
How to Audit Your SaaS Stack for Shadow AI (Before It Audits You)

Daniel Voss · June 19, 2026 · 11 min read · 10 Verified Sources

Shadow AI added $670,000 to the average cost of a data breach in 2025 — and most security teams don’t know which AI tools are already inside the SaaS stack they already approved.

What Is Shadow AI?

Shadow AI is the use of AI tools, features, or models inside a company’s systems without IT or security approval. Nudge Security and IBM both define it this way: employees pasting data into public chatbots, AI features enabled inside approved SaaS apps, and browser extensions or agents accessing company data through inherited permissions — all outside formal oversight.

Shadow AI Audit in 30 Seconds
What you need to know before reading further
Shadow AI mostly hides inside SaaS tools you already approved, not in new apps IT would catch. A shadow AI breach costs $670,000 more than average and takes 247 days to detect. The Four-Layer Shadow AI Audit below finds and fixes this in a single day, with no new software required.
  • $670,000 — extra cost added to a breach when shadow AI is involved
  • 70% — share of AI interactions projected to run through approved SaaS apps by 2026
  • 20% — share of all breaches that involve shadow AI
  • 247 — average days to detect a shadow AI breach
At a Glance — Who Is This For?
A one-day, no-budget audit for teams without a dedicated security function.
  • If you’re a founder or ops lead at a small SaaS company without a security team, this gives you a process you can run yourself.
  • If you’ve added three or more new SaaS tools in the past year, this shows you exactly where to check for AI features you never approved.
  • If you have a SOC 2, HIPAA, or GDPR audit coming up, this maps your shadow AI findings directly to the compliance clauses that matter.

Why Does Shadow AI Hide Inside SaaS Tools You Already Approved?

Shadow AI hides inside SaaS tools you already approved because it arrives as a feature update, not a new purchase. By 2026, JumpCloud projects that 70% of employee interactions with AI will occur through features embedded in existing, sanctioned SaaS applications — not standalone tools IT would recognize and block.

This is what makes shadow AI structurally different from shadow IT. Shadow IT meant an employee signed up for a new, unapproved app. Shadow AI means an approved app — Notion, Canva, Slack, HubSpot — ships an AI feature in a routine update, and a single user enables it from a settings menu, with no procurement step, no security review, and no new line item for IT to notice.

Figure: New apps face an IT review checkpoint. Feature updates inside approved tools usually don’t.


This is why a shadow AI audit can’t be a one-time app-discovery scan. It has to check what’s running inside the tools you already trust.


The Four-Layer Shadow AI Audit

A shadow AI audit fails for one of two reasons. Either it never starts, because it sounds like a project that needs a security team and a budget, or it never finishes, because it tries to catalog every possible risk before taking any action. The Four-Layer Shadow AI Audit avoids both traps: it’s sequential, it’s scoped to one day, and each layer produces a decision, not just a list.

Framework: The Four-Layer Shadow AI Audit
A one-day, no-budget process for finding every AI tool in your stack and deciding what to do with it.
  • 01 Inventory (1–2 hrs) — Pull every AI-touching connection from the admin consoles you already have access to.
  • 02 Permissions (2–3 hrs) — Check what each tool can actually access, not just that it exists.
  • 03 Data Flow (1 hr) — Confirm what’s actually moving through each connection, including AI agents and MCP servers.
  • 04 Policy (1 hr) — Sort every tool into Approved, Restricted, Replaced, or Blocked.
Figure: The Four-Layer Shadow AI Audit — run in sequence, scoped to roughly one working day.

| Layer | Goal | Time |
| --- | --- | --- |
| 01 — Inventory | Find every AI-touching tool | 1–2 hrs |
| 02 — Permissions | Review what each tool can access | 2–3 hrs |
| 03 — Data Flow | Track what’s actually moving, including AI agents | 1 hr |
| 04 — Policy | Sort into Approved, Restricted, Replaced, Blocked | 1 hr |

Layer 1 — Inventory

You can’t audit what you haven’t found. Start by pulling every AI-touching connection from the admin consoles you already have access to — no new software required.

  • Google Workspace: Admin console → Security → API Controls → App Access Control. Lists every third-party app with OAuth access to company data.
  • Microsoft 365: Microsoft Entra admin center → Enterprise Applications → All Applications. Filter by “User consent” to surface apps employees connected themselves.
  • Slack: Workspace Settings → Apps → Manage Apps. Lists every integration with workspace access.

Layer 2 — Permissions

Inventory tells you what exists. Permissions tell you what it can actually touch — and this is where most of the real risk lives. For every tool on your Layer 1 list, check the OAuth scopes it was granted.

| Red Flag | Why It Matters |
| --- | --- |
| Broad scopes (full Gmail/Drive read-write) for a narrow task | Tool can access far more than its function requires |
| No identifiable business owner | No one can confirm why it’s connected or what it’s used for |
| Granted in the last 90 days with high-level access | Recent, unreviewed, and likely unapproved |
| Personal email domains linked to work accounts | Data may be flowing outside company-controlled infrastructure |
Figure: Where to look and what to flag — Layers 1 and 2 in one reference.

Layer 3 — Data Flow

Permissions show what a tool can access. Data flow shows what it actually does. This layer matters more in 2026 than it did even a year ago, because shadow AI no longer just means an employee pasting text into a chatbot.

Orca Security’s research found that shadow AI increasingly runs through IDE extensions, AI agents, and Model Context Protocol (MCP) servers that inherit the permissions of the service accounts they’re attached to — bypassing the web gateways and DLP tools that monitor traditional traffic.

Key Insight
An agent doesn’t need a new login to reach sensitive data. It inherits whatever the account it’s attached to can already touch.
Figure: Agents bypass gateways by inheriting permissions — they don’t need to get past anything.

For this layer, ask one question per tool: does this connection touch customer PII, financial data, source code, or contracts? See our breakdown of real AI agent use cases in SaaS for what legitimate agent activity looks like by comparison.

Layer 4 — Policy

This is where most audits stop short — they produce a list of risky tools and nothing else. The Policy layer turns that list into decisions. Sort every tool from Layers 1–3 into one of four outcomes:

  • Approved — acceptable with current controls in place; document and move on
  • Restricted — usable for low-risk tasks only, never with sensitive or regulated data
  • Replaced — the use case is valid, but the tool needs to be swapped for an approved alternative
  • Blocked — too much risk, no workable controls, removed immediately

This sorting step also closes your compliance gap directly, per Netwrix’s mapping of shadow AI to regulatory clauses. Check any tool processing regulated data against the specific clauses your industry answers to:

  • PCI DSS Requirement 10 — mandates logging of access to cardholder data environments
  • HIPAA audit controls (45 CFR §164.312(b)) — requires tracking PHI access
  • SOC 2 CC7.2 — requires monitoring system components for anomalies
  • GDPR Article 28 — requires a documented data processing agreement with any processor handling personal data
Figure: Layer 4, matching each regulated tool to the specific clause it needs to satisfy.

A tool that fails its compliance check moves straight to Blocked, no matter how useful it is. For the policy itself, our AI governance readiness breakdown covers what a complete policy document needs beyond this audit.

Key Insight

The Four-Layer Audit only works if Layer 4 actually produces decisions — a list of risky tools with no action attached is the most common reason shadow AI audits stall before they help anyone.
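Layers 2 through 4 carried through in code, as an added example rather than the article's worksheet or any vendor's tooling. It assumes Layer 1 has already been done by hand in the admin consoles and each connection transcribed into a record. The sample inventory, the set of scopes treated as broad, the personal-domain list and the order in which the four outcomes are decided are all constructed for illustration, so adjust them to your own tenants before relying on the output.

```python
"""Layers 2-4 of the Four-Layer Shadow AI Audit as a script (added example;
not the article's or any vendor's tooling). Assumes Layer 1 was done by hand
and each connection from the admin consoles was transcribed into a Grant.
Records, scope sets and the decision ordering are constructed; tune
BROAD_SCOPES and PERSONAL_DOMAINS to your own tenants."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Scopes treated as broad: full read-write over mail or files (Google and
# Microsoft Graph scope names). Extend for the consoles you run.
BROAD_SCOPES = {"https://mail.google.com/", "https://www.googleapis.com/auth/gmail.modify",
                "https://www.googleapis.com/auth/drive",
                "Mail.ReadWrite", "Files.ReadWrite.All", "Sites.ReadWrite.All"}
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
SENSITIVE = {"customer_pii", "financial", "source_code", "contracts"}  # the Layer 3 question
RECENT_DAYS = 90

@dataclass
class Grant:
    tool: str
    granted_to: str          # account the grant belongs to
    scopes: set              # scopes granted directly to the tool
    granted_on: date
    owner: Optional[str]     # business owner, None if nobody can confirm one
    narrow_task: bool        # does the tool's function need only a narrow scope?
    data_types: set          # Layer 3 finding: what actually moves through it
    regulated: bool          # handles regulated data (cardholder, PHI, personal data)
    compliance_ok: bool      # passes its clause check (DPA on file, access logging, ...)
    inherits_from: Optional[str] = None  # service account an agent or MCP server rides on

def effective_scopes(g: Grant, service_accounts: dict) -> set:
    """Layer 3: an agent or MCP server reaches whatever its service account can."""
    inherited = service_accounts.get(g.inherits_from, set()) if g.inherits_from else set()
    return set(g.scopes) | set(inherited)

def red_flags(g: Grant, scopes: set, today: date) -> set:
    """Layer 2: the four red flags from the permissions table."""
    flags = set()
    broad = bool(scopes & BROAD_SCOPES)
    if broad and g.narrow_task:
        flags.add("broad_scope")
    if g.owner is None:
        flags.add("no_owner")
    if broad and (today - g.granted_on).days <= RECENT_DAYS:
        flags.add("recent_high_access")
    if g.granted_to.rsplit("@", 1)[-1].lower() in PERSONAL_DOMAINS:
        flags.add("personal_domain")
    return flags

def decide(g: Grant, flags: set) -> str:
    """Layer 4: Approved, Restricted, Replaced or Blocked (one reading of the
    article's criteria, checked most severe first; not a standard)."""
    sensitive = bool(g.data_types & SENSITIVE)
    if g.regulated and not g.compliance_ok:                    # fails its clause check
        return "Blocked"
    if sensitive and flags & {"no_owner", "personal_domain"}:  # no workable control
        return "Blocked"
    if sensitive and flags:        # valid use case, over-broad tool: swap it
        return "Replaced"
    if flags:                      # low-risk data only
        return "Restricted"
    return "Approved"

def run_audit(grants, service_accounts, today):
    """Return {tool: (decision, sorted flags)} for the whole inventory."""
    results = {}
    for g in grants:
        flags = red_flags(g, effective_scopes(g, service_accounts), today)
        results[g.tool] = (decide(g, flags), sorted(flags))
    return results

# Constructed sample inventory; no real tenant, tool or account behind it.
SERVICE_ACCOUNTS = {"svc-crm@corp.example": {"Mail.ReadWrite", "Files.ReadWrite.All"}}
TODAY = date(2026, 6, 19)
RO = "https://www.googleapis.com/auth/drive.readonly"
SAMPLE = [
    Grant("DocSummarizer", "ana@corp.example", {RO}, date(2025, 3, 2),
          "ana@corp.example", True, {"meeting_notes"}, False, True),
    Grant("InboxWriter", "ben@gmail.com", {"https://mail.google.com/"}, date(2026, 5, 30),
          None, True, {"customer_pii"}, False, True),
    Grant("PipelineAgent", "svc-crm@corp.example", set(), date(2026, 4, 20),   # MCP server
          "ops@corp.example", True, {"customer_pii", "financial"}, True, True,
          inherits_from="svc-crm@corp.example"),
    Grant("SlideDrafter", "cai@corp.example", {"https://www.googleapis.com/auth/drive"},
          date(2024, 11, 5), None, True, {"marketing_copy"}, False, True),
    Grant("ContractTriage", "legal@corp.example", {RO}, date(2025, 1, 15),
          "legal@corp.example", True, {"contracts", "customer_pii"}, True, False),
]

if __name__ == "__main__":
    for tool, (decision, flags) in run_audit(SAMPLE, SERVICE_ACCOUNTS, TODAY).items():
        print(f"{tool:15} {decision:10} {', '.join(flags) or '-'}")
```

Running it prints one line per tool. The case worth noticing is PipelineAgent: it holds no scopes of its own, yet inherits full mail and file access from the service account it rides on, which is exactly the Layer 3 failure mode, and it lands in Replaced rather than Blocked because it has an owner and a valid use case. ContractTriage is the reverse: no permission red flags at all, but it handles regulated data and fails its clause check, so it goes straight to Blocked.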


Which Common SaaS Tools Have Hidden AI Features?

So far: shadow AI hides inside tools you already approved, and the Four-Layer Audit above is how you find it. Next: which everyday SaaS tools are most likely hiding it, and what it actually costs if you don’t look.

Notion, Salesforce, HubSpot, and Tableau have hidden AI features that most teams never explicitly approved. Vendors are adding these capabilities by default, not because anyone requested them — and your own Layer 1 inventory likely contains more.

| Tool | AI Feature | What It Can Access |
| --- | --- | --- |
| Notion | Notion AI — summarization, autofill, flowchart generation, and an AI agent that can run workflows across documents | Document content, meeting notes, connected databases |
| Salesforce | Einstein and Agentforce — predictive insights, automated outreach, autonomous agents that manage customer conversations | CRM records, customer data, sales pipeline, connected channels |
| HubSpot | AI-powered lead scoring, content assistants, and chatbots for first-line customer support | CRM contact data, email engagement history, conversation logs |
| Tableau | Tableau Pulse and Ask Data — natural-language querying of business data without SQL | Connected databases, spreadsheets, cloud data sources |
Figure: Four widely-used tools, four AI features most teams never explicitly approved.

A pattern is worth noting here: three of the four tools above route data through the same parent company’s AI layer (Salesforce, Tableau) or function as the connective tissue between CRM and communication tools (HubSpot — see our full HubSpot vs Salesforce comparison for how they differ). Auditing one tool in isolation can miss the fact that its AI features are pulling from — or feeding into — several others on your list.


What Does a Shadow AI Breach Actually Cost (If You Don’t Audit)?

A shadow AI breach costs $670,000 more than a standard data breach, according to IBM’s 2025 Cost of a Data Breach Report. That premium pushes the average shadow-AI-linked incident to $4.63 million, compared to $3.96 million for breaches without unauthorized AI involved, per Kiteworks’ analysis of the same data.

Suja Viswesan, VP of Security and Runtime Products at IBM, said shadow AI “added an extra USD 670,000 to the global average breach cost.”

Figure: What inaction costs — all four figures from IBM’s 2025 Cost of a Data Breach Report.

The same report found that shadow AI was a factor in one in five breaches studied — 20% of all incidents, drawn from organizations across 16 countries and 17 industries. These breaches also expose more sensitive data than average: 65% of shadow AI incidents involved customer PII, compared to 53% across all breaches generally.

247 days — average time to detect a shadow AI breach, well past the point where damage is contained quickly, since the traffic moves through tools security teams don’t monitor.

None of this requires a sophisticated attack. IBM’s data shows that 97% of organizations with an AI-related breach had no real access controls around the tool involved — meaning the exposure wasn’t a failure of defense, it was the absence of any defense at all. For a sense of what proactive agent governance costs by comparison, see our breakdown of what agentic AI actually costs when budgeted properly.

Key Insight
An audit converts “we don’t know what’s connected” into a documented list with a decision attached to every entry.

The Shadow AI Audit Checklist

Everything above, condensed into a single run-through. Each item maps to a layer from the Four-Layer Shadow AI Audit.

  • ☐ Pull every connected app from Google Workspace, Microsoft 365, and Slack admin consoles
  • ☐ Cross-reference against expense reports and credit card statements for unlisted tools
  • ☐ Check OAuth scopes for every tool — flag broad permissions, no owner, recent grants, or personal email domains
  • ☐ Identify which tools touch customer PII, financial data, source code, or contracts
  • ☐ Check for AI agents or MCP servers with inherited service-account permissions
  • ☐ Match every regulated-data tool to the specific compliance clause it needs to satisfy
  • ☐ Sort every tool into Approved, Restricted, Replaced, or Blocked
Free Download: The Worksheet Version of This Audit
Four tabs — Inventory, Permissions, Data Flow, Policy — with a filled-in example on every one, so you’re never staring at a blank row.
Download the Audit Worksheet (.xlsx) →

Frequently Asked Questions

What is a shadow AI audit?

A shadow AI audit is the process of inventorying every AI-enabled tool connected to a company’s SaaS stack, reviewing what data and permissions each one has, and deciding which tools to approve, restrict, replace, or block. It identifies AI usage that exists outside formal IT or security oversight.

How long does a shadow AI audit take?

A shadow AI audit takes approximately 5–7 hours when run as a single-day exercise using the Four-Layer model: 1–2 hours for inventory, 2–3 hours for permissions review, 1 hour for data flow analysis, and 1 hour for policy decisions. Larger organizations with more SaaS tools may need additional time for the inventory layer.

What is the difference between shadow IT and shadow AI?

Shadow IT is any unapproved technology an employee adopts without IT review — a new app, a new subscription. Shadow AI is more specific: it’s AI capability operating without oversight, which often hides inside tools that were already approved, since vendors add AI features through routine updates rather than new purchases.

How do I find shadow AI in my company without buying software?

You find shadow AI without buying software by checking the admin consoles you already have access to — Google Workspace’s API Controls, Microsoft Entra’s Enterprise Applications list, and Slack’s App Management page all show third-party AI tools with existing access, at no additional cost.

What is the first step in auditing my SaaS stack for shadow AI?

The first step in auditing your SaaS stack for shadow AI is building an inventory: pull every AI-touching connection from your admin consoles and cross-reference it against expense reports and credit card statements, since many AI tools are paid for as small recurring charges that never go through formal procurement.
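One way to do that cross-reference mechanically, as an added example rather than anything from the article or its worksheet. It assumes two hand-made exports: the connected-app names from the admin consoles and a card statement as CSV. Both below are constructed samples, and the CSV column names (date, merchant, amount) are an assumption to adapt to your bank's export format. The heuristic it applies is that a SaaS subscription shows up as the same merchant charging the same amount in successive months.

```python
"""Layer 1 cross-check: recurring card charges with no matching connected app.
Added example, not the article's tooling. Inputs are two hand-made exports,
both constructed here: connected-app names from the admin consoles and a card
statement as CSV (column names date, merchant, amount are an assumption)."""
import csv
import io
import re
from collections import defaultdict

# Constructed connected-app names as the admin consoles list them (Layer 1).
CONNECTED_APPS = ["DocSummarizer", "PipelineAgent", "Slack"]

# Constructed three-month card statement.
STATEMENT_CSV = """date,merchant,amount
2026-03-04,DOCSUMMARIZER INC,12.00
2026-04-04,DOCSUMMARIZER INC,12.00
2026-05-04,DOCSUMMARIZER INC,12.00
2026-03-11,WRITEGENIE*PRO,19.99
2026-04-11,WRITEGENIE*PRO,19.99
2026-05-11,WRITEGENIE*PRO,19.99
2026-03-20,TRANSCRIPTLY.AI,29.00
2026-04-20,TRANSCRIPTLY.AI,29.00
2026-05-20,TRANSCRIPTLY.AI,29.00
2026-04-02,COFFEE BAR 221,4.50
2026-05-02,COFFEE BAR 221,6.25
2026-04-17,SLACK TECHNOLOGIES,80.00
2026-05-17,SLACK TECHNOLOGIES,80.00
"""

def normalize(name: str) -> str:
    """Lowercase, drop a card-processor suffix such as '*PRO', keep only [a-z0-9]."""
    return re.sub(r"[^a-z0-9]", "", name.lower().split("*")[0])

def recurring_charges(statement_csv: str, min_months: int = 2) -> dict:
    """Merchants charging the same amount in at least min_months distinct months."""
    by_merchant = defaultdict(list)
    for row in csv.DictReader(io.StringIO(statement_csv)):
        by_merchant[row["merchant"]].append((row["date"][:7], float(row["amount"])))
    out = {}
    for merchant, rows in by_merchant.items():
        months = {m for m, _ in rows}
        amounts = {a for _, a in rows}
        if len(months) >= min_months and len(amounts) == 1:  # fixed-price subscription shape
            out[merchant] = (len(months), amounts.pop())
    return out

def unlisted_tools(statement_csv: str, connected_apps, min_months: int = 2) -> dict:
    """Recurring merchants with no matching connected app: Layer 1 follow-up candidates."""
    known = [normalize(app) for app in connected_apps]
    candidates = {}
    for merchant, (months, amount) in recurring_charges(statement_csv, min_months).items():
        token = normalize(merchant)
        if not any(k in token for k in known):
            candidates[merchant] = {"months": months, "monthly_amount": amount}
    return candidates

if __name__ == "__main__":
    for merchant, info in unlisted_tools(STATEMENT_CSV, CONNECTED_APPS).items():
        print(f"{merchant:20} {info['months']} months at {info['monthly_amount']:.2f}")
```

Recurring merchants that match a connected app are dropped; what remains are candidates, not findings, and a person still has to confirm whether each one is an AI tool before it joins the Layer 1 inventory. The match is deliberately loose (a normalized app name contained in a normalized merchant string) because card processors mangle vendor names, and the equal-amount rule is what keeps variable spending such as the coffee bar in the sample out of the candidate list.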

How do I check OAuth permissions for AI tools in Google Workspace?

You check OAuth permissions for AI tools in Google Workspace through Admin console → Security → API Controls → App Access Control, which lists every third-party app with API access to company data, including the specific scopes each one was granted.

How often should I audit my SaaS stack for shadow AI?

You should audit your SaaS stack for shadow AI quarterly at minimum, and immediately after onboarding any new SaaS tool. AI features are added to existing software through routine vendor updates, so a one-time audit becomes outdated as soon as the next update ships.

What happens if I find an unapproved AI tool during the audit?

If you find an unapproved AI tool during the audit, sort it into one of four categories: approved (acceptable with current controls), restricted (low-risk use only), replaced (swap for an approved alternative), or blocked (removed immediately due to unmanageable risk).

Do AI agents and MCP servers count as shadow AI?

AI agents and MCP servers count as shadow AI when they operate without security review, particularly because they inherit the permissions of the service accounts they’re attached to. Orca Security’s research found this lets agents bypass traditional web gateways and DLP tools entirely, since they don’t require a new login to access sensitive data.

How much does a shadow AI breach cost?

A shadow AI breach costs $670,000 more than a standard data breach, according to IBM’s 2025 Cost of a Data Breach Report, pushing the average incident to $4.63 million. These breaches also expose customer PII at a higher rate — 65% of cases, compared to 53% across all breaches.

What should an AI usage policy include after the audit?

An AI usage policy should include a list of approved tools, the specific data types each is permitted to process, the compliance requirements it must meet (PCI DSS, HIPAA, SOC 2, or GDPR depending on the data involved), and a clear process for requesting new tool approval.

Is Notion AI or Salesforce Einstein considered shadow AI?

Notion AI and Salesforce Einstein are not shadow AI when used through an officially approved company account with documented oversight. They become shadow AI only if an individual employee enables the feature without IT review, or if the account processing company data isn’t centrally managed.


Conclusion

The Four-Layer Shadow AI Audit turns a vague concern into a documented, defensible position: every AI tool in your stack inventoried, its permissions checked, its data flow understood, and a clear decision attached to it — approved, restricted, replaced, or blocked.

IBM’s data makes the stakes explicit: shadow AI adds $670,000 to the average breach cost, and 97% of affected organizations had no access controls in place when it happened. You don’t need a six-figure security platform to close that gap.

You need one day, your existing admin consoles, and this framework — or the worksheet above if you’d rather work from a spreadsheet. Run it this quarter.

Daniel Voss
Technology Writer & Analyst
Daniel Voss is a technology writer and analyst with 6+ years of experience covering enterprise software, cybersecurity, and the emerging AI infrastructure redefining how SaaS is built and discovered. He writes for technical decision-makers — product leaders, engineers, and founders who want rigorous analysis with a clear point of view. His work at The SaaS Library focuses on the standards, shifts, and structural changes that most coverage reduces to hype.
