest shadow AI adoption | Survey | ☐ |
| 16 | Identify data categories most commonly pasted into AI tools | Survey | ☐ |
| 17 | Verify DLP policies cover browser uploads to AI domains | DLP | ☐ |
| 18 | Verify DLP covers clipboard/paste operations to AI sites | DLP | ☐ |
| 19 | Confirm AI service domains are in DLP monitoring scope | DLP | ☐ |
| 20 | Confirm sensitive data classifications apply to AI egress | DLP | ☐ |
| 21 | Scan all code repositories for AI API keys | API Keys | ☐ |
| 22 | Search .env files across development environments | API Keys | ☐ |
| 23 | Audit CI/CD secrets for AI service credentials | API Keys | ☐ |
| 24 | Check cloud secret stores for AI API credentials | API Keys | ☐ |
| 25 | Compile findings into risk-ranked inventory with remediation priorities | Final | ☐ |
Interpreting the Results
After completing all six phases, you will have three categories of findings:
Category 1: Known sanctioned tools with policy gaps
These are tools the organization has approved (e.g., GitHub Copilot, Grammarly) but where the usage exceeds the approved scope. For example, Copilot is approved for code suggestions but developers are also pasting customer data into ChatGPT for debugging. The tool is sanctioned; the usage pattern is not.
Action: Update policies to clarify approved vs. unapproved usage of sanctioned tools. Update DLP rules to enforce data category restrictions.
Category 2: Unsanctioned tools with low data sensitivity
These are consumer AI tools being used for tasks that do not involve sensitive data — rephrasing emails, generating meeting agenda templates, brainstorming. The tools are not approved, but the data risk is low.
Action: Decide whether to sanction these tools (if the cost is minimal and the risk is low) or redirect this usage to an internal alternative. Do not over-react to low-risk usage — treating benign productivity usage as a security incident damages trust and drives the behavior underground.
Category 3: Unsanctioned tools with high data sensitivity
This is the critical finding. Sensitive data — source code, customer PII, financial data, legal documents — flowing into consumer AI tools through personal accounts with no organizational controls.
Action: This requires immediate remediation. The priority order is:
- Deploy a sanctioned on-premise alternative for the specific use cases identified. If developers are pasting code into ChatGPT, they need an internal AI coding assistant. If legal teams are summarizing contracts, they need an internal AI document analysis tool. See How to Build a Sanctioned AI Alternative to ChatGPT for Your Enterprise.
- Update DLP policies to block or alert on sensitive data uploads to unsanctioned AI domains.
- Communicate with affected teams — not punitively, but to explain the risk and introduce the sanctioned alternative.
- Establish ongoing monitoring to detect new shadow AI tool adoption before it reaches the scale you just discovered.
After the Audit: Building the Remediation Plan
The audit is not the end — it is the input for a remediation plan. That plan should address four areas:
Sanctioned alternatives. For every high-risk usage pattern identified, determine what sanctioned tool or internal deployment will replace it. The goal is not to eliminate AI usage — it is to move AI usage onto infrastructure you control.
Policy. Draft or update your AI usage policy to reflect what the audit revealed. A policy that does not address the actual tools and use cases employees are using is a policy that will be ignored.
Monitoring. Implement continuous monitoring for the six categories audited above. The audit is a point-in-time snapshot; monitoring provides ongoing visibility. Set a quarterly cadence for repeating the full audit.
Training. Use the audit findings (anonymized) to build training materials. Showing employees that 45+ AI tools are being used across the organization, with specific data types at risk, is more persuasive than abstract security training.
Audit Cadence
Shadow AI is not a one-time problem. New AI tools launch weekly, employee adoption patterns shift, and the boundary between sanctioned and unsanctioned blurs as teams experiment.
Run the full audit quarterly. Between full audits, maintain continuous monitoring via network logs and DLP alerts. Update the AI service domain list monthly.
For the broader context on why shadow AI is a $19.5M risk and the structural fix beyond auditing, see Shadow AI: The $19.5M Enterprise Risk Your Security Team Can't See.