See every SaaS and AI application in use.
Discover Shadow IT, Shadow AI and hidden data exposure across your organization · before they become security and compliance incidents.
- SaaS Discovery
- Shadow AI Detection
- Risk Scoring
- KVKK & GDPR Monitoring
- Access Reviews
Risk inventory
Pending Discoveries
Sorted by risk level · awaiting inventory or enforcement decision
You can't govern what you can't see.
Employees adopt AI and SaaS tools faster than IT can track them. Procurement contracts, SSO directories and finance reports show what you bought · not what is actually being used.
- Shadow AIChatGPT, Claude, Copilot, Gemini, Cursor · new AI tools land on a weekly cycle. Most never pass through procurement and none show up in your SSO.
- Shadow SaaSFree tiers, personal accounts, browser-only signups. Modern SaaS is one click and a corporate email away. You contracted for a dozen; your endpoints see hundreds.
- Hidden data exposureCustomer data pasted into AI prompts. Files uploaded to foreign cloud. OAuth scopes that give third-parties read-write access to your mailboxes.
Contracted vs actually in use
See every AI and SaaS application in use.
Three independent signals correlated into one inventory: the endpoint agent watches foreground applications, the browser extension watches SSO redirects and OAuth grants, identity sync watches who logs in where. Whatever evades one signal is caught by another.
- Endpoint agentWatches foreground applications on Windows desktops. Sees what users actually opened · not what finance contracted for.
- Browser extensionWatches SSO redirects, OAuth consents and direct sign-in events. Catches personal-account signups and consumer-AI usage that bypass SSO entirely.
- Identity correlationActive Directory / Azure AD / LDAP sync. Every detected SaaS is attributed to a known directory identity · or flagged as an unknown account on a managed device.
Caught last week
Understand the risk behind every application.
Three independent risk layers · compliance, security posture and behavioral signals, scored separately, then composited. Every score traces to a rule, every rule to a signal, every signal to a piece of evidence you can hand to a regulator.
- ComplianceKVKK, GDPR, ISO 27001, NIST AI RMF · scored as independent dimensions, not buried in an aggregate.
- Security postureEncryption, MFA, breach history, data residency, account type, authentication mode (SSO vs password).
- BehavioralVolume of use, sensitivity of data shared, OAuth scope risk, paste & upload patterns from the endpoint.
ChatGPT · CenseRisk score
Every number is defendable. Trace any score back to the rule that fired and the evidence behind it.
Know where your data is going.
Every detected SaaS is annotated with the data it touches and the jurisdiction it lives in. Foreign cloud, personal data and AI training · you see the combination before the regulator does.
- Jurisdiction mapWhich countries store your data, which sub-processors are involved, where the legal entity actually lives.
- OAuth permission auditEvery OAuth grant catalogued by scope risk: read-mail, write-files, full impersonation. Reviewable per app and per user.
- AI training opt-inDoes the AI tool's default tier train on customer prompts? Flagged automatically; mitigations surfaced · enterprise tier, no-train clause, paste block.
OAuth scope risk
Stay compliant without chasing spreadsheets.
RoPA, VERBİS, KVKK Article 12, GDPR Article 30, ISO 27001 A.5.23 · every artefact is pulled from the live inventory, not assembled by hand the week before the audit.
Live RoPA
Records of Processing Activities auto-derived from the inventory. Updates the moment your stack changes · not the moment the deadline does.
VERBİS export
Turkish data-controller register columns mapped 1:1. Quarterly updates take minutes, not weeks.
Evidence per app
Every classification traces to a rule, every rule to a piece of evidence. Auditors verify · they don't have to take your word.
Verify access continuously.
Joiner, mover and leaver derived from directory signals. Five lifecycle states surfaced as three concrete action queues · and an access review workflow that completes in days, not quarters.
AD / LDAP / Azure AD
Multi-DC lastLogon read with MAX semantics. Replication delay never lies about who's still active.
SSO + OAuth visibility
Who signed into what, with which scopes, via which IdP. Personal-account sign-ins on managed devices are flagged separately.
Access review workflow
Per-app, per-user attestation campaigns with evidence packs, deadlines and reminders. Reviewers see what they're approving.
Joiner / Mover / Leaver
Five lifecycle categories surfaced as three action buckets: new hires to onboard, dormant accounts to reclaim, leavers to confirm.
Move from visibility to action.
Most SSPMs report. CenseRisk enforces. The policy engine runs where the user is · at the endpoint agent and inside the browser extension, so the block happens before the action completes, not via a ticket two days later.
Approved tool. Free use, full inventory presence.
Allowed with logging · every interaction recorded for review.
Allowed with constraints · paste blocked, upload throttled, justification required.
Hard block at the endpoint and the extension. The user sees the block before the action completes.
Built for the operators, not the dashboard.
Four things that don't show up on the feature checklist but separate CenseRisk from the generic SSPM.
Built for KVKK first
Not a GDPR product with a KVKK appendix. KVKK has its own scoring layer, VERBİS gets a 1:1 export, RoPA derives from the live inventory.
Enforcement at the endpoint
Most SSPMs raise alerts. CenseRisk blocks · at the agent and at the extension, on the user's screen, in real time. Not a ticket to IT.
Three-signal access decisions
Device trust + directory identity + browser session mode · combined at every access event. The same SaaS carries different risk on a corporate vs personal account.
Audit-ready by design
Every score traces to a rule, every rule to a signal. Defendable in front of a regulator · not just on a board slide.
AI governance, not just AI detection.
Detection is week one. Governance is what you ship when the auditor asks how personal data is handled inside ChatGPT, Copilot or Cursor · and whether you've classified them under the EU AI Act risk tiers.
Four-state guardrail ladder
Sanctioned · Monitored · Conditional · Blocked. Move tools along the ladder as your policy matures. One-click escalation.
AI Act risk tier
Tools classified by EU AI Act risk category · unacceptable, high, limited, minimal. Surfaces in compliance reports.
Embedded AI detection
IDE extensions, CLI tools, locally-running models · caught by the endpoint collector, not just by network sniffing.
Paste & upload control
Block paste into a specific AI tool. Require justification. Allow only via corporate SSO. Enforced at the agent and the extension.
See CenseRisk against your own SaaS surface in 30 minutes.
Bring 20 devices and a domain controller. We'll show you what's actually in use · and what to do about it.
