
Detecting Shadow AI in the Enterprise

Mayur Gajare, Researcher at Pulse AI · 12 min read

Every enterprise now runs on AI it cannot see. Employees paste sensitive contracts into consumer chatbots to "summarise" them, engineers wire up unreviewed model endpoints to ship features faster, and copilots quietly embed themselves into email, code editors, and spreadsheets. Individually, each of these is a small productivity win. Collectively, they form an invisible, ungoverned attack surface that grows every single day. We call this Shadow AI — and at Pulse AI it is the problem we wake up to solve.

The scale is easy to underestimate. In the first week of a typical deployment, Pulse surfaces an average of 14 distinct unsanctioned AI tools already in active use inside the organisation — most of which no one in security had heard of. The data flowing through them includes source code, customer records, financial models, and legal documents. None of it is logged, none of it is governed, and much of it never should have left the building.

Why traditional controls miss it

Classic data-loss prevention was built for a world of files and a short, stable list of known SaaS domains. AI traffic breaks every assumption behind it. To a network monitor, a request to a frontier model looks like ordinary HTTPS to yet another endpoint, indistinguishable from a thousand benign API calls. The set of endpoints is not stable either — new models, wrappers, browser extensions, and desktop clients appear faster than any blocklist can be maintained.

Signature-based tooling therefore fails in two directions at once: it misses the new (anything not yet on the list) and it over-blocks the legitimate (coarse domain bans that push employees toward even less visible workarounds). The harder truth is that blocking is rarely the right goal. The tools are popular because they genuinely help people do their jobs. Security’s task is not to stop AI adoption — it is to make safe adoption the path of least resistance.

A detection framework built for AI

Pulse treats Shadow AI as a live inventory problem rather than a static filtering problem. Three ideas do most of the work:

  • Behavioural fingerprinting of model-bound traffic — we classify interactions by the shape of the exchange (prompt/completion patterns, token cadence, streaming behaviour) rather than by domain, so newly appeared endpoints are caught on day one.
  • On-device inspection and redaction — prompts and completions are inspected at the edge, with sensitive entities detected and redacted before they ever leave the perimeter, preserving both privacy and productivity.
  • Continuous discovery — the system constantly reconstructs a map of every model touchpoint across the organisation, so the AI surface is always known, not periodically audited.

You cannot govern what you cannot see. Visibility is the first control, not the last.

From detection to graduated response

Once an interaction is identified and scored for risk, the interesting question is what to do about it. A blunt allow/deny switch is almost always the wrong answer. Pulse supports a graduated response: low-risk usage is simply observed and logged; medium-risk usage is allowed but redacted and flagged for review; only genuinely dangerous patterns — credential leakage, regulated-data exfiltration, prompt-injection attempts — are blocked outright, with a clear explanation to the user and a one-click path to a sanctioned alternative.
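To make the three ideas above and the graduated response concrete, here is an added example (not Pulse's code) of a shape-based classifier, edge redaction and triage step run over constructed proxy records. The record fields, hosts, cadence thresholds and the credential pattern are assumptions for the illustration.

```python
import re
from statistics import median

# Constructed proxy records (not real traffic); field names, hosts and values are assumptions.
RECORDS = [
    {"host": "new-wrapper.example", "resp_type": "text/event-stream",
     "chunk_gaps_ms": [40, 38, 45, 41, 39],
     "body": {"messages": [{"role": "user", "content": "Summarise this contract"}]}},
    {"host": "new-wrapper.example", "resp_type": "text/event-stream",
     "chunk_gaps_ms": [30, 35, 33, 31, 36],
     "body": {"messages": [{"role": "user", "content": "Email alice@corp.example the draft"}]}},
    {"host": "new-wrapper.example", "resp_type": "application/json",
     "chunk_gaps_ms": [900], "body": {"prompt": "Use key sk-EXAMPLE-abc123 for the job"}},
    {"host": "cdn.example", "resp_type": "text/html", "chunk_gaps_ms": [5, 2],
     "body": {"q": "spring sale"}},
]

PROMPT_KEYS = ("messages", "prompt", "input")
# Sensitive-entity detectors; the key shape is an illustrative assumption, not a vendor format.
ENTITIES = {
    "credential": re.compile(r"\bsk-[A-Za-z0-9-]{8,}"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

def is_model_bound(rec):
    """Fingerprint by the shape of the exchange, never by host name or blocklist."""
    has_prompt = any(k in rec["body"] for k in PROMPT_KEYS)
    gaps = rec["chunk_gaps_ms"]
    # Streamed completions arrive as many small chunks at a steady per-token cadence.
    steady_stream = (rec["resp_type"] == "text/event-stream"
                     and len(gaps) >= 3 and 10 <= median(gaps) <= 200)
    return has_prompt or steady_stream

def prompt_text(body):
    if "messages" in body:
        return " ".join(m.get("content", "") for m in body["messages"])
    return str(body.get("prompt") or body.get("input") or "")

def triage(rec):
    """Graduated response: observe, redact and flag, or block; returns the redacted prompt."""
    if not is_model_bound(rec):
        return {"action": "ignore", "entities": [], "prompt": None}
    text = prompt_text(rec["body"])
    found = [name for name, rx in ENTITIES.items() if rx.search(text)]
    for name, rx in ENTITIES.items():              # redact at the edge, before egress
        text = rx.sub(f"[{name.upper()}]", text)
    action = ("block" if "credential" in found      # credential leakage never leaves
              else "redact_and_flag" if found       # personal data: allowed, redacted, flagged
              else "observe")                       # low risk: log only
    return {"action": action, "entities": found, "prompt": text}
```

A real deployment would feed the host of every record classified as model-bound into the live inventory, which is the discovery step the third idea describes.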

This graduated model matters because it changes the relationship between security and the rest of the business. Instead of being the team that says no, security becomes the team that makes the safe option effortless. Adoption of sanctioned tools rises precisely because the friction of the unsafe ones is made visible and gently redirected.

What we measure

We hold ourselves to operational, not theoretical, metrics: time-to-discovery for a newly introduced tool (target: same day), added inference latency from inline inspection (kept under 50ms so it never becomes a reason to route around the control), and the proportion of sensitive interactions redacted before egress. These are the numbers a CISO actually has to defend, so they are the numbers we optimise.

Shadow AI is not going away — if anything, the rate of new tools is accelerating. The organisations that thrive will not be the ones that banned it, but the ones that brought it into the light, understood it, and made trust the default. That is the work.
