
Shadow AI Exposure Check

A short screening tool for unmanaged AI tool usage across the enterprise. It shows whether procurement records, policy, visibility, and ownership are strong enough to keep hidden AI use from turning into a governance problem.

3-4 minutes · 9 scored questions · No login
  • Checks inventory quality, unmanaged public-tool access, acceptable-use coverage, confidential-data exposure, usage visibility, ownership, and incident history.
  • Escalates exposure when structural blind spots exist even if the numeric score looks moderate.
  • Stops before any inventory workbook, policy draft, or remediation tracker so it complements the paid AI Controls Toolkit instead of replacing it.

Result panel: final score (out of 108), critical triggers (override conditions hit), exposure status, operational classification.

Top 5 likely blind spots

The tool surfaces the highest-value gaps first so the next step is obvious.

Escalation warnings

    Shadow AI becomes expensive when nobody can see it.

    AI Controls Toolkit (ACT) Tier 1 gives you the cross-framework inventory, gap analysis, and risk register foundation this quick screen does not create. AI Controls Toolkit (ACT) Tier 2 adds the full acceptable use policy and implementation documents once the governance baseline is in place.

    PDF generation runs locally in your browser. Your answers are not sent to Move78 to create the report.

    What a high score normally means

    A high score does not mean the organization is "bad at AI." It usually means AI adoption is moving faster than governance. Public tools are already in use, procurement records do not reflect reality, policy coverage is weak, and nobody can say with confidence what data has already passed through unmanaged systems.

    Where the exposure usually comes from

    Shadow AI usually starts with convenience, not malice. Teams paste drafts, meeting notes, code, contracts, or customer data into public tools because the approved workflow is slower or unclear. Once that behavior spreads, inventories, policies, and procurement records become partially fictional.

    Frequently asked questions

    What does this tool assess?

    It screens how exposed your organization is to unsanctioned or weakly governed AI usage. The focus is operational visibility: inventory accuracy, approval workflow, SSO controls, policy coverage, data-handling restrictions, third-party onboarding discipline, and incident reporting readiness.

    Does a lower score mean there is no real problem?

    No. A lower score means the most obvious governance gaps are less severe. It does not prove your inventory is complete or that staff behavior matches policy. Shadow AI risk is often underreported until procurement, security, or compliance reviews catch it late.

    Why does inventory accuracy matter so much?

    Because most governance reporting collapses if the underlying AI inventory is incomplete. If teams are using unsanctioned chatbots, copilots, agents, or browser extensions, your risk register, vendor list, and approval records are already partially fictional.

    Why is incident history treated as a major signal?

    Because past AI misuse, data leakage, or policy bypass usually indicates a structural control weakness rather than a one-off mistake. If incidents happened before and the operating model did not change, the exposure is still there.

    Does this tool store anything I enter?

    No. The scoring runs in the browser only. Answers are not transmitted, synchronized, or stored by Move78. Once the page is refreshed or the browser closes, the run is gone.

    Use this workbook after the Shadow AI check

    If the assessment shows unmanaged use, the next useful artifact is not another policy paragraph. Start with a discovery workbook that helps teams find tools, owners, data exposure, and remediation priorities.

    Source and review note: This page was last reviewed on 6 May 2026 against the current Move78 public site baseline and relevant official or authoritative sources where laws, standards, frameworks, cybersecurity controls, product scope, pricing, support policy, or implementation guidance are discussed. It provides operational implementation guidance and product information only; it is not legal advice, tax advice, audit assurance, certification assurance, conformity-assessment advice, buyer-approval assurance, or security assurance. Validate legal, regulatory, contractual, tax, audit, and security decisions with qualified professionals.