Shadow AI: what's actually happening inside the firm

Traditional SaaS management tools cannot solve the AI problem because they look in the wrong place. Most CASB / SSPM tools draw from three sources:

• Finance integrations — only contract-visible AI (e.g. ChatGPT Enterprise, Copilot for M365). Personal or team subscriptions bought on a corporate card don't appear in this report.
• SSO logs — only AI apps that have been wired into SSO. A developer who signs into ChatGPT with a Google account never lands in the SSO log.
• Network proxy / DLP — domain-level visibility exists, but you can't see which user, which device, which account type. And proxy/DLP inspects content. We don't believe in that.

All three share the same blind spot: they don't see what's actually happening on the endpoint. Not the IDE extension (Cursor, Copilot), not the CLI tool (ollama, Claude Code), not the personal-account browser session.

AI usage in an organisation happens across three to four distinct layers. Each requires a different discovery method:

1. Browser-based AI (the most visible one)

ChatGPT.com, claude.ai, gemini.google.com, perplexity.ai, copilot.microsoft.com. A browser extension can see every visit; the account type (corporate SSO vs personal) and the page's target score (personal data / foreign / no SSO) can be captured. We track the action, not the content.

2. IDE-extension AI

GitHub Copilot, Cursor, Continue, Codeium. This category escapes classic SaaS management entirely — because these aren't SaaS, they're IDE extensions. Catching them requires scanning the installed-extension inventory on the endpoint.

3. CLI / local AI tools

ollama, llama.cpp, lm-studio, Claude Code, Cursor agent mode. Developers are now running local models — uncontrolled data flow begins here. Again, only endpoint discovery sees it.

4. Embedded AI inside suites

M365 Copilot, Notion AI, Slack AI, Zoom AI Companion, Adobe Firefly. These activate via opt-in inside an existing corporate subscription; one admin clicks once, IT never finds out. They don't show up in licence data because they aren't a new purchase.

Once the shadow AI inventory exists, the second trap is to assume "block" is the only available action. In practice that fails, because employees route around it. CenseCloud's AI governance page→ offers a four-tier control ladder:

• Sanctioned — approved by IT/security, used with a corporate account. Risk score suppressed, usage monitored.
• Monitored — not banned but watched. The user stays visible, no alert, but behaviour telemetry flows.
• Conditional — conditional access (e.g. corporate account only, certain roles only). The browser extension warns on any session that violates the condition.
• Blocked — last resort. The user gets a coaching screen explaining why, and pointing to the sanctioned alternative.

This ladder makes real governance possible without falling into the binary of "ban / free for all".

• Build the list of known corporate AI contracts (M365 Copilot, ChatGPT Enterprise, Gemini Business, etc.). Add them to your "sanctioned" list.
• Run an IDE-extension inventory scan across endpoints. See how many AI extensions are installed, how many have a corporate contract behind them.
• For browser-side AI visits, collect the account-type signal (corporate SSO vs personal). Domain alone is not enough.
• Before reaching for "block", create room for coaching and redirection — the answer to "why is the user using this tool" is sometimes "we need a new corporate subscription".

"We banned AI" is now a meaningless sentence, because which AI is almost never an answered question. The right order is: first, inventory the four layers; second, tier the control; third, train the user. People who reverse this order live the same blind spot today on AI that they lived two years ago on SaaS.

CenseCloud builds this inventory from the endpoint up. See the Shadow AI solution page→ or the platform architecture→ for the full picture.