AI Shadow Use Detection Quiz

Identify unauthorized AI tool use patterns in your organization

Answer questions about your controls, data handling, and tool procurement to gauge your exposure to shadow AI — employees using unapproved AI tools with company data — and get prioritized detection and governance recommendations. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What is shadow AI?

Shadow AI is the use of AI tools that have not been approved or vetted by the organization — typically employees pasting company data into consumer chatbots or installing AI browser extensions without oversight.

When approved AI tooling is slow or absent, employees route around it — pasting source code, customer records, or strategy documents into whatever consumer chatbot is fastest. That is shadow AI, and it is one of the most common ways sensitive data now leaves organizations. This quiz estimates your exposure and points to the controls that close the biggest gaps.

How it works

Tell the tool your organization size and industry, then rate ten controls as yes, partially, or no. The controls span the full shadow-AI lifecycle: whether you have a communicated policy and an approved-tool list, whether requesting a new tool is easy enough that people don’t bypass procurement, whether you monitor egress to AI domains, whether DLP flags sensitive data heading to AI services, whether staff are trained, and whether there is a no-blame way to report accidental exposure.

Each control is weighted by how much risk it mitigates. Missing controls add weighted exposure, partial controls add half, and the tool reports a percentage of weighted controls missing along with a low, moderate, or high band. For regulated industries it raises the priority of monitoring and DLP, since unsanctioned AI use there can create reporting obligations.

Tips and notes

The two cheapest high-impact moves are usually a clearly communicated AI acceptable use policy and visibility into traffic going to AI domains through your existing proxy, CASB, or DNS logs — you often already have the tooling and just need the AI destinations added.

Pair detection with a fast approval path. The reason shadow AI thrives is friction: if getting a useful AI tool approved takes weeks, people will use the unapproved one today. A lightweight intake form plus an enterprise-tier option with no-training terms removes most of the incentive. The quiz is an indicative self-assessment that runs entirely in your browser; use the gap list to brief security and leadership, not as a formal audit.

What shadow AI actually looks like in practice

Shadow AI does not typically look like an employee deliberately circumventing security. It looks like:

  • A developer pasting error logs into ChatGPT to debug faster, because the approved tool is slower
  • A salesperson uploading a customer’s proposal to an AI writing tool to draft a response
  • An analyst copying financial data into a browser-based AI to run quick calculations
  • A manager summarising a confidential strategy document in a consumer chatbot to prepare a presentation

Each of these feels like ordinary productivity to the person doing it. None of them have been approved. Each creates a record in a third-party system that may be retained, may be used for model training (under default consumer terms), and may contain data that triggers regulatory obligations if disclosed.

The high-risk categories in regulated industries are the clearest: a healthcare employee who pastes patient notes into an unapproved AI may have triggered a breach-reporting obligation. A financial services employee who uploads trading strategy to a consumer tool may have violated market sensitivity rules. But shadow AI creates real risk in any industry where confidential data has value — source code, unreleased product roadmaps, customer lists, merger discussions.

The control gap most organisations overlook

Most shadow AI governance programmes focus on policy (what employees are and are not allowed to do) and procurement (establishing an approved tools list). These are necessary but not sufficient, because neither gives you visibility into what is actually happening.

The detection gap is the missing piece: without monitoring for traffic to AI domains, you cannot know whether the policy is being followed. Employees who would never intentionally break security rules will use unapproved AI tools if they do not know those tools are unapproved, if the approved alternatives are significantly slower or more cumbersome, or if there is no visible consequence for using the unapproved tool.

DNS-level visibility is often the fastest path to detection without requiring new tooling — AI services like ChatGPT, Claude, Copilot, and Gemini have identifiable hostnames, and many organisations already log DNS queries for security purposes. Adding those domains to a watchlist creates immediate visibility into whether AI traffic is occurring and from which parts of the network.

Building the approval path that reduces shadow use

The goal is not to eliminate employees’ use of AI — it is to channel that use through safe routes. An approved tool that works slightly less well than the unapproved alternative will be bypassed; an approved tool that works equally well and has the right enterprise terms (no-training data processing agreement, SSO, audit logging) will be used.

Organisations that successfully reduce shadow AI typically offer: a clear list of approved tools with guidance on use cases, an enterprise-tier account on at least one major AI assistant that covers most text tasks, a lightweight intake process for teams that want a specialist tool (a form, a two-week review, not a committee and a six-month wait), and regular communication reminding employees that the policy exists and why it matters.