Shadow AI Audit — Human in the Loop Services

// 01

What It Is

Most leadership teams underestimate their AI footprint by 3–5x.

Every department is using something. Marketing is using ChatGPT for copy. Sales is using a meeting transcription tool. Engineering has Copilot and Cursor. HR is testing a hiring assistant. Finance pasted last quarter's actuals into Claude to "see what it would say." None of it is in your CIO's inventory.

A Shadow AI Audit fixes that — without forcing you to run it yourself or wait six months for an internal initiative to spin up.

// 02

What You Get

Five named, structured deliverables. Not a deck.

Every Shadow AI Audit produces the same artifacts so you can compare engagements quarter over quarter and your team can act without asking.

[ 01 ]

Full inventory spreadsheet. Every AI tool actually in use, by department, with metadata: intended use, who's using it, what data flows through it, monthly cost, contract terms, and owner. Searchable. Maintained as a deliverable, not a one-off scan.
[ 02 ]

Written report (~25 pages). Findings, risk ranking, prioritized recommendations. Written for an executive reader — your CEO can finish it in one sitting.
[ 03 ]

Risk-ranked findings map. Each discovered tool plotted on a two-axis matrix (data sensitivity × oversight gap). Makes the "what should we worry about first" question answerable in 30 seconds.
[ 04 ]

Executive deck (~15 slides). Board-ready presentation summarizing the report. Use it for your next leadership review or hand it to your audit committee.
[ 05 ]

12-month roadmap. Specific, prioritized recommended next steps. Not "consider adopting AI governance" — actual project-level recommendations with effort estimates and expected impact.

// 03

How It Works

Four weeks. Four phases. One readout.

Same playbook every engagement — you know exactly what's happening and when. Senior advisor sign-off at every gate.

Kickoff & setup

60-min kickoff call. Confirm scope, name stakeholders, schedule department-head interviews, draft the employee comms message.

Day 1 · Senior advisor leads

Data collection

Pull SaaS spend reports, procurement records, browser extension inventory, DLP/CASB logs. Anonymous 5-question employee survey goes out.

Week 1 · Analyst-led

Interviews + categorization

30-min structured interviews with each department head. Categorize discovered tools by use case, data class, oversight gap. Apply risk-ranking rubric.

Weeks 2–3 · Senior advisor sits in

Drafting + readout

Analyst drafts the deliverables. Senior advisor reviews and signs off. 90-minute live readout with your leadership team. Q&A.

Week 4 · Senior advisor delivers

// 04

Common Findings

What we usually surface. You're not the exception.

Three patterns show up in nearly every audit. Knowing this in advance doesn't make the audit less valuable — it makes the conversation faster.

[ 01 ]

Customer data is leaking into LLMs.

In every audit we've run, at least one team is pasting customer-identifiable data into a consumer ChatGPT account or similar. Usually not malicious — usually someone trying to be helpful and doesn't know the data terms.

[ 02 ]

Two or three teams are paying for the same capability.

Marketing has Jasper, Sales has Copy.ai, Operations has ChatGPT Team. Three subscriptions, similar feature set, no shared learning. Consolidation typically pays for the audit within 90 days.

[ 03 ]

High-risk use case nobody is monitoring.

Often a hiring AI, a customer service bot, or a financial document automation that one team rolled out, that materially affects people, and that has zero oversight. Not deliberately hidden — it just never came up at leadership.

[ 04 ]

Cost growth that isn't being attributed.

AI line items are growing 10–25% month-over-month, charged on department credit cards, never landing in your IT budget. Procurement has no view. Finance treats it as miscellaneous SaaS.

// 05

Who It's For

Mid-market companies. Operationally serious. Not yet under regulatory pressure.

// GOOD FIT IF

↗ 50–2,000 employees, deploying AI across multiple departments.
↗ COO, VP Ops, or CIO has been asked "what's our AI strategy" by the board.
↗ You suspect there's more AI use than you can name.
↗ You want a defensible answer before something embarrassing happens.

// NOT THE RIGHT FIT IF

↘ You're already in active EU AI Act conformity work — go to GovernMy.ai.
↘ You want a deck and a strategy session — go to a strategy consultancy.
↘ You want a software dashboard, not a human review — go to a governance SaaS vendor.
↘ You're a 5-person startup — see For Startups.

// 06

After the Audit

No high-pressure upsell. Just options.

After the readout you'll have a clear roadmap. Most clients pick one of three paths from there:

// PATH A

Take the roadmap and run it yourselves.

No retainer, no follow-on. We hand off completely. Some clients have the internal capacity and prefer this. We don't push back.

// PATH B

Move to an Operate retainer.

We become your standing operational layer — quarterly reviews, training cadence, vendor work, hotline access. Most common path.

// PATH C

Pick one Implement project.

Often Acceptable Use Policy, Tooling Architecture, or a specific Use Case Rollout flagged in the audit. Project-based, contained.

Shadow AI Audit.