
Shadow AI Governance
Govern what you didn't approve

Shadow AI is everywhere. Employees use unsanctioned AI tools. Vendors embed AI in software you already approved. Autonomous agents take actions no one signed off on. Modulos turns each of these signals into a governed AI inventory, mapped to the EU AI Act, ISO 42001, NIST AI RMF, NIS2, and DORA.

49% of workers at large enterprises admit to using AI tools without employer approval. (BlackFog Shadow AI Research, 2026)

47% of enterprises had an AI agent security incident in the past twelve months. (Cloud Security Alliance, 2026)

70% of AI interactions in 2026 happen via features embedded in already-approved SaaS tools. (JumpCloud, 2026)
Definition

What is shadow AI?

Shadow AI is any AI system, tool, or capability used inside an organisation without being formally registered, assessed, or governed by the people responsible for compliance and risk.

It spans employees pasting confidential data into consumer chatbots, autonomous agents running production workloads no one signed off on, and AI quietly embedded in software that was originally approved as something else. Under the EU AI Act, ISO/IEC 42001, and NIST AI RMF, an incomplete AI inventory makes compliance impossible: you cannot demonstrate what you cannot see.

The Six Levels of Shadow AI

The six surfaces of shadow AI

Each one has different actors, different detection vendors, and a different governance answer. Any single vendor claiming to cover all of it is selling positioning, not capability.

LV01 · LOW · 1/5

Naive

“I didn't know there was a policy.”

25–30% of shadow AI usage

Employees use ChatGPT, Claude, and Gemini because no one told them not to. Data leakage risk stays substantial even when intent is harmless, as Samsung learned in 2023.

Detection: SaaS discovery
Modulos: DIR · direct
LV02 · MED · 2/5

Convenience

“The approved path is too slow.”

30–35% of shadow AI usage

Enterprise Copilot exists, but staff default to consumer ChatGPT because it is faster. Sensitive data leaves the corporate perimeter under entirely different governance rules.

Detection: DLP / data flow
Modulos: ORC · orchestrates
LV03 · MED · 3/5

Defiant

“The policy is wrong.”

5–10%, leadership-heavy

Senior staff who know the policy and bypass it anyway. Leadership is often the heaviest user. Training stops working at this level. Only infrastructure enforcement plus regulatory urgency changes the behaviour.

Detection: SSE / CASB
Modulos: ORC · orchestrates
LV04 · HIGH · 4/5

Embedded

“The tool was approved. The AI inside it wasn't.”

~70% of AI interactions

Notion, Excel, Zoom, and Grammarly were all approved before they added AI features (Notion AI, Copilot in Excel, Zoom summaries). The AI itself was never separately assessed.

Detection: Embedded-AI SPM
Modulos: ORC · orchestrates
LV05 · CRIT · 5/5

Agentic

“The agent was approved. Its actions weren't.”

47% had incidents

Autonomous agents act on systems, data, and decisions at machine speed. CVE-2025-53773 showed how prompt injection through code comments could enable full system compromise.

Detection: Agent runtime trust
Modulos: PRT · with partners
LV06 · HIGH · 4/5

Supply Chain

“Our vendor is using AI on our data.”

Every modern vendor

Your legal vendor summarises contracts with AI. Your CRM added AI insights. EU AI Act value-chain provisions, DORA, NIS2, and customer commitments turn these into governable risk regardless of who deployed them.

Detection: TPRM
Modulos: DIR · direct
The Modulos Workflow

How Modulos Handles Shadow AI End-to-End

Four connected steps, not four products. Each feeds the next.

  1. STEP 01 · Educate: AI Literacy Training

    Native EU AI Act Article 4 literacy training, with role-based curricula for general staff, technical practitioners, and Modulos power users.

  2. STEP 02 · Collect: AI Intake Form

    A single intake form for new and existing AI use cases. Ownership stays with the requesting team. Compliance reviews. Full audit trail. The slow approval bottleneck that historically drove convenience-level shadow AI disappears.

  3. STEP 03 · Assess: Scout Analysis

    Scout risk-classifies each submission as low, medium, or high against your existing control framework. It maps each one to the EU AI Act risk tier and Annex III category. Review time drops from weeks to hours.

  4. STEP 04 · Catch the rest: Detection Integrations

    Modulos plugs into the security stack you already run, so signals from SSE, identity, SaaS, and agent platforms flow into the same intake workflow. Whatever employees fail to declare still ends up governed.

The Orchestrator Layer

Detection is fragmented. Governance is one layer.

Modulos sits above the detection layer. Whatever your SSE vendor, identity provider, or agent security platform discovers is ingested into Modulos, where it is risk-assessed, mapped to your control framework, and turned into the evidence regulators will ask for.

A single control maps across the EU AI Act, ISO 42001, NIST AI RMF, NIS2, and DORA simultaneously. No duplicate work. No separate audit trails. And Modulos does not have to pretend to be a network security company to deliver it.

MOD · Governance · continuous

One control framework, all six levels

LV01 · LV02 · LV03 · LV04 · LV05 · LV06

Third-party detection · fragmented by design
  • NET · Network: SSE · CASB (LV02, LV03)
  • IDP · Identity: IdP · SSO · shadow-app discovery (LV01, LV02)
  • SAAS · SaaS surface: Embedded-AI SPM · Scout (LV01, LV04)
  • DLP · Data flow: DLP · perimeter inspection (LV02)
  • RUN · Runtime: Agent trust scoring (LV05)
  • TPRM · Vendor risk: TPRM · AI-specific assessment (LV06)
Frequently Asked Questions

Shadow AI, answered

The questions compliance officers, CISOs, and AI leads ask most when shadow AI moves from an edge case to a board-level topic.

Q01 · What is shadow AI?

Shadow AI is any AI system, tool, or capability used inside an organisation without being formally registered, assessed, or governed by the people responsible for compliance and risk. It spans employees pasting confidential data into consumer chatbots, autonomous agents running production workloads no one signed off on, and AI quietly embedded in software that was originally approved as something else.

Q02 · How is shadow AI different from shadow IT?

Shadow IT historically meant unapproved SaaS, cloud services, or hardware that bypassed procurement. Shadow AI is structurally different: AI systems make autonomous decisions, learn from inputs that often include sensitive data, and increasingly run inside tools that were approved as non-AI software. Traditional shadow IT controls miss most of the real AI risk surface.

Q03 · Does shadow AI violate the EU AI Act?

Shadow AI does not violate the EU AI Act by itself. It can make compliance impossible. The Act requires you to identify, classify, document, and govern every AI system in scope. Article 4 literacy and Article 50 transparency obligations require you to train your workforce on the AI you actually use, not the AI you think you use. Without a complete inventory, demonstrating compliance to an auditor is not possible.

Q04 · How does shadow AI affect ISO 42001 compliance?

ISO/IEC 42001 is the international management system standard for AI. Its core requirement is a documented AI Management System covering every AI system in scope. Any shadow AI sitting outside that inventory falls outside the management system, and any audit will flag the gap between what is registered and what is actually in use as a certification finding.

Q05 · Does Modulos detect shadow AI directly?

Modulos discovers AI systems in code repositories and cloud environments via Scout, which connects to GitHub, Azure, and Atlassian. It governs whatever AI is surfaced through that discovery plus the intake form employees complete for declared use cases. For network-level, identity-level, and embedded-SaaS detection, Modulos sits above the specialist platforms that already operate in those layers and turns the signals they produce into governed evidence mapped to your regulatory frameworks.

Q06 · What is agentic shadow AI?

Agentic shadow AI is autonomous AI agents taking actions on systems, data, or decisions without being formally governed. It spans approved agents acting outside their intended scope and fully unapproved agents running on production infrastructure. As of 2026, nearly half of large enterprises have experienced an agent security incident in the past twelve months, because agents act faster than traditional review cycles can keep up with.

Sources
  1. BlackFog Shadow AI Research, 2026: 49% of workers at large enterprises admit to using AI tools without employer approval.
  2. Cloud Security Alliance, 2026: 47% of enterprises had an AI agent security incident in the past twelve months.
  3. JumpCloud, 2026: 70% of AI interactions in 2026 happen via features embedded in already-approved SaaS tools.

See Shadow AI Governance in Action

Book a demo to see how Modulos turns shadow AI signals into a governed inventory, mapped to the EU AI Act, ISO 42001, and NIST AI RMF.