Skip to main content
Back to Shop
Shadow AI Discovery & Risk Report preview
CYBERSECURITY

Shadow AI Discovery & Risk Report

Discover unsanctioned AI tools in your organisation. EU AI Act classification and governance policy included.

shadow-AIEU-AI-ActGDPRNIS2AI-governanceCE-2026MFA-mandatoryCyber-Essentials-2026NCSC-2026

🛡️ CYBER ESSENTIALS 2026 UPDATE — EFFECTIVE 28 APRIL 2026

The Cyber Essentials scheme is updated from 28 April 2026 with stricter criteria: mandatory multi-factor authentication (MFA) for all cloud services and admin accounts, tighter password policies, expanded scope for home workers and BYOD devices, and new vulnerability management timelines. All UK government suppliers must meet the updated standard. This product is aligned with the CE 2026 requirements.

🤖 YOUR EMPLOYEES ARE USING 5-15 AI TOOLS YOU DON'T KNOW ABOUT

Microsoft Work Trend Index 2025: 78% of employees use AI tools at work. Over half bring their own — uploading company data, customer information, and source code to tools the organisation has never assessed. EU AI Act requires AI system inventories from December 2027 (high-risk obligations, pending formal adoption under the EU Digital Omnibus). ICO GDPR enforcement for uncontrolled AI data processing is active now. Shadow AI is not a future risk — it is happening today.

Shadow AI Discovery — Find Every AI Tool Your Team Uses

Shadow AI is shadow IT on steroids. Employees paste customer data into ChatGPT, upload financial reports to Claude, use Midjourney with proprietary assets, and connect AI tools to company email via OAuth — often with good intentions but no governance. This assessment finds them all.

  • AI Tool Discovery: Identify all AI tools in use across your organisation — browser extensions, mobile apps, desktop tools, API integrations, OAuth connections
  • Data Flow Mapping: What company data is being sent to which AI services — PII, financial data, IP, customer information, source code
  • Risk Classification: Each discovered AI tool classified by data sensitivity, regulatory exposure, and organisational risk
  • EU AI Act Impact: Which discovered tools are high-risk under Annex III — recruitment, credit scoring, medical, and other regulated contexts
  • GDPR Data Transfer Assessment: Where is AI-processed data stored? International transfer implications for each tool
  • Employee AI Usage Survey: Structured questionnaire to identify AI tools that technical discovery cannot find — personal accounts, mobile-only tools
  • AI Acceptable Use Policy: Based on discovery findings — what is permitted, what is prohibited, what requires approval
  • Governance Recommendations: Approve, restrict, or block — decision framework for each discovered tool with implementation guidance

💷 THE MATHS

£249 one-time. EU AI Act high-risk non-compliance: €15M or 3% of turnover. GDPR breach via uncontrolled AI data transfer: up to £17.5M. One employee pasting customer PII into an unvetted AI tool = potential regulatory breach. Discovery is the first step — you cannot govern what you cannot see.

📅 How this subscription works — month-1 to month-12

  • Day 1 onboarding: instant portal access, automated onboarding checklist and baseline assessment intake — getting started guide delivered automatically.
  • First week setup: integrations wired, first report generated, MLRO / DPO / IT lead invited to the portal.
  • Ongoing monthly delivery: updated compliance report, new-regulation tracker delta, audit-trail snapshot, continuous regulatory updates aligned to your sector.
  • Cancellation: cancel any time from the portal — no contract lock-in; 30-day data export window after cancellation.

⚠️ Legal disclaimer (COMPLIANCE): This product is provided for information and compliance documentation only; it is not regulatory advice. Read the full disclaimer below or in our Terms of Service before purchase.

NIS2 + EU AI Act Article 23 Incident Reporting (Shadow AI Lens)

Unsanctioned ("shadow") AI tool use creates a class of incident that can trigger reporting obligations under both NIS2 Article 23 and the EU AI Act post-market monitoring regime. The discovery pack covers the reporting dimension:

  • Shadow AI data exfiltration incident classification — when staff feeding confidential data into unsanctioned AI tools becomes a reportable NIS2 cyber incident or AI Act serious incident
  • 24-hour early warning trigger — guidance on when shadow AI incidents (sensitive data fed to consumer AI, prompt injection of business-critical agent) trigger the 24-hour early warning
  • 72-hour formal notification template — pre-filled template for shadow AI-originated incidents, including AI tool identification, data category, and remediation
  • EU AI Act Article 73 serious incident reporting overlap — for high-risk AI systems, additional reporting obligations under AI Act Article 73 (15-day window for serious incidents); guide covers single-intake workflow
  • One-month follow-up reporting — Article 23(4) one-month follow-up report template adapted to shadow AI incident class

Cyber Essentials 2026 Coverage (Shadow AI Lens)

Unsanctioned AI tools create CE 2026 control gaps because the organisation cannot apply the five controls to systems it does not know about. The discovery pack maps shadow AI risk to CE 2026:

  • Firewalls — Detection of shadow AI traffic crossing the network boundary (DNS analysis, perimeter logs)
  • Secure configuration — Shadow AI tools cannot meet secure configuration baselines because they're not in your CIS-benchmark scope; hardening report identifies uncovered tools
  • User access control + MFA mandate — Shadow AI accounts often bypass corporate MFA (CE 2026 mandate 28 April 2026); discovery report flags AI accounts without MFA-via-SSO enrollment; least-privilege review
  • Malware protection — Shadow AI browser extensions and desktop tools fall outside endpoint protection / EDR scope; discovery report flags uncovered surfaces
  • Security update management — Shadow AI tools miss organisational patch management cycles; vulnerability management gap report

£49.00/mo

MONTHLY SUBSCRIPTION · No VAT (not registered)

💎 Save with bundle

Get this in AI Compliance Starter Bundle

Save £48/mo (49%) vs standalone →

Delivery: Instant on payment
Refund: 14-day satisfaction guarantee
Instant download after payment
UK GDPR compliant
Secure checkout via Stripe
Not VAT registered — no VAT charged

Trust & Delivery

ICO registered ZC112810

UK Information Commissioner's Office data controller registration.

Companies House 16419201

SummitBridge Horizon Ltd — registered 30 April 2025, London.

14-day satisfaction guarantee

See refund policy for full terms.

Sample materials available

Request a sample

Compare with the market

5 direct and adjacent competitors tracked.

VendorTheir priceThreatvs SBHTheir advantagesOur advantages
Lasso Security

IL

HIGHpricier
Harmonic Security

US

HIGHpricier
Securiti.ai

US

MEDIUM
Holistic AI

GB

MEDIUM
Credo AI

US

MEDIUM

Compliance Snapshot

Regulatory posture for this product — for procurement and security teams.

General-purpose (limited- or minimal-risk)

Conformity scaffold in place — formal record not yet published