Shadow AI Discovery Checklist
A shadow AI discovery checklist helps identify AI tools and workflows used outside approved governance, security, procurement, or data protection processes.
Primary Audience & Scope
Security, IT, Privacy, data owners, AI governance
When to Use
- •Building or reviewing the related program activity.
- •Preparing a repeatable workflow.
- •Creating site-downloadable working content.
Interactive Work Area
Fill or track items interactively and copy out to your Clipboard
Template Table Structure
| Field | Working prompt | Template field | Reader input |
|---|---|---|---|
| Resource owner | — | Review date | — |
| Scope | — | Relevant system/data/process | — |
| Business owner | — | Control or procedure link | — |
| Evidence location | — | Action owner | — |
| Status | Not started / in progress / complete / exception | — | — |
Checklist Audit List
Review browser/security logs for AI domains.
Review CASB/SSE/SaaS discovery for AI services.
Review DLP events involving prompts, uploads, and AI domains.
Review expense and procurement data for AI subscriptions.
Survey teams for business AI use cases.
Classify discovered tools by data sensitivity and business need.
Assign owner and remediation path.
Update approved AI catalog and training.
What Completion Looks Like
- 1Required inputs complete.
- 2Action owners assigned.
- 3Evidence retained.
- 4Related risk/control/procedure linked.
- 5Review cadence established.
Insider Risk Capability Framework™ (IRCF™) Alignment
Operationalize This Template in RiskTKO®
Use RiskTKO® or request ITMG® support to adapt this template, align it to the Insider Risk Capability Framework™, and connect the output to measurable exposure reduction. DLP Policy Review Checklist