Shadow AI discovery
Before you can govern shadow AI, you have to find it. Shadow AI discovery inventories every AI tool, browser extension, and Microsoft 365 AI OAuth grant already in use — the baseline you build an allow-list from, and the starting point for ongoing detection.
What is shadow AI discovery?
Shadow AI discovery is the point-in-time inventory of every unsanctioned AI tool already in use across an organization — desktop apps, browser tools and extensions, and Microsoft 365 AI OAuth grants. It is the audit that answers "what AI is already here?" before you decide what to allow and what to block.
Discovery — “what AI is already here?”
A one-time inventory that sizes the problem: which tools, how many users, where each was found, and how risky each is. You hand this to leadership and use it to draw up the allow-list.
Detection — “what is happening now?”
Continuous monitoring that enforces the allow-list and catches risky pastes as they happen. See shadow AI detection →
What discovery inventories.
Three layers, one ranked inventory.
Desktop AI applications
The Windows agent fingerprints installed and running desktop AI apps via signed binary hashes — Claude, ChatGPT, Ollama front-ends, and the rest — so you get a per-device inventory of what is already on disk, not just what is running today.
Browser AI tools & extensions
The managed browser extension enumerates AI tools reached in the browser and AI-related extensions installed, including the niche tools an IT team has never heard of. This is where most shadow AI lives, and where a network scan sees the least.
Microsoft 365 AI OAuth grants
Via Microsoft Graph, ShadowLock surfaces AI apps and Copilot add-ins that users have consented into the tenant — the OAuth grants that quietly give a third-party AI access to mail and files. These never touch the endpoint, so an agent-only tool misses them entirely.
A ranked inventory you can act on
Discovery rolls up into a single multi-tenant view: every AI tool, where it was found, how many users, and a risk read on each. That inventory is the baseline you hand to leadership — and the starting point for the allow-list that detection then enforces.
Shadow AI discovery FAQ
What is the difference between shadow AI discovery and detection?
Discovery answers "what AI is already here?" — a point-in-time inventory of every AI tool, extension, and OAuth grant across your org. Detection answers "what is happening now?" — ongoing monitoring that catches AI use and risky data as it occurs. You discover first to size the problem and build an allow-list, then detection enforces it continuously.
What does a shadow AI inventory include?
A complete shadow AI inventory spans three layers: desktop AI applications installed on Windows endpoints, browser-based AI tools and AI extensions, and Microsoft 365 AI OAuth grants (third-party AI apps and Copilot add-ins consented into the tenant). A tool that only watches one layer produces a partial inventory.
Can you discover shadow AI without installing an agent?
For a one-time look, yes — ShadowLock offers a lightweight scan that inventories installed AI apps, browser extensions, and AI browsing history on a machine without admin rights or a permanent install. For continuous discovery and Microsoft 365 OAuth visibility, the managed agent and Graph integration give the complete, always-current picture.
How long does shadow AI discovery take?
Endpoint and browser discovery begins reporting within an hour of rolling out the agent and extension via RMM and enterprise browser policy. Microsoft 365 OAuth discovery is available as soon as the Graph integration is connected. You typically have a usable first inventory the same day.
How ShadowLock compares
Researching alternatives? Honest side-by-side comparisons against every MSP-channel shadow AI tool.
Browser-only. We add endpoint and M365 tenant.
Blocks AI apps. We inspect the prompt content.
Resolver-layer only. Blind to embedded AI and M365 OAuth.
Browser isolation. We are purpose-built for shadow AI.
Governs shadow AI inside the E5 stack. We need no E5 license.
Find every AI tool already in your environment
Free 14-day trial. First inventory the same day, then detection takes over.