Comparison
ShadowLock vs Control D for shadow AI
Control D is a transparently priced DNS filter. ShadowLock is a transparently priced shadow AI control across three layers — endpoint, browser, and Microsoft 365 tenant. Both publish their pricing — but only one of them can read pastes and scan your tenant for AI OAuth grants.
The wedge
Control D blocks the resolver request. ShadowLock blocks the paste. If your shadow AI policy is binary (allow / deny by domain) and your devices reliably resolve through Control D, the DNS layer is enough. The moment policy needs to be content-aware, you need the endpoint.
Side by side
| Dimension | ShadowLock | Control D |
|---|---|---|
| Where it sees AI | Endpoint clipboard + browser + M365 tenant via Microsoft Graph. | DNS resolver only. |
| M365 tenant / Copilot OAuth | Graph integration scans for AI OAuth grants and Copilot plugins; alerts on new consent. | Not visible at the DNS layer — OAuth consent never produces a resolver query from the endpoint. |
| Embedded AI inside approved SaaS | Caught at the paste layer. | Not caught — same blind spot as any DNS filter. |
| Data classification | Local Shannon entropy + Luhn + tiered confidence on every paste. | None — DNS is categorical, not content-aware. |
| Pricing | Public $0.80–$1.00/device/month, no minimum. | Transparent — $2/endpoint/month; MSP $150/month minimum. |
Two transparent prices, two different layers
What ShadowLock and Control D share is procurement transparency — both publish their pricing in an MSP market where most browser-security and DLP competitors don\'t. What they don\'t share is layer.
Control D resolves a name, decides allow or block, and the rest of the stack never sees the request. ShadowLock runs after the connection — inside the device — and decides allow or block based on what the user actually pastes. The two are complementary far more than they\'re competitive: most shops that take shadow AI seriously run a DNS layer for the easy categorical wins and an endpoint layer for the nuanced ones.
Which one fits your situation?
Choose ShadowLock when…
- ✓You need content-level enforcement — "allow ChatGPT but block sensitive pastes."
- ✓You use Copilot, Notion AI, or any embedded AI inside approved SaaS that DNS can't separate.
- ✓You need clipboard-level classification for HIPAA, SOC 2, or GDPR.
- ✓You can't guarantee every device routes through the Control D client every time.
Control D still fits if…
- •You want a transparently priced DNS filter as a baseline network-edge layer.
- •Your AI threat model is "block every AI domain at the resolver" and that genuinely satisfies your governance team.
Frequently asked questions
Do ShadowLock and Control D conflict on the same endpoint?+
No. Different layers — Control D is a DNS resolver / roaming client; ShadowLock is a Windows service. They run alongside cleanly.
Can Control D block AI features embedded in approved SaaS?+
No — same blind spot as any DNS filter. Copilot, Notion AI, and Einstein all resolve to allowed domains. ShadowLock catches them at the paste layer.
How does the pricing compare?+
Control D is $2/endpoint/month with a $150/month MSP minimum. ShadowLock is $1.00 → $0.80/device/month with no minimum. Different layers, similar transparency.
Compare ShadowLock to other shadow AI tools
Researching alternatives? Honest side-by-side comparisons against every MSP-channel shadow AI tool.