
Shadow-AI discovery sprint

The hardest part of AI governance is knowing what exists. This guide runs a focused sprint to surface shadow AI, GenAI tools, vendor AI and emerging agentic workflows that are in use but were never registered, and to bring them under governance.

Use this sprint when you suspect (or know) that AI is being used across the organisation faster than governance can track, and you need an honest inventory before you can govern anything.

The outcome is a reviewed set of discovered AI, with the real systems promoted into the registry, tiered and routed, and a clear picture of coverage.

  1. Set up sources. In Discovery, configure discovery sources, connector-based collectors or manual imports, with an owner and cadence.
  2. Run discovery. Each run produces candidates (suspected AI in use) and artifacts (the underlying usage signals), normalised against rules into canonical apps and vendors.
  3. Triage candidates. Review each candidate’s confidence, signal and guessed owner, and decide: promote, dismiss or investigate. Artifacts carry a reconciliation status so each signal is tied to a known asset or flagged.
  4. Promote the real ones. Promote confirmed candidates into AI System Records, where they enter intake and risk tiering like any other system.
  5. Tier and route. Run intake on the newly registered systems and route the higher-risk ones to GTSAF and the EU AI Act.
  6. Report coverage. Use reporting to show leadership what was found, what was registered, and where coverage still has gaps.
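The normalisation, triage and coverage steps above are shown below as an added, illustrative implementation; it is not the product's own code. The host-to-app rules, the registry contents, the proxy-style usage signals and the confidence heuristic are all constructed for the example, and the reconciliation statuses ("registered", "candidate", "unresolved") are assumed names, not the product's.

```python
"""Shadow-AI discovery triage: an illustrative implementation, not the product's code."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

# Normalisation rules (constructed): a destination host seen in usage signals maps
# to a canonical app and vendor, so several hosts collapse into one candidate.
RULES = {
    "chat.openai.com": ("ChatGPT", "OpenAI"),
    "api.openai.com": ("ChatGPT", "OpenAI"),
    "api.anthropic.com": ("Claude", "Anthropic"),
    "copilot-proxy.githubusercontent.com": ("GitHub Copilot", "GitHub"),
}

# Systems already in the registry (constructed): canonical app -> AI System Record id.
REGISTRY = {"GitHub Copilot": "AIS-0007"}

# Constructed usage signals, e.g. from a web-proxy export: (date, user, department, host).
SIGNALS = [
    ("2024-05-01", "ana", "Marketing", "chat.openai.com"),
    ("2024-05-01", "ben", "Marketing", "api.openai.com"),
    ("2024-05-02", "cara", "Finance", "chat.openai.com"),
    ("2024-05-03", "ana", "Marketing", "chat.openai.com"),
    ("2024-05-02", "dev1", "Engineering", "copilot-proxy.githubusercontent.com"),
    ("2024-05-02", "dev2", "Engineering", "copilot-proxy.githubusercontent.com"),
    ("2024-05-03", "eli", "Legal", "api.anthropic.com"),
    ("2024-05-03", "fay", "Finance", "ml.unknown-vendor.example"),
]


@dataclass
class Artifact:
    """One usage signal, normalised and carrying its reconciliation status."""
    date: str
    user: str
    department: str
    host: str
    canonical_app: str | None
    vendor: str | None
    reconciliation: str  # "registered" (tied to a known asset), "candidate", or "unresolved" (flagged)


@dataclass
class Candidate:
    """Suspected AI in use, aggregated from the artifacts that point at it."""
    canonical_app: str
    vendor: str
    artifacts: list[Artifact] = field(default_factory=list)

    @property
    def users(self) -> set[str]:
        return {a.user for a in self.artifacts}

    @property
    def guessed_owner(self) -> str:
        # The department generating most of the signal is the first guess at an owner.
        return Counter(a.department for a in self.artifacts).most_common(1)[0][0]

    @property
    def confidence(self) -> int:
        # Constructed heuristic, 0..100: more distinct users and more active days make
        # this more likely to be real, recurring use rather than a one-off experiment.
        days = len({a.date for a in self.artifacts})
        return min(100, 30 + 15 * len(self.users) + 10 * days)

    @property
    def suggested_action(self) -> str:
        # A default for the reviewer to confirm or override; thresholds are assumed.
        if self.canonical_app in REGISTRY:
            return "already registered"
        if self.confidence >= 70:
            return "promote"
        if self.confidence >= 50:
            return "investigate"
        return "dismiss"


def normalise(signals: list[tuple[str, str, str, str]]) -> list[Artifact]:
    """Step 2: turn raw signals into artifacts reconciled against rules and the registry."""
    artifacts = []
    for date, user, department, host in signals:
        app, vendor = RULES.get(host, (None, None))
        if app is None:
            status = "unresolved"   # no rule matched: flag it for rule maintenance
        elif app in REGISTRY:
            status = "registered"   # tied to a known AI System Record
        else:
            status = "candidate"
        artifacts.append(Artifact(date, user, department, host, app, vendor, status))
    return artifacts


def build_candidates(artifacts: list[Artifact]) -> dict[str, Candidate]:
    """Step 3 input: group reconciled artifacts into one candidate per canonical app."""
    candidates: dict[str, Candidate] = {}
    for a in artifacts:
        if a.canonical_app is None:
            continue  # unresolved signals stay flagged, they do not become candidates
        c = candidates.setdefault(a.canonical_app, Candidate(a.canonical_app, a.vendor))
        c.artifacts.append(a)
    return candidates


def coverage_report(artifacts: list[Artifact], candidates: dict[str, Candidate]) -> dict[str, Counter]:
    """Step 6: what was found, what is already registered, and how much signal is unexplained."""
    return {
        "artifacts_by_status": Counter(a.reconciliation for a in artifacts),
        "candidates_by_action": Counter(c.suggested_action for c in candidates.values()),
    }


if __name__ == "__main__":
    arts = normalise(SIGNALS)
    cands = build_candidates(arts)
    for c in cands.values():
        print(f"{c.canonical_app:15} users={len(c.users)} owner?={c.guessed_owner} "
              f"confidence={c.confidence} -> {c.suggested_action}")
    print(coverage_report(arts, cands))
```

On the sample data, ChatGPT use from three people over three days is suggested for promotion with Marketing as the guessed owner, the single Claude signal is routed to investigation, GitHub Copilot is recognised as already registered, and the unknown host stays as one unresolved artifact in the coverage report, which is the gap a rule or manual import would need to close.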

This sprint uses Registry & Discovery, intake & risk tiering, GTSAF, the EU AI Act and reporting.