
Shadow MCP Exposure Check

Find out in under 4 minutes whether unapproved MCP servers are already operating inside your enterprise perimeter.

3-4 minutes · 12 scored questions · No login

This is a governance visibility screen for unmanaged, local, containerized, or otherwise unapproved MCP deployments. It is not a network scanner, gateway, or telemetry product.

  • Screens discovery coverage, registry discipline, local or containerized MCP spread, auth quality, reachable systems, logging, credential handling, disable readiness, and approval workflow maturity.
  • Separates controlled MCP footprint from material shadow exposure before hidden deployments turn into a larger governance or incident problem.
  • Routes to AI Controls Starter when the immediate need is visibility, inventory, and gap analysis, and escalates to AI Controls Professional when formal governance, evidence, and response controls are missing.
[Image: Shadow MCP visibility across allowlists, local or containerized deployments, auth control, logging, and disable readiness.]

This screen classifies shadow MCP exposure quickly. It does not scan your network, enumerate servers, or export an inventory.

Assessment

Use this to classify whether MCP usage is tightly controlled, drifting into shadow deployment, materially exposed, or already in an uncontrolled state.


What this result should change

This section classifies shadow MCP exposure quickly, surfaces the most significant gaps, and recommends an appropriate implementation path.

What this tool classifies as shadow MCP

Shadow MCP means unmanaged, local, containerized, unapproved, or weakly governed MCP usage that sits outside a defendable registry, ownership model, logging baseline, or disable path.

What a green result does not mean

A green result does not prove shadow usage is impossible. It means the current footprint appears more governable than the other states and still needs discipline to stay that way.

Why the routing to AI Controls Professional changes by severity

Green and amber results usually need baseline visibility, inventory, and gap analysis first, which sit in AI Controls Starter. Severe red states need formal governance, evidence, and response controls, which sit in AI Controls Professional.

Where to go next

When the assessment reveals structural visibility gaps, control drift, or containment weakness, AI Controls Professional provides the full implementation evidence pack.

This page is informational only. It does not provide legal advice, compliance certification, or an audit conclusion.

Frequently asked questions

What does this tool classify as shadow MCP?

It classifies unmanaged, local, containerized, unapproved, or weakly governed MCP usage that sits outside a defendable enterprise registry, ownership model, logging baseline, or disable path.

Does a green result mean shadow usage is impossible?

No. It means the current MCP footprint appears more governable than the other states. Drift can still emerge if visibility, registry discipline, or approval controls weaken.

Why are local and containerized deployments weighted so heavily?

Because they can spread faster than central governance, especially when teams run MCP locally, in containers, or through personal setups that bypass registry and ownership controls.

Why is this tool routed to AI Controls Starter for some results and AI Controls Professional for others?

Earlier-maturity results usually need baseline visibility, inventory, and gap analysis first, which sit in AI Controls Starter. Severe red states need formal governance, evidence, and response controls, which sit in AI Controls Professional.

Does this tool store anything I enter?

No. The assessment runs entirely in the browser. Answers are not stored, synced, or submitted to a server.

Source and review note: This page was last reviewed on 6 May 2026 against the current Move78 public site baseline and relevant official or authoritative sources where laws, standards, frameworks, cybersecurity controls, product scope, pricing, support policy, or implementation guidance are discussed. It provides operational implementation guidance and product information only; it is not legal advice, tax advice, audit assurance, certification assurance, conformity-assessment advice, buyer-approval assurance, or security assurance. Validate legal, regulatory, contractual, tax, audit, and security decisions with qualified professionals.