Skip to content
CenseRisk

See every SaaS and AI application in use.

Discover Shadow IT, Shadow AI and hidden data exposure across your organization · before they become security and compliance incidents.

  • SaaS Discovery
  • Shadow AI Detection
  • Risk Scoring
  • KVKK & GDPR Monitoring
  • Access Reviews
app.censecloud.com/censerisk
CenseRisk

Risk inventory

AllHighPending
Critical Risk
2
Urgent action required
High risk
1
Review this week
Pending
3
Awaiting approval

Pending Discoveries

Sorted by risk level · awaiting inventory or enforcement decision

Critical
All Sources
🔍SaaS or domain…
PDF24 ToolsPending
tools.pdf24.org
Cloud StorageCritical1
Unmanaged accountForeign data+3 more
2 days ago
ChatGPTPending
chatgpt.com
AI ToolCritical1
Foreign dataPersonal data+14 more
4 days ago
Microsoft CopilotPending
copilot.microsoft.com
AI ToolHigh0
Foreign dataPersonal data+5 more
2 days ago
Apply Policy
Block file sharing
Block paste
Block access
Whitelist (safe)
Policy applied
The visibility gap

You can't govern what you can't see.

Employees adopt AI and SaaS tools faster than IT can track them. Procurement contracts, SSO directories and finance reports show what you bought · not what is actually being used.

  • Shadow AI
    ChatGPT, Claude, Copilot, Gemini, Cursor · new AI tools land on a weekly cycle. Most never pass through procurement and none show up in your SSO.
  • Shadow SaaS
    Free tiers, personal accounts, browser-only signups. Modern SaaS is one click and a corporate email away. You contracted for a dozen; your endpoints see hundreds.
  • Hidden data exposure
    Customer data pasted into AI prompts. Files uploaded to foreign cloud. OAuth scopes that give third-parties read-write access to your mailboxes.
app.censecloud.com/discovery/gap
The visibility gap

Contracted vs actually in use

REVIEW
Contracted12
Actually in use142
New AI / 30 days47
OAuth grants · write scope8
What slipped through
Claude.ai
9 users · personal account
Notion AI
14 users · workspace add-on
ElevenLabs
3 users · foreign + personal
+ 89 more this month
Step 1 · Discovery

See every AI and SaaS application in use.

Three independent signals correlated into one inventory: the endpoint agent watches foreground applications, the browser extension watches SSO redirects and OAuth grants, identity sync watches who logs in where. Whatever evades one signal is caught by another.

  • Endpoint agent
    Watches foreground applications on Windows desktops. Sees what users actually opened · not what finance contracted for.
  • Browser extension
    Watches SSO redirects, OAuth consents and direct sign-in events. Catches personal-account signups and consumer-AI usage that bypass SSO entirely.
  • Identity correlation
    Active Directory / Azure AD / LDAP sync. Every detected SaaS is attributed to a known directory identity · or flagged as an unknown account on a managed device.
app.censecloud.com/discovery/feed
Live discovery

Caught last week

last 7d
ChatGPT (personal)
18 users · 4d ago · personal account
CRITICAL
Cursor IDE
4 users · 1d ago · embedded AI
HIGH
PDF24 Tools
1 user · 2d ago · foreign + unmanaged
CRITICAL
Linear
12 users · 1d ago · sanctioned
OK
+ 38 more this week
Step 2 · Risk engine

Understand the risk behind every application.

Three independent risk layers · compliance, security posture and behavioral signals, scored separately, then composited. Every score traces to a rule, every rule to a signal, every signal to a piece of evidence you can hand to a regulator.

  • Compliance
    KVKK, GDPR, ISO 27001, NIST AI RMF · scored as independent dimensions, not buried in an aggregate.
  • Security posture
    Encryption, MFA, breach history, data residency, account type, authentication mode (SSO vs password).
  • Behavioral
    Volume of use, sensitivity of data shared, OAuth scope risk, paste & upload patterns from the endpoint.
● Risk decomposition

ChatGPT · CenseRisk score

Composite · HIGH
Compliance18 / 25
KVKKGDPR · Art. 30AI Act · limited
Security11 / 15
foreign cloudpersonal accountno SSO
Behavior24 / 30
high paste freqbroad OAuthtraining opt-in
Composite
53/ 70

Every number is defendable. Trace any score back to the rule that fired and the evidence behind it.

Step 3 · Data flow

Know where your data is going.

Every detected SaaS is annotated with the data it touches and the jurisdiction it lives in. Foreign cloud, personal data and AI training · you see the combination before the regulator does.

  • Jurisdiction map
    Which countries store your data, which sub-processors are involved, where the legal entity actually lives.
  • OAuth permission audit
    Every OAuth grant catalogued by scope risk: read-mail, write-files, full impersonation. Reviewable per app and per user.
  • AI training opt-in
    Does the AI tool's default tier train on customer prompts? Flagged automatically; mitigations surfaced · enterprise tier, no-train clause, paste block.
● OAuth audit · third-party app

OAuth scope risk

REVIEW
Mail · read + write
HIGH
Files · read + write
HIGH
Calendar · read
MEDIUM
Directory · read
LOW
4 scopes granted · 2 high-riskRevoke →
Step 4 · Compliance

Stay compliant without chasing spreadsheets.

RoPA, VERBİS, KVKK Article 12, GDPR Article 30, ISO 27001 A.5.23 · every artefact is pulled from the live inventory, not assembled by hand the week before the audit.

KVKKGDPRRoPAVERBİSISO 27001NIST AI RMF

Live RoPA

Records of Processing Activities auto-derived from the inventory. Updates the moment your stack changes · not the moment the deadline does.

VERBİS export

Turkish data-controller register columns mapped 1:1. Quarterly updates take minutes, not weeks.

Evidence per app

Every classification traces to a rule, every rule to a piece of evidence. Auditors verify · they don't have to take your word.

Step 5 · Access governance

Verify access continuously.

Joiner, mover and leaver derived from directory signals. Five lifecycle states surfaced as three concrete action queues · and an access review workflow that completes in days, not quarters.

AD / LDAP / Azure AD

Multi-DC lastLogon read with MAX semantics. Replication delay never lies about who's still active.

SSO + OAuth visibility

Who signed into what, with which scopes, via which IdP. Personal-account sign-ins on managed devices are flagged separately.

Access review workflow

Per-app, per-user attestation campaigns with evidence packs, deadlines and reminders. Reviewers see what they're approving.

Joiner / Mover / Leaver

Five lifecycle categories surfaced as three action buckets: new hires to onboard, dormant accounts to reclaim, leavers to confirm.

Step 6 · Enforcement

Move from visibility to action.

Most SSPMs report. CenseRisk enforces. The policy engine runs where the user is · at the endpoint agent and inside the browser extension, so the block happens before the action completes, not via a ticket two days later.

Step 01
Sanctioned

Approved tool. Free use, full inventory presence.

Step 02
Monitored

Allowed with logging · every interaction recorded for review.

Step 03
Conditional

Allowed with constraints · paste blocked, upload throttled, justification required.

Step 04
Blocked

Hard block at the endpoint and the extension. The user sees the block before the action completes.

Why CenseRisk is different

Built for the operators, not the dashboard.

Four things that don't show up on the feature checklist but separate CenseRisk from the generic SSPM.

01 ·

Built for KVKK first

Not a GDPR product with a KVKK appendix. KVKK has its own scoring layer, VERBİS gets a 1:1 export, RoPA derives from the live inventory.

02 ·

Enforcement at the endpoint

Most SSPMs raise alerts. CenseRisk blocks · at the agent and at the extension, on the user's screen, in real time. Not a ticket to IT.

03 ·

Three-signal access decisions

Device trust + directory identity + browser session mode · combined at every access event. The same SaaS carries different risk on a corporate vs personal account.

04 ·

Audit-ready by design

Every score traces to a rule, every rule to a signal. Defendable in front of a regulator · not just on a board slide.

Built for the AI era

AI governance, not just AI detection.

Detection is week one. Governance is what you ship when the auditor asks how personal data is handled inside ChatGPT, Copilot or Cursor · and whether you've classified them under the EU AI Act risk tiers.

Four-state guardrail ladder

Sanctioned · Monitored · Conditional · Blocked. Move tools along the ladder as your policy matures. One-click escalation.

AI Act risk tier

Tools classified by EU AI Act risk category · unacceptable, high, limited, minimal. Surfaces in compliance reports.

Embedded AI detection

IDE extensions, CLI tools, locally-running models · caught by the endpoint collector, not just by network sniffing.

Paste & upload control

Block paste into a specific AI tool. Require justification. Allow only via corporate SSO. Enforced at the agent and the extension.

See CenseRisk against your own SaaS surface in 30 minutes.

Bring 20 devices and a domain controller. We'll show you what's actually in use · and what to do about it.