Free Tool

Shadow AI Risk Calculator

Answer seven questions about your organization and current controls. Get a directional risk score, the top gaps in your shadow AI program, and the recommended next steps. Runs entirely in your browser. No inputs leave your device.

How the score works

Methodology

The risk score combines two factors: exposure (driven by organization size and industry, where more employees and more regulated industries increase the volume and severity of likely shadow AI activity), and control gaps (driven by which of the five foundational controls are missing).

The five controls assessed are: a written acceptable use policy (AUP), technical monitoring, blocking of sensitive data, an AI vendor inventory with DPAs, and employee training. These map cleanly to SOC 2 CC6.1 / CC7.2 / CC9.2 and to HIPAA / GDPR equivalents.

This is a directional score, not a formal audit. Useful for board-level risk conversations and for prioritizing your governance roadmap. For a formal assessment, consult a qualified auditor.

Frequently asked

Calculator FAQ

What is a shadow AI risk assessment?

A shadow AI risk assessment evaluates an organization's exposure to data leakage and compliance failures from employee use of unsanctioned AI tools. The assessment typically considers two factors: how likely shadow AI activity is in your environment (driven by org size and industry), and how complete your existing controls are (policy, monitoring, blocking, vendor inventory, training).

How accurate is this shadow AI risk calculator?

This calculator gives you a directional score, useful for board-level risk conversations and for prioritizing your governance roadmap. It is not a substitute for a full risk assessment by a qualified auditor. The model weights are based on patterns we see across hundreds of customer environments; your specific situation may vary.

What is considered a high shadow AI risk score?

A score above 50 indicates high risk: your exposure is meaningful and your controls are not yet covering it. Above 75 is critical, typically organizations with no written policy, no monitoring, and either large headcount or a regulated industry. Most organizations starting their AI governance program score between 60 and 90 on first assessment.

How do I lower my shadow AI risk score?

The fastest path to lowering the score is to close the five control gaps in order: written policy first (low effort, high impact), then technical monitoring, then blocking of the highest-risk data categories, then vendor inventory with DPAs, then training. ShadowLock customers typically move from critical to moderate within a single quarter.
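The two-factor model from the methodology section above, together with the score bands (above 50 high, above 75 critical) and the recommended order for closing gaps given in this FAQ, as an added worked example in JavaScript. This is not ShadowLock's calculator code: every control weight, exposure multiplier, blend ratio and the lower band boundaries are assumptions chosen only so the output lands in the ranges the page describes, and the sample input at the bottom is constructed.

```javascript
// Illustrative shadow AI risk scoring model (added example, not ShadowLock's code).
// Score = 100 * exposure(size, industry) * controlGap(controls), rounded to an integer.
// All weights and multipliers below are assumptions, not the vendor's real model.

// The five foundational controls, listed in the page's recommended remediation order.
// Assumed weights: a missing control adds its weight to the gap; weights sum to 1.0.
const CONTROLS = [
  { key: "policy",     label: "Written acceptable use policy",      weight: 0.30 },
  { key: "monitoring", label: "Technical monitoring of AI usage",   weight: 0.25 },
  { key: "blocking",   label: "Blocking of sensitive data uploads", weight: 0.20 },
  { key: "vendors",    label: "AI vendor inventory with DPAs",      weight: 0.15 },
  { key: "training",   label: "Employee training",                  weight: 0.10 },
];

// Assumed exposure multipliers (0..1): larger headcount and regulated industries
// raise the volume and severity of likely shadow AI activity.
const SIZE_EXPOSURE = { small: 0.5, medium: 0.8, large: 1.0 };
const INDUSTRY_EXPOSURE = { general: 0.6, regulated: 1.0 };

// Exposure factor in 0..1; assumption: equal blend of the two drivers.
function exposureFactor(size, industry) {
  const s = SIZE_EXPOSURE[size];
  const i = INDUSTRY_EXPOSURE[industry];
  if (s === undefined || i === undefined) {
    throw new Error(`unknown size "${size}" or industry "${industry}"`);
  }
  return 0.5 * s + 0.5 * i;
}

// Fraction of total control weight that is missing. `controls` maps a control
// key to a boolean (true = control is in place); absent keys count as missing.
function controlGap(controls) {
  let missing = 0;
  for (const c of CONTROLS) {
    if (!controls[c.key]) missing += c.weight;
  }
  return missing;
}

// Directional score on a 0..100 scale.
function riskScore(size, industry, controls) {
  return Math.round(100 * exposureFactor(size, industry) * controlGap(controls));
}

// Band boundaries: >75 critical and >50 high come from the page; the 25 cut
// between moderate and low is an assumption.
function riskBand(score) {
  if (score > 75) return "critical";
  if (score > 50) return "high";
  if (score > 25) return "moderate";
  return "low";
}

// Missing controls, already in the order the page recommends closing them.
function topGaps(controls) {
  return CONTROLS.filter((c) => !controls[c.key]).map((c) => c.label);
}

// Full assessment: score, band and the prioritized gap list.
function assess(size, industry, controls) {
  const score = riskScore(size, industry, controls);
  return { score, band: riskBand(score), gaps: topGaps(controls) };
}

// Constructed sample input: a large, regulated organization whose only control
// in place is employee training.
const sample = assess("large", "regulated", { training: true });
console.log(JSON.stringify(sample, null, 2));
```

With the assumed weights, an organization that has none of the five controls scores 100 times its exposure factor, which is why a mid-sized general-industry company starting from nothing lands at 70 (high) and a large regulated one at 100 (critical); closing the written policy alone removes the single largest weight, matching the "low effort, high impact" ordering above.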

Does this calculator store my inputs?

No. The entire calculation runs in your browser. No inputs are sent to ShadowLock or any third party. Refresh the page and the inputs are gone. Feel free to use it for sensitive internal risk conversations.

From score to working program

Knowing your risk is the first step. ShadowLock closes the technical control gap in under an hour.

See shadow AI detection