Shadow AI Detection

How Foresight by Realis automatically discovers AI tools your employees are already using — without waiting for them to self-report.

What is Shadow AI?

Shadow AI refers to AI tools that employees adopt on their own — outside of IT approval, procurement, or security review. A developer signs up for GitHub Copilot on a personal account. A marketer pastes customer data into ChatGPT. A data scientist uploads proprietary models to Hugging Face. None of these appear in your software inventory, but all of them carry real risk.

Shadow AI is the AI equivalent of Shadow IT, and it's growing faster. Unlike traditional software, most AI tools are consumer-grade web apps that require no installation — just a browser and a credit card. That makes them nearly invisible to conventional discovery methods.

Why it matters: Employees routinely share confidential data, source code, customer PII, and internal documents with AI tools that have no DPA, no audit log, and no enterprise data controls. A single incident can trigger GDPR fines, IP loss, or regulatory action.

How Detection Works

Foresight by Realis includes a detection API that receives telemetry events from your environment and matches them against a built-in database of known AI vendor domains. When a match is found, the tool is automatically added to your Asset Inventory and flagged for scoring.

The detection endpoint accepts a simple JSON payload:

POST /api/events/detect
Headers: X-API-Key: <your telemetry API key — see Settings → API Key>

{
  "url": "https://chat.openai.com/chat",
  "hashed_user_id": "a3f5c8...",
  "timestamp": "2025-01-15T14:32:00Z"
}

The response tells you whether the URL matched a known vendor:

{ "matched": true, "asset_id": "uuid", "category": "Generative AI" }

Privacy by design: The API never stores employee names or email addresses. You must hash user identifiers (SHA-256 recommended) before sending them. The system stores only the hash, making it impossible to reverse-identify individuals from the detection logs.

Impact on scoring: Every detection event automatically updates the asset's user count and event count, which feeds into the engagement penalty applied to the security score. A tool used by 1 person carries less risk than one used by 200 people with thousands of interactions. Scores are recalculated in real time as events arrive — no manual re-scoring needed.

How to Integrate

There are several ways to send detection events to the API depending on your environment. Choose the approach that fits your infrastructure.

Browser Extension (Recommended)

A lightweight browser extension monitors URLs visited by employees and posts matching events to the detection API. This is the most comprehensive approach — it catches web-based AI tools regardless of how employees access them.

  1. Build or deploy a Chrome/Firefox extension that intercepts navigation events.
  2. On each page load, POST the URL + hashed user ID to /api/events/detect.
  3. The extension only needs to fire for URLs — no page content is read.
  4. Deploy via your MDM (Jamf, Intune) to all managed devices.

Network Proxy / DNS Logging (Enterprise)

If your organization routes traffic through a proxy (Zscaler, Netskope, Palo Alto) or has DNS logging enabled, you can forward matching domain hits to the detection API via a log pipeline.

  1. Configure your proxy or SIEM to export DNS/HTTP logs.
  2. Run a lightweight forwarder that filters for known AI domains and calls /api/events/detect.
  3. Hash employee identifiers (email or AD username) before forwarding.
  4. This approach covers all devices including unmanaged BYOD.

SSO / Identity Provider Logs (Partial coverage)

If employees use SSO (Okta, Azure AD, Google Workspace) to access AI tools, your IdP logs will show which tools are being accessed. This only catches tools that are SSO-integrated — it misses direct sign-ups.

  1. Export application access logs from your IdP.
  2. Map application names to vendor domains.
  3. POST detection events for each access event.
  4. Combine with the browser extension for full coverage.

Manual Registration (Always available)

Any AI tool can be manually registered via the Register Asset page, even without automated detection. Use this for tools discovered through employee surveys, expense reports, or IT helpdesk tickets.

  1. Go to Register Asset in the navigation.
  2. Enter the tool name, vendor URL, and scoring inputs.
  3. The system calculates the Realis Score immediately.
  4. No detection event is required — the asset is created directly.

Built-in Vendor Database

The detection engine currently recognizes 18 AI vendor domains across all three categories. When a URL matches any of these domains (including subdomains), the tool is automatically identified and categorized.

Tool                Domain                Category
OpenAI              openai.com            Generative AI
ChatGPT             chat.openai.com       Generative AI
Anthropic Claude    anthropic.com         Generative AI
Claude              claude.ai             Generative AI
Google Gemini       gemini.google.com     Generative AI
Perplexity AI       perplexity.ai         Generative AI
Mistral AI          mistral.ai            Generative AI
Cohere              cohere.com            Generative AI
GitHub Copilot      github.com/copilot    Developer Tool
Cursor              cursor.sh             Developer Tool
Tabnine             tabnine.com           Developer Tool
Codeium             codeium.com           Developer Tool
Replit AI           replit.com            Developer Tool
Hugging Face        huggingface.co        Data Science Platform
Kaggle              kaggle.com            Data Science Platform
Databricks          databricks.com        Data Science Platform
Weights & Biases    wandb.ai              Data Science Platform
Scale AI            scale.com             Data Science Platform

To add vendors not in this list, register them manually via the Register Asset page. Custom vendor support can be added by updating the vendor database on the backend.
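The forwarder described under Network Proxy / DNS Logging, worked through as an added example (not Realis code): it applies this section's subdomain-inclusive matching rule to a subset of the vendor table, hashes identifiers as How Detection Works requires, and emits the /api/events/detect payload. The log line format, the sample users and the optional org_key for keyed hashing are constructed assumptions, not part of the product.

```python
import hashlib, hmac
from urllib.parse import urlsplit

# Subset of the page's vendor table: (tool, domain or domain/path, category).
VENDORS = [
    ("OpenAI", "openai.com", "Generative AI"),
    ("ChatGPT", "chat.openai.com", "Generative AI"),
    ("GitHub Copilot", "github.com/copilot", "Developer Tool"),
    ("Hugging Face", "huggingface.co", "Data Science Platform"),
]

def match_url(url):
    """Most specific (tool, category) the URL hits, else None. Hosts match exactly or as a
    subdomain on a label boundary (notopenai.com does not hit openai.com); a path-scoped entry
    such as github.com/copilot also needs its path, so ordinary GitHub traffic is not flagged."""
    parts = urlsplit(url if "://" in url else "//" + url)  # bare hostnames from DNS logs work too
    host, path = (parts.hostname or "").lower().rstrip("."), parts.path or "/"
    best = None
    for tool, entry, category in VENDORS:
        vhost, _, vpath = entry.partition("/")
        if host != vhost and not host.endswith("." + vhost):
            continue
        if vpath and path != "/" + vpath and not path.startswith("/" + vpath + "/"):
            continue
        if best is None or (len(vhost), len(vpath)) > best[0]:
            best = ((len(vhost), len(vpath)), tool, category)
    return best[1:] if best else None

def hash_user_id(identifier, org_key=None):
    """SHA-256 of the normalised identifier, as the page recommends. E-mails are low-entropy, so an
    unkeyed hash can be relinked from a staff directory; org_key (an added hardening option, not a
    page requirement) switches to HMAC-SHA256 so only the key holder can do that."""
    ident = identifier.strip().lower().encode()
    return (hashlib.sha256(ident) if org_key is None else hmac.new(org_key, ident, hashlib.sha256)).hexdigest()

def events_from_proxy_log(lines, org_key=None):
    """Filter 'timestamp user url' log lines (constructed format) to /api/events/detect payloads."""
    events = []
    for line in lines:
        timestamp, user, url = line.split(" ", 2)
        if match_url(url) is not None:  # only hits on known AI vendors leave the network
            events.append({"url": url, "hashed_user_id": hash_user_id(user, org_key),
                           "timestamp": timestamp})
    return events

SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2025-01-15T14:32:00Z alice@example.com https://chat.openai.com/chat",
    "2025-01-15T14:33:10Z bob@example.com https://github.com/copilot/settings",
    "2025-01-15T14:34:05Z bob@example.com https://github.com/example-org/repo",
]
```

Note that a DNS-only feed sees github.com without a path, so the Copilot entry cannot fire from DNS logs alone; HTTP proxy logs or the browser extension are needed for path-scoped vendors.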

Questions? See the User Guide for scoring and remediation guidance.