Tactical Guide

How to Discover Shadow AI

Practical methods to inventory unauthorized AI usage across your healthcare organization

The Discovery Challenge

Shadow AI is designed to be invisible. These are web-based SaaS tools accessed through personal accounts, personal credit cards, and consumer-grade services.

Traditional IT discovery methods (network monitoring, procurement records, endpoint management) won't catch them. You need a different approach.

5 Discovery Methods

Combine multiple approaches to get a complete picture of shadow AI usage

Anonymous Staff Surveys

Difficulty: Easy | Time: 1-2 weeks

Send organization-wide surveys asking staff to self-report AI tool usage in a non-punitive, anonymous way

How to do it:

  • Frame it as "helping us enable AI safely", not "catching violations"
  • Ask: What AI tools do you use? How often? For what tasks?
  • Promise no individual consequences — focus on organizational learning
  • Offer a small incentive (gift card raffle) for completion

Effectiveness: 70-80% of usage discovered
Pros: Fast, cheap, builds trust
Cons: Self-reported data may be incomplete

Department Interviews

Difficulty: Medium | Time: 2-4 weeks

Conduct structured interviews with department leaders and frontline staff across clinical, administrative, and revenue cycle teams

How to do it:

  • Interview 2-3 people from each major department
  • Ask about productivity pain points and workarounds
  • Listen for AI tool mentions (ChatGPT, Claude, Grammarly, transcription services)
  • Document workflows where AI could be or is being used

Effectiveness: 60-70% of usage discovered
Pros: Deep qualitative insights, relationship building
Cons: Time-intensive, requires a skilled interviewer

Network Traffic Analysis

Difficulty: Hard | Time: 1 week

Analyze DNS logs and firewall traffic to identify connections to known AI service domains

How to do it:

  • Pull 30 days of DNS logs from your firewall/proxy
  • Search for domains: openai.com, anthropic.com, claude.ai, gemini.google.com, etc.
  • Look for unusual traffic spikes to AI service providers
  • Correlate by department, time of day, user segments

Effectiveness: 40-50% of usage discovered
Pros: Objective data, hard evidence
Cons: Misses personal devices, VPNs, encrypted traffic
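The DNS-log step above, worked through as an added example (not code from the original guide): it flags queries to a list of AI service domains, matching on a dot boundary so that look-alike names are not counted, and aggregates hits by department, provider, hour of day and distinct client. The domain list, the subnet-to-department map and the sample log are all assumed or constructed; the CSV layout (timestamp,client_ip,qname) is a stand-in for whatever your firewall or proxy exports.

```python
import csv
import io
from collections import Counter, defaultdict

# Domains to flag (assumed starting list; extend it for your environment).
# A query matches if it is the domain itself or any subdomain of it.
AI_DOMAINS = {"openai.com": "OpenAI", "chatgpt.com": "OpenAI",
              "anthropic.com": "Anthropic", "claude.ai": "Anthropic",
              "gemini.google.com": "Google Gemini"}

# Hypothetical client-subnet to department map; source it from your IPAM or DHCP data.
SUBNET_DEPARTMENTS = {"10.10.1.": "Clinical Documentation", "10.10.2.": "Revenue Cycle"}

def match_ai_domain(qname):
    """Return the provider label if qname is a flagged domain or a subdomain of one."""
    name = qname.rstrip(".").lower()  # tolerate the trailing dot some resolvers log
    for domain, provider in AI_DOMAINS.items():
        if name == domain or name.endswith("." + domain):  # dot boundary: no 'notopenai.com' hits
            return provider
    return None

def department_for(client_ip):
    for prefix, dept in SUBNET_DEPARTMENTS.items():
        if client_ip.startswith(prefix):
            return dept
    return "Unmapped"

def summarize_dns_log(log_text):
    """Parse CSV rows 'timestamp,client_ip,qname' (ISO 8601 timestamps) and aggregate
    flagged queries by (department, provider), by hour of day, and by distinct client."""
    queries, hours, clients = Counter(), Counter(), defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        provider = match_ai_domain(row["qname"])
        if provider is None:
            continue
        key = (department_for(row["client_ip"]), provider)
        queries[key] += 1
        hours[int(row["timestamp"][11:13])] += 1  # hour field of the ISO timestamp
        clients[key].add(row["client_ip"])
    return {"queries": dict(queries), "hours": dict(hours),
            "distinct_clients": {k: len(v) for k, v in clients.items()}}

# Constructed sample log, not real traffic.
SAMPLE_LOG = """timestamp,client_ip,qname
2024-03-04T09:15:02,10.10.1.23,chat.openai.com
2024-03-04T09:16:40,10.10.1.23,api.openai.com.
2024-03-04T10:02:11,10.10.2.7,claude.ai
2024-03-04T10:05:55,10.10.2.9,www.notopenai.com
2024-03-04T14:30:00,10.10.1.40,gemini.google.com
"""
```

The distinct-client count feeds the "Number of Users" column of the inventory; clients using DNS-over-HTTPS or a personal hotspot never appear in these logs, which is the gap the Cons line refers to.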

Browser Extension Audit

Difficulty: Medium | Time: 1 week

If you use endpoint management, audit installed browser extensions for AI writing assistants and productivity tools

How to do it:

  • Export a list of all Chrome/Edge extensions from endpoint management
  • Flag AI-related extensions: Grammarly, Jasper, Copy.ai, Notion AI, etc.
  • Check for ChatGPT desktop apps, Claude desktop apps
  • Document which departments have highest adoption

Effectiveness: 30-40% of usage discovered
Pros: Specific tool identification
Cons: Only catches managed devices, misses web-only usage

Credit Card & Expense Review

Difficulty: Easy | Time: 1 week

Review corporate credit card statements and expense reports for AI tool subscriptions

How to do it:

  • Pull 6 months of expense data
  • Search for merchant names: OpenAI, Anthropic, Jasper, Copy.ai, etc.
  • Look for recurring monthly charges ($20-50 range)
  • Note: Most shadow AI is on personal cards, so this catches <10%

Effectiveness: 10-20% of usage discovered
Pros: Easy to run, identifies paid subscriptions
Cons: Misses the majority of personal-account usage

What to Document

Create a shadow AI inventory with these key data points:

  1. AI Tool Name: ChatGPT, Claude, Gemini, Grammarly — track this for each discovered AI tool to build a complete shadow AI inventory.
  2. Department/Team: Clinical Documentation, Revenue Cycle, Admin — identify which teams are using which tools.
  3. Number of Users: Estimated count or percentage of staff using each tool in each department.
  4. Use Case: Summarizing notes, drafting appeals, patient education — document how each tool is being used.
  5. Data Shared: Patient names, diagnosis codes, treatment details — what information is being entered into AI tools.
  6. PHI Exposure Level: High, Medium, or Low — assess the sensitivity of data being shared with each tool.
  7. Account Type: Personal account, free tier, or paid subscription — determines data retention and privacy policies.
  8. Frequency of Use: Daily, weekly, or occasional — helps prioritize governance efforts by usage volume.

What Happens After Discovery?

Discovery is just the first step. Here is what to do with what you learned.

Step 1

Prioritize Risk

Focus governance efforts where they matter most

  • Rank discovered tools by PHI exposure level, number of users, and business criticality.
  • Focus governance efforts on the highest-risk areas first.

Step 2

Communicate Findings

Make shadow AI visible to leadership

  • Present the shadow AI inventory to leadership with risk assessment, compliance gaps, and recommended actions.
  • Make the invisible visible.

Step 3

Build Governance Plan

Create a roadmap for safe AI enablement

Use discovery insights to create a roadmap: establish policies, deploy PHI protection, provide approved alternatives, and enable teams safely.

Need Help Discovering Shadow AI?

Our Shadow AI Risk Check includes a complete discovery process with expert facilitation and a detailed inventory report.