Internal · shadow AI levels redesign

Six reworked + three new directions

The first six (V1, V2, V3, V5, V6, V7) replace the earlier Claude-y versions and now follow the de-claude-ified grammar from the open graphics-improvements PR: edge-to-edge rows separated by thin slate-200 rules, mono category codes in the gutter, no pastel pills, no rounded floaty cards. V8, V9, V10 are net-new.

Reworked
V1

V1 · Editorial radar

Single axis, real tick marks, no rounded gradient bars. Plotted nodes carry their level code; bodies live in an editorial flat list below.

Axis · Blast radius: low to critical. Plotted nodes: LV01 Naive, LV02 Convenience, LV03 Defiant, LV04 Embedded, LV05 Agentic, LV06 Supply Chain.
  • LV01 · LOW · 1/5
    Naive

    Employees use ChatGPT, Claude, and Gemini because no one told them not to. Roughly 25 to 30 percent of all shadow AI usage. Data leakage risk stays substantial even when intent is harmless.

    Modulos direct · Detection: SaaS discovery
  • LV02 · MED · 2/5
    Convenience

    Enterprise Copilot exists, but staff default to consumer ChatGPT because it is faster. 30 to 35 percent of usage. Sensitive data leaves the corporate perimeter under different governance.

    Modulos orchestrates · Detection: DLP / data flow
  • LV03 · MED · 3/5
    Defiant

    Senior staff who know the policy and bypass it anyway. Leadership often the heaviest user. Training stops working. Only infrastructure enforcement plus regulatory urgency changes behaviour.

    Modulos orchestrates · Detection: SSE / CASB
  • LV04 · HIGH · 4/5
    Embedded

    Notion AI, Copilot in Excel, Zoom summaries, Grammarly were all approved before they added AI. The AI itself was never assessed. By 2026 ~70% of enterprise AI happens inside previously-approved SaaS.

    Modulos orchestrates · Detection: Embedded-AI SPM
  • LV05 · CRIT · 5/5
    Agentic

    Autonomous agents act on systems, data, and decisions at machine speed. 47 percent of enterprises report an agent security incident in the past year. CVE-2025-53773 showed how prompt injection could enable full system compromise.

    Modulos with partners · Detection: Agent runtime trust
  • LV06 · HIGH · 4/5
    Supply Chain

    Your legal vendor summarises contracts with AI. Your CRM added AI insights. EU AI Act value-chain provisions, DORA, NIS2, and customer commitments turn these into governable risk regardless.

    Modulos direct · Detection: TPRM
Reworked
V2

V2 · Severity ladder

Vertical thin meter on the left rule fills with severity. Right column reads like a journal byline: detection, Modulos code, prose.

  • LV01 · LOW · 1/5

    Naive

    “I didn't know there was a policy.”

    Employees use ChatGPT, Claude, and Gemini because no one told them not to. Roughly 25 to 30 percent of all shadow AI usage. Data leakage risk stays substantial even when intent is harmless.

    Detection · SaaS discovery
    Modulos · DIR

    EU AI Act Article 4 literacy training, policy management, intake form for declared use cases, and Scout discovery across GitHub, cloud, and Atlassian.

  • LV02 · MED · 2/5

    Convenience

    “The approved path is too slow.”

    Enterprise Copilot exists, but staff default to consumer ChatGPT because it is faster. 30 to 35 percent of usage. Sensitive data leaves the corporate perimeter under different governance.

    Detection · DLP / data flow
    Modulos · ORC

    Quantifies the monetary risk of unapproved usage. Intake plus Scout analysis makes the approved path fast enough to compete with shadow usage.

  • LV03 · MED · 3/5

    Defiant

    “The policy is wrong.”

    Senior staff who know the policy and bypass it anyway. Leadership often the heaviest user. Training stops working. Only infrastructure enforcement plus regulatory urgency changes behaviour.

    Detection · SSE / CASB
    Modulos · ORC

    Regulatory framing compliance officers need to escalate (EU AI Act fines, board liability) and an audit trail of override-with-justification events.

  • LV04 · HIGH · 4/5

    Embedded

    “The tool was approved. The AI inside it wasn't.”

    Notion AI, Copilot in Excel, Zoom summaries, Grammarly were all approved before they added AI. The AI itself was never assessed. By 2026 ~70% of enterprise AI happens inside previously-approved SaaS.

    Detection · Embedded-AI SPM
    Modulos · ORC

    Embedded-AI signals feed into intake. Scout risk-classifies each newly-surfaced capability and re-maps controls without waiting for procurement.

  • LV05 · CRIT · 5/5

    Agentic

    “The agent was approved. Its actions weren't.”

    Autonomous agents act on systems, data, and decisions at machine speed. 47 percent of enterprises report an agent security incident in the past year. CVE-2025-53773 showed how prompt injection could enable full system compromise.

    Detection · Agent runtime trust
    Modulos · PRT

    Agent trust scores ingest as risk evidence. Modulos classifies agents under EU AI Act high-risk categories and continuously monitors them.

  • LV06 · HIGH · 4/5

    Supply Chain

    “Our vendor is using AI on our data.”

    Your legal vendor summarises contracts with AI. Your CRM added AI insights. EU AI Act value-chain provisions, DORA, NIS2, and customer commitments turn these into governable risk regardless.

    Detection · TPRM
    Modulos · DIR

    Third-party AI risk handled inside the same control framework. A single control satisfies obligations across the EU AI Act, ISO 42001, NIST AI RMF, NIS2, and DORA in parallel.

Reworked
V3

V3 · Reality / Modulos columns

No dark/light card split. Three editorial columns per row separated by thin rules: level meta, the reality, the Modulos response.

  • LV01 · LOW · 1/5

    Naive

    “I didn't know there was a policy.”

    The reality

    Employees use ChatGPT, Claude, and Gemini because no one told them not to. Roughly 25 to 30 percent of all shadow AI usage. Data leakage risk stays substantial even when intent is harmless.

    Detection layer · Shadow-app surfacing
    Modulos · DIR

    EU AI Act Article 4 literacy training, policy management, intake form for declared use cases, and Scout discovery across GitHub, cloud, and Atlassian.

    Regulatory · EU AI Act Art. 4
  • LV02 · MED · 2/5

    Convenience

    “The approved path is too slow.”

    The reality

    Enterprise Copilot exists, but staff default to consumer ChatGPT because it is faster. 30 to 35 percent of usage. Sensitive data leaves the corporate perimeter under different governance.

    Detection layer · DLP / data flow
    Modulos · ORC

    Quantifies the monetary risk of unapproved usage. Intake plus Scout analysis makes the approved path fast enough to compete with shadow usage.

    Regulatory · EU AI Act Art. 4 · GDPR
  • LV03 · MED · 3/5

    Defiant

    “The policy is wrong.”

    The reality

    Senior staff who know the policy and bypass it anyway. Leadership often the heaviest user. Training stops working. Only infrastructure enforcement plus regulatory urgency changes behaviour.

    Detection layer · SSE / CASB
    Modulos · ORC

    Regulatory framing compliance officers need to escalate (EU AI Act fines, board liability) and an audit trail of override-with-justification events.

    Regulatory · EU AI Act fines · Board liability
  • LV04 · HIGH · 4/5

    Embedded

    “The tool was approved. The AI inside it wasn't.”

    The reality

    Notion AI, Copilot in Excel, Zoom summaries, Grammarly were all approved before they added AI. The AI itself was never assessed. By 2026 ~70% of enterprise AI happens inside previously-approved SaaS.

    Detection layer · Embedded-AI SPM
    Modulos · ORC

    Embedded-AI signals feed into intake. Scout risk-classifies each newly-surfaced capability and re-maps controls without waiting for procurement.

    Regulatory · EU AI Act Art. 50 · Annex III
  • LV05 · CRIT · 5/5

    Agentic

    “The agent was approved. Its actions weren't.”

    The reality

    Autonomous agents act on systems, data, and decisions at machine speed. 47 percent of enterprises report an agent security incident in the past year. CVE-2025-53773 showed how prompt injection could enable full system compromise.

    Detection layer · Agent runtime trust
    Modulos · PRT

    Agent trust scores ingest as risk evidence. Modulos classifies agents under EU AI Act high-risk categories and continuously monitors them.

    Regulatory · EU AI Act high-risk · NIS2
  • LV06 · HIGH · 4/5

    Supply Chain

    “Our vendor is using AI on our data.”

    The reality

    Your legal vendor summarises contracts with AI. Your CRM added AI insights. EU AI Act value-chain provisions, DORA, NIS2, and customer commitments turn these into governable risk regardless.

    Detection layer · TPRM
    Modulos · DIR

    Third-party AI risk handled inside the same control framework. A single control satisfies obligations across the EU AI Act, ISO 42001, NIST AI RMF, NIS2, and DORA in parallel.

    Regulatory · EU AI Act value chain · DORA · NIS2
Reworked
V5

V5 · Dense data sheets

V3-C dense card grammar without the pastel pills. Each cell shows the hero metric, the level's short quote, body, and a small definition list of detection + Modulos role.

LV01 · LOW · 1/5

Naive

“I didn't know there was a policy.”

25–30%
of shadow AI usage

Employees use ChatGPT, Claude, and Gemini because no one told them not to. Roughly 25 to 30 percent of all shadow AI usage. Data leakage risk stays substantial even when intent is harmless.

Detection
SaaS discovery
Modulos
DIR · direct
LV02 · MED · 2/5

Convenience

“The approved path is too slow.”

30–35%
of shadow AI usage

Enterprise Copilot exists, but staff default to consumer ChatGPT because it is faster. 30 to 35 percent of usage. Sensitive data leaves the corporate perimeter under different governance.

Detection
DLP / data flow
Modulos
ORC · orchestrates
LV03 · MED · 3/5

Defiant

“The policy is wrong.”

5–10%
leadership-heavy

Senior staff who know the policy and bypass it anyway. Leadership often the heaviest user. Training stops working. Only infrastructure enforcement plus regulatory urgency changes behaviour.

Detection
SSE / CASB
Modulos
ORC · orchestrates
LV04 · HIGH · 4/5

Embedded

“The tool was approved. The AI inside it wasn't.”

~70%
of AI interactions

Notion AI, Copilot in Excel, Zoom summaries, Grammarly were all approved before they added AI. The AI itself was never assessed. By 2026 ~70% of enterprise AI happens inside previously-approved SaaS.

Detection
Embedded-AI SPM
Modulos
ORC · orchestrates
LV05 · CRIT · 5/5

Agentic

“The agent was approved. Its actions weren't.”

47%
had incidents

Autonomous agents act on systems, data, and decisions at machine speed. 47 percent of enterprises report an agent security incident in the past year. CVE-2025-53773 showed how prompt injection could enable full system compromise.

Detection
Agent runtime trust
Modulos
PRT · with partners
LV06 · HIGH · 4/5

Supply Chain

“Our vendor is using AI on our data.”

Every
modern vendor

Your legal vendor summarises contracts with AI. Your CRM added AI insights. EU AI Act value-chain provisions, DORA, NIS2, and customer commitments turn these into governable risk regardless.

Detection
TPRM
Modulos
DIR · direct
Reworked
V6

V6 · Compliance worksheet

Edge-to-edge worksheet, thin slate-200 rules between rows, tabular-nums everywhere. Designed to be scanned by a compliance officer, not a marketing buyer.

LV01 · LOW · 1/5
Naive

Employees use ChatGPT, Claude, and Gemini because no one told them not to. Roughly 25 to 30 percent of all shadow AI usage. Data leakage risk stays substantial even when intent is harmless.

Shadow-app surfacing
1/5
DIR
EU AI Act Art. 4
LV02 · MED · 2/5
Convenience

Enterprise Copilot exists, but staff default to consumer ChatGPT because it is faster. 30 to 35 percent of usage. Sensitive data leaves the corporate perimeter under different governance.

DLP / data flow
2/5
ORC
EU AI Act Art. 4 · GDPR
LV03 · MED · 3/5
Defiant

Senior staff who know the policy and bypass it anyway. Leadership often the heaviest user. Training stops working. Only infrastructure enforcement plus regulatory urgency changes behaviour.

SSE / CASB
3/5
ORC
EU AI Act fines · Board liability
LV04 · HIGH · 4/5
Embedded

Notion AI, Copilot in Excel, Zoom summaries, Grammarly were all approved before they added AI. The AI itself was never assessed. By 2026 ~70% of enterprise AI happens inside previously-approved SaaS.

Embedded-AI SPM
4/5
ORC
EU AI Act Art. 50 · Annex III
LV05 · CRIT · 5/5
Agentic

Autonomous agents act on systems, data, and decisions at machine speed. 47 percent of enterprises report an agent security incident in the past year. CVE-2025-53773 showed how prompt injection could enable full system compromise.

Agent runtime trust
5/5
PRT
EU AI Act high-risk · NIS2
LV06 · HIGH · 4/5
Supply Chain

Your legal vendor summarises contracts with AI. Your CRM added AI insights. EU AI Act value-chain provisions, DORA, NIS2, and customer commitments turn these into governable risk regardless.

TPRM
4/5
DIR
EU AI Act value chain · DORA · NIS2
Reworked
V7

V7 · Architectural split rows

Three columns: level meta, detection (third-party), Modulos governance. Thin ticks under each side show coverage strength; visually proves the thesis without pastel pill noise.

LV01 · LOW · 1/5

Naive

“I didn't know there was a policy.”

Shadow-app surfacing

Identity-aware SaaS discovery and shadow-app surfacing.

DIR · Modulos direct · 88%

EU AI Act Article 4 literacy training, policy management, intake form for declared use cases, and Scout discovery across GitHub, cloud, and Atlassian.

LV02 · MED · 2/5

Convenience

“The approved path is too slow.”

DLP / data flow

DLP and data-flow inspection at the perimeter.

ORC · Modulos orchestrates · 62%

Quantifies the monetary risk of unapproved usage. Intake plus Scout analysis makes the approved path fast enough to compete with shadow usage.

LV03 · MED · 3/5

Defiant

“The policy is wrong.”

SSE / CASB

SSE and CASB with AI tool categorisation and network-level enforcement.

ORC · Modulos orchestrates · 62%

Regulatory framing compliance officers need to escalate (EU AI Act fines, board liability) and an audit trail of override-with-justification events.

LV04 · HIGH · 4/5

Embedded

“The tool was approved. The AI inside it wasn't.”

Embedded-AI SPM

Embedded-AI security posture management.

ORC · Modulos orchestrates · 62%

Embedded-AI signals feed into intake. Scout risk-classifies each newly-surfaced capability and re-maps controls without waiting for procurement.

LV05 · CRIT · 5/5

Agentic

“The agent was approved. Its actions weren't.”

Agent runtime trust

Agent trust scoring and runtime policy enforcement.

PRT · Modulos with partners · 38%

Agent trust scores ingest as risk evidence. Modulos classifies agents under EU AI Act high-risk categories and continuously monitors them.

LV06 · HIGH · 4/5

Supply Chain

“Our vendor is using AI on our data.”

TPRM

Third-party risk management with AI-specific assessment.

DIR · Modulos direct · 88%

Third-party AI risk handled inside the same control framework. A single control satisfies obligations across the EU AI Act, ISO 42001, NIST AI RMF, NIS2, and DORA in parallel.

New
V8

V8 · Editorial flat list

FAQ-style flat list. Big titles, byline-style detail rail on the right (detection layer, Modulos role, regulatory hit, severity). Reads like a published taxonomy.

  • LV01

    Naive

    “I didn't know there was a policy.”

    Employees use ChatGPT, Claude, and Gemini because no one told them not to. Roughly 25 to 30 percent of all shadow AI usage. Data leakage risk stays substantial even when intent is harmless.

    Modulos response. EU AI Act Article 4 literacy training, policy management, intake form for declared use cases, and Scout discovery across GitHub, cloud, and Atlassian.

    Detection layer
    Shadow-app surfacing
    Modulos role
    DIR · Modulos direct
    Regulatory
    EU AI Act Art. 4
    Severity
    LOW · 1/5
  • LV02

    Convenience

    “The approved path is too slow.”

    Enterprise Copilot exists, but staff default to consumer ChatGPT because it is faster. 30 to 35 percent of usage. Sensitive data leaves the corporate perimeter under different governance.

    Modulos response. Quantifies the monetary risk of unapproved usage. Intake plus Scout analysis makes the approved path fast enough to compete with shadow usage.

    Detection layer
    DLP / data flow
    Modulos role
    ORC · Modulos orchestrates
    Regulatory
    EU AI Act Art. 4 · GDPR
    Severity
    MED · 2/5
  • LV03

    Defiant

    “The policy is wrong.”

    Senior staff who know the policy and bypass it anyway. Leadership often the heaviest user. Training stops working. Only infrastructure enforcement plus regulatory urgency changes behaviour.

    Modulos response. Regulatory framing compliance officers need to escalate (EU AI Act fines, board liability) and an audit trail of override-with-justification events.

    Detection layer
    SSE / CASB
    Modulos role
    ORC · Modulos orchestrates
    Regulatory
    EU AI Act fines · Board liability
    Severity
    MED · 3/5
  • LV04

    Embedded

    “The tool was approved. The AI inside it wasn't.”

    Notion AI, Copilot in Excel, Zoom summaries, Grammarly were all approved before they added AI. The AI itself was never assessed. By 2026 ~70% of enterprise AI happens inside previously-approved SaaS.

    Modulos response. Embedded-AI signals feed into intake. Scout risk-classifies each newly-surfaced capability and re-maps controls without waiting for procurement.

    Detection layer
    Embedded-AI SPM
    Modulos role
    ORC · Modulos orchestrates
    Regulatory
    EU AI Act Art. 50 · Annex III
    Severity
    HIGH · 4/5
  • LV05

    Agentic

    “The agent was approved. Its actions weren't.”

    Autonomous agents act on systems, data, and decisions at machine speed. 47 percent of enterprises report an agent security incident in the past year. CVE-2025-53773 showed how prompt injection could enable full system compromise.

    Modulos response. Agent trust scores ingest as risk evidence. Modulos classifies agents under EU AI Act high-risk categories and continuously monitors them.

    Detection layer
    Agent runtime trust
    Modulos role
    PRT · Modulos with partners
    Regulatory
    EU AI Act high-risk · NIS2
    Severity
    CRIT · 5/5
  • LV06

    Supply Chain

    “Our vendor is using AI on our data.”

    Your legal vendor summarises contracts with AI. Your CRM added AI insights. EU AI Act value-chain provisions, DORA, NIS2, and customer commitments turn these into governable risk regardless.

    Modulos response. Third-party AI risk handled inside the same control framework. A single control satisfies obligations across the EU AI Act, ISO 42001, NIST AI RMF, NIS2, and DORA in parallel.

    Detection layer
    TPRM
    Modulos role
    DIR · Modulos direct
    Regulatory
    EU AI Act value chain · DORA · NIS2
    Severity
    HIGH · 4/5
New
V9

V9 · Coverage scatter

A real scatter plot. X = blast radius, Y = visibility to existing controls. Risk color encoded. Modulos governance shown as a continuous band across the top. Data is the visual.

Axes · Y = Visibility to existing controls, X = Blast radius. Plotted: LV01 Naive, LV02 Convenience, LV03 Defiant, LV04 Embedded, LV05 Agentic, LV06 Supply Chain. Risk legend: LOW · MED · HIGH · CRIT. Band across the top: Modulos governance · continuous coverage.

Read this chart.

Up and to the right is worst case. Blast radius is the harm a single incident can do. Visibility is what your existing controls can see today.

Levels 04 and 05 sit deep in the low-visibility, high-blast quadrant. That is where shadow AI gets dangerous and where third-party detection is most fragmented.

Modulos governance is the continuous band across the top: every level lands inside a control framework, even when detection is split across five vendor categories.

New
V10

V10 · Vendor stack diagram

Systems-architecture aesthetic. Continuous Modulos governance band sits on top, third-party detection stack below it, level coverage badges per layer. Levels listed below as a reference rail.

Governance layer · continuous
Modulos · single control framework, all six levels
LV01 · LV02 · LV03 · LV04 · LV05 · LV06
  • NET · Network
    SSE / CASB · DLP
    LV02 Convenience · LV03 Defiant
  • IDP · Identity
    IdP · SSO · shadow-app discovery
    LV01 Naive · LV02 Convenience
  • SAAS · SaaS surface
    Embedded-AI SPM · Scout
    LV01 Naive · LV04 Embedded
  • RUN · Runtime
    Agent trust scoring
    LV05 Agentic
  • TPRM · Vendor risk
    TPRM · AI-specific assessment
    LV06 Supply Chain
The six levels
  • LV01 · LOW · 1/5
    Naive
    Employees use ChatGPT, Claude, and Gemini because no one told them not to. Roughly 25 to 30 percent of all shadow AI usage. Data leakage risk stays substantial even when intent is harmless.
    DIR · Modulos direct
  • LV02 · MED · 2/5
    Convenience
    Enterprise Copilot exists, but staff default to consumer ChatGPT because it is faster. 30 to 35 percent of usage. Sensitive data leaves the corporate perimeter under different governance.
    ORC · Modulos orchestrates
  • LV03 · MED · 3/5
    Defiant
    Senior staff who know the policy and bypass it anyway. Leadership often the heaviest user. Training stops working. Only infrastructure enforcement plus regulatory urgency changes behaviour.
    ORC · Modulos orchestrates
  • LV04 · HIGH · 4/5
    Embedded
    Notion AI, Copilot in Excel, Zoom summaries, Grammarly were all approved before they added AI. The AI itself was never assessed. By 2026 ~70% of enterprise AI happens inside previously-approved SaaS.
    ORC · Modulos orchestrates
  • LV05 · CRIT · 5/5
    Agentic
    Autonomous agents act on systems, data, and decisions at machine speed. 47 percent of enterprises report an agent security incident in the past year. CVE-2025-53773 showed how prompt injection could enable full system compromise.
    PRT · Modulos with partners
  • LV06 · HIGH · 4/5
    Supply Chain
    Your legal vendor summarises contracts with AI. Your CRM added AI insights. EU AI Act value-chain provisions, DORA, NIS2, and customer commitments turn these into governable risk regardless.
    DIR · Modulos direct