Shadow AI Protocol

Know what AI your organisation is actually running — the starting point for strategy, governance, and compliance.

Fixed scope
EU AI Act Article 26 compatible
Get in touch →

The problem

"Shadow AI is the rule, not the exception."

Someone in your organisation is using ChatGPT on company data. Your marketing team is generating content with AI tools that have never been reviewed. Operations built an LLM-powered automation that IT doesn't know exists. You cannot govern what you haven't mapped.

Risk 1: Data leakage

Client data and IP transmitted to external AI models without legal, CISO, or DPO awareness. A GDPR breach waiting to be discovered.

Risk 2: Compliance exposure

EU AI Act Article 26 requires an AI system inventory as the first step. Most organisations don't have one. August 2026 is approaching.

Risk 3: Invisible dependencies

Business processes built on unsanctioned AI tools. When those tools change policy or disappear, operations stop with no warning.

Shadow AI is unpaid R&D. The job isn't to shut it down — it's to find it, learn from it, and pave the road.

Method

Three layers of discovery.

We start with facts, not policy. Three discovery layers overlap to ensure nothing is missed.

1. Technical discovery

DNS/proxy logs, SaaS spend data, SSO logs — what is actually flowing through your infrastructure.

2. Process discovery

Anonymous employee survey (15 questions) and up to 10 stakeholder interviews — what people actually do, not what they think they should.

3. Policy discovery

Review of existing documentation and gap analysis — what policies say versus what they actually enforce.
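As an added example, not part of this page or of the service it describes: a first pass at the technical-discovery layer in Python, scanning proxy-log lines for traffic to AI services and aggregating it into a machine-readable register entry per service (distinct users, request count, bytes uploaded, first and last seen). The log line format and the service catalogue are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed catalogue of AI-service host suffixes (illustrative; maintain your own).
AI_SERVICE_SUFFIXES = {
    "openai.com": "OpenAI (ChatGPT / API)",
    "anthropic.com": "Anthropic (Claude API)",
    "claude.ai": "Anthropic (Claude web)",
    "gemini.google.com": "Google Gemini",
}

# Assumed proxy-log format: "<ISO-8601 timestamp> <user> <method> <host> <bytes sent>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def classify_host(host):
    """Return the AI service for a host (exact or subdomain match), else None."""
    host = host.lower()
    for suffix, name in AI_SERVICE_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def build_register(lines):
    """Aggregate log lines into one JSON-serialisable register entry per AI service."""
    seen = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_sent": 0, "ts": []})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the whole run
        ts, user, _method, host, sent = m.groups()
        service = classify_host(host)
        if service:
            e = seen[service]
            e["users"].add(user)
            e["requests"] += 1
            e["bytes_sent"] += int(sent)  # upload volume is the data-leakage signal
            e["ts"].append(ts)  # same-format ISO timestamps sort lexically
    return [
        {"service": s, "users": sorted(e["users"]), "requests": e["requests"],
         "bytes_sent": e["bytes_sent"], "first_seen": min(e["ts"]), "last_seen": max(e["ts"])}
        for s, e in sorted(seen.items())
    ]

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    "2025-03-03T09:12:01Z alice POST api.openai.com 48213",
    "2025-03-03T09:15:44Z bob POST chat.openai.com 1200",
    "2025-03-04T14:02:10Z carol POST claude.ai 90500",
    "not a log line",
]
```

The output is the raw material for the register and risk-tier steps below: upload volume per service points at data-leakage exposure, and the user list shows which teams depend on a tool nobody has reviewed.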

What you get

Facts, not recommendations.

  • AI System Register

    Article 26-compatible, machine-readable, ready to feed directly into a Readiness Sprint.

  • Risk-tier classification

    Every identified AI system classified by data sensitivity and business criticality.

  • Exposure assessment

    Which areas require immediate action, which can wait, which can be accepted.

  • Executive summary

    Board, audit committee, and regulator-ready presentation. No technical jargon.

Who it's for

The problem owner.

CRO

Owns regulatory risk. Needs facts to know what to manage.

CISO

Owns data security. Shadow AI is an invisible attack vector.

CCO

Owns compliance. Article 26 requires an inventory as the mandatory first step.

DPO

Owns GDPR. Unauthorised AI model data processing is an Article 22 exposure.

Regulatory deadline

EU AI Act enforcement — August 2026.

An inventory is an Article 26 requirement for high-risk systems. A proposed Digital Omnibus amendment may extend the deadline to December 2027 — but it is not yet adopted. The original August 2026 date remains legally binding.

Book a slot →

Ready to find out what's actually running?

Every engagement starts with a short conversation. No commitment, just specifics.

Let's talk →