For CISO · Head of IT · Security Operations

Shadow AI Discovery Checklist.

Five discovery categories for finding unapproved AI use in your organization: network signals, expense reports, SSO and OAuth grants, browser extensions, and a voluntary employee interview script. These are discovery questions, not employee surveillance. Pair the findings with the AI Vendor Intake Form for going-forward approval, and with the AI System Card to document what you choose to keep.


What this is — and is not

What it is: a structured set of discovery questions for IT and security teams to find AI tools in use that were never formally approved. Output is a working list with owners and next actions — not a verdict on individual employees.

What it isn't: a surveillance tool, a license to monitor individual employees beyond your existing acceptable-use policy, or legal advice. The employee-interview category is voluntary and anonymized by design; running it any other way in the EU, the UK or California may create exposure under GDPR, UK GDPR or CPRA respectively. Consult your privacy counsel before any employee-facing portion.

The categories were chosen to mirror what surfaces in real shadow-AI audits. The checklist pairs with NIST AI RMF 1.0 (Govern and Map functions) and ISO/IEC 42001:2023 (Annex A.2 AI policy and A.9.4 intended use of the AI system).