May 20, 2026

The 7 Ways Shadow AI Enters Your Organization (And How to Detect Each One)

Cristina Peterson

Most shadow AI governance conversations start in the wrong place. They focus on whether employees are using AI tools they shouldn’t — as if the core problem is a handful of employees sneaking onto ChatGPT during business hours.

The actual problem is structural. AI is entering your enterprise through at least seven distinct vectors simultaneously, and the detection methods most organizations have deployed are built to find only one or two of them. That gap between what’s running and what’s visible is where your real exposure lives.

This post maps each entry vector, explains why it matters, and connects it to the detection methods that can actually surface it.

The 7 Entry Vectors

1. Consumer AI Tools Accessed via Browser

The most visible category, and the one most organizations discover first. ChatGPT, Claude, Gemini, Perplexity, and hundreds of specialized AI tools are accessible directly through any browser without installation, procurement, or IT involvement of any kind.

The risk profile isn’t uniform. An employee using a paid enterprise-tier account with strong data protection terms is a very different situation from an employee on a free tier where submitted data may be used for model training. Most organizations have employees in both situations — and no visibility into which is which.

Why it’s hard to catch: Browser-based tool access on personal accounts doesn’t require corporate authentication. It doesn’t show up in your identity provider logs. It doesn’t install anything on the endpoint that triggers alerts. It looks, from a monitoring standpoint, like ordinary web traffic.

2. AI Features Embedded in Already-Approved Software

This vector is harder to detect than browser-based consumer tools and, in many ways, represents higher aggregate risk because the scale of exposure is larger.

Microsoft Copilot, Salesforce Einstein, Notion AI, Slack AI, GitHub Copilot — these are products your organization licensed. But the AI features layered on top of those products may have been activated for all users without any security review of the AI-specific data handling terms. You approved the base product. The AI layer came along for the ride.

Why it’s hard to catch: There’s no new vendor to evaluate, no new procurement event to trigger a review. The AI capability is surfaced as a product feature update, often with minimal announcement, inside software employees already use every day.

3. Browser Extensions with AI Capabilities

Grammarly, Jasper, various meeting assistant tools, and AI writing aids operate as browser extensions that can access page content, clipboard data, and in some cases the full text of documents a user has open. Most were installed by individual employees without IT involvement and have never been evaluated for data exfiltration risk.

The permissions model for browser extensions is permissive by default. An extension that has “read and change all data on websites you visit” — a common permission request — has, in practice, access to everything a user does in that browser, including content pasted into internal tools, proprietary documents, and confidential communications.

Why it’s hard to catch: Extensions don’t require corporate authentication. Many don’t generate distinctive network traffic. Without dedicated browser extension cataloging, they’re largely invisible to standard monitoring.

4. AI-Powered SaaS via Decentralized Procurement

Marketing teams buy AI content generation tools. Sales teams subscribe to AI-powered prospecting platforms. HR teams adopt AI-assisted hiring and screening software. Finance teams use AI-powered forecasting tools. None of these procurement decisions necessarily involve IT security review, and many of the data handling terms attached to these products would concern your legal team if anyone read them carefully.

Why it’s hard to catch: Business unit procurement that bypasses central IT is a well-established challenge. AI tools have made it faster and cheaper, reducing the friction that occasionally caused deals to surface for review. A department head can have a team of 20 using an AI-powered tool within days of a purchase decision.

5. Developer and Data Science API Integrations

This is the vector that most consistently catches security teams off guard. Developers, data scientists, and technically sophisticated business unit employees are building internal tools, scripts, and automations that call OpenAI, Anthropic, Cohere, or other model provider APIs directly. Some of those tools are small experiments. Some are running in production, processing real data, integrated into workflows that the business depends on.

In most organizations, nobody in security has a complete list of these integrations. API keys are provisioned individually, tools are built outside of formal development cycles, and the connections to external AI providers are invisible to monitoring systems not specifically configured to look for them.

Why it’s hard to catch: API calls blend into general outbound traffic. There’s no installation event, no procurement record, and no authentication to corporate identity. Without specific network inspection configured for AI service endpoints, these integrations are functionally invisible.

6. Mobile Device AI Tool Usage

Employees using AI tools on personal mobile devices — whether through apps or mobile browsers — represent a coverage gap that most technical detection methods don’t close. AI assistant apps, mobile productivity tools with AI features, and consumer AI applications are all readily accessible outside of any corporate monitoring infrastructure.

Why it’s hard to catch: Without a mobile device management solution that extends to personal devices, mobile usage is largely invisible. This is a coverage gap that technical controls can only partially address.

7. Contractor and BYOD Device Usage

Contractors, consultants, and employees using personal devices for work represent the final major entry vector. Any AI tool usage on a non-managed device falls entirely outside the reach of endpoint-based detection. In organizations with significant contractor populations or flexible BYOD policies, this represents a meaningful share of total AI tool usage.

Why it’s hard to catch: By definition, unmanaged devices are outside your monitoring perimeter. Conditional access policies and network-level controls can create some friction, but they don’t provide the same coverage as managed endpoint agents.

The Three Detection Methods — And What Each One Finds

No single detection method surfaces all seven entry vectors. Effective shadow AI discovery requires running three approaches in parallel and mapping their combined coverage against your vector landscape.

Method 1: Endpoint Agent Deployment
Endpoint agents deployed on managed corporate devices provide visibility into locally installed AI applications, browser-based AI tool access on managed devices, and usage patterns across the device fleet. They’re the strongest signal for locally installed tools and browser activity on managed hardware — and they have no visibility into BYOD, contractor devices, or mobile usage.

Method 2: Identity Provider and SSO Integration Analysis
Your identity provider logs every authentication event for applications accessed via corporate SSO. For AI tools connected to corporate identity — particularly OAuth-connected applications that have been granted access to corporate email, calendar, or file storage — IdP analysis is your strongest signal. It surfaces AI-enabled SaaS applications employees are authenticating to using corporate identity, and it reveals the scope of data access those applications have been granted. It has no visibility into tools accessed via personal accounts.
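An added example, not code from the post or from Airia, of the triage this method enables: it scores constructed IdP consent records by the data-access scopes each app was granted (Graph-style names such as Mail.Read and Files.Read.All), whether the app holds a refresh token, whether its publisher is verified, and how many users consented, so that a small app with broad mail or file access outranks a large app with nothing but sign-in scopes. Field names, weights and the review threshold are assumptions.

```python
# Assumed: grants exported from the IdP as dicts with Graph-style delegated scope
# names (Mail.Read, Files.Read.All, ...); the record fields are constructed here.

# Scope -> data-access weight. Illustrative weights, not a vendor rating;
# anything not listed counts 1 so an unfamiliar scope is never silently zero.
SCOPE_WEIGHT = {
    "Mail.ReadWrite": 5, "Mail.Read": 4, "Files.ReadWrite.All": 5, "Files.Read.All": 4,
    "Sites.Read.All": 4, "Calendars.Read": 2, "User.Read": 0, "openid": 0,
    "profile": 0, "offline_access": 0,
}

def grant_score(grant):
    """Weight of granted data access, raised when the app keeps a refresh token
    (offline_access: it can act while the user is away) or has no verified
    publisher, then scaled by how many users consented."""
    weight = sum(SCOPE_WEIGHT.get(s, 1) for s in grant["scopes"])
    if "offline_access" in grant["scopes"]:
        weight += 2
    if not grant.get("publisher_verified", False):
        weight += 2
    return weight * max(1, grant["user_count"])

def explain(grant):
    """Scopes that contributed to the score, heaviest first."""
    weighted = [(SCOPE_WEIGHT.get(s, 1), s) for s in grant["scopes"]]
    return [s for w, s in sorted(weighted, reverse=True) if w > 0]

def review_queue(grants, threshold=20):
    """App names at or above the threshold, highest score first."""
    scored = sorted(((grant_score(g), g["app"]) for g in grants), reverse=True)
    return [app for score, app in scored if score >= threshold]

SAMPLE_GRANTS = [  # constructed records, not a real IdP export
    {"app": "Meeting Notes AI", "scopes": ["Calendars.Read", "Mail.Read", "offline_access"],
     "publisher_verified": False, "user_count": 40},
    {"app": "Doc Summarizer", "scopes": ["Files.Read.All", "User.Read"],
     "publisher_verified": True, "user_count": 3},
    {"app": "Timesheet", "scopes": ["User.Read", "openid"],
     "publisher_verified": True, "user_count": 500},
]
```

The 500-user Timesheet app scores zero because sign-in scopes carry no data access; the 40-user meeting assistant tops the queue on mail access plus an unverified publisher and a standing refresh token.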

Method 3: Browser Extension and Network Traffic Inspection
Network traffic inspection and browser extension cataloging surface what the other two methods miss: browser extensions installed without IT involvement, consumer AI tool usage via personal accounts, and developer API integrations generating outbound calls to AI service endpoints. SSL inspection capability at the proxy or firewall layer is required for full visibility into encrypted traffic. DNS-level analysis provides a lower-fidelity but still useful view where SSL inspection isn’t feasible.
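An added example, not code from the post or from Airia: a small Python classifier that runs the Method 3 logic over constructed proxy log lines, tagging a hit as a vector 5 API integration (AI API host reached by a non-browser client) or vector 1 consumer browser use, and falling back to hostname-only matching when all you have is DNS data. The hostname catalog, log line format and user-agent heuristic are assumptions.

```python
import re

# Assumed catalog: host suffix -> (provider, vector). Illustrative only; maintain
# it from provider documentation rather than from this list.
AI_HOSTS = {
    "api.openai.com": ("OpenAI", "api_integration"),
    "chatgpt.com": ("OpenAI", "consumer_browser"),
    "api.anthropic.com": ("Anthropic", "api_integration"),
    "claude.ai": ("Anthropic", "consumer_browser"),
    "api.cohere.com": ("Cohere", "api_integration"),
    "gemini.google.com": ("Google", "consumer_browser"),
}
BROWSER_UA = re.compile(r"Mozilla/|Chrome/|Safari/|Firefox/")
# Constructed proxy line format: <ts> <src_ip> <host> <method> <path> "<user-agent>"
LINE = re.compile(r'(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"')

def lookup(host):
    """Match a host or any parent domain; this alone works on DNS-only data."""
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        hit = AI_HOSTS.get(".".join(parts[i:]))
        if hit:
            return hit
    return None

def classify(line):
    """Return a finding dict for an AI-related proxy line, else None."""
    m = LINE.match(line)
    hit = lookup(m.group(3)) if m else None
    if not hit:
        return None
    ts, src, host, method, path, ua = m.groups()
    provider, vector = hit
    # An API host reached by a browser is web-app traffic; an API host reached by
    # a scripted client (requests, node, curl...) is the vector 5 signature.
    if vector == "api_integration" and BROWSER_UA.search(ua):
        vector = "consumer_browser"
    return {"ts": ts, "src": src, "host": host, "provider": provider,
            "vector": vector, "client": ua}

SAMPLE = [  # constructed log lines, not real traffic
    '2026-05-20T09:01:00Z 10.0.4.12 api.openai.com POST /v1/chat/completions "python-requests/2.32"',
    '2026-05-20T09:02:00Z 10.0.4.77 chatgpt.com GET /c/abc "Mozilla/5.0 Chrome/124"',
    '2026-05-20T09:03:00Z 10.0.4.12 api.anthropic.com POST /v1/messages "node"',
    '2026-05-20T09:04:00Z 10.0.4.90 example.com GET / "Mozilla/5.0"',
]
```

Grouping findings by source address then separates a single host calling two providers from a script (a likely integration worth inventorying) from scattered browser sessions.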

Coverage Is a Map, Not a Checklist

Running all three methods gives you significantly better coverage than any one alone — but it’s important to be honest about what the combined approach doesn’t find. Mobile device usage, contractor device usage, and BYOD activity represent genuine gaps that technical controls only partially close. Organizational approaches — clear sanctioning pathways, communication that makes employees want to work within the governance program rather than around it — are the complement that addresses what detection methods can’t reach.

The goal isn’t a perfect inventory on day one. The goal is a complete enough picture to prioritize risk intelligently and start closing the gap between what’s running and what’s visible.

Want to see how Airia maps shadow AI across all seven entry vectors from a single platform? Book a Demo and we’ll show you what’s running across your environment.