Detect, document, and govern every AI tool your team is using — before the regulator asks.
The EU AI Act attaches documentation, human-oversight, transparency and logging obligations to the AI systems your organisation deploys, and you cannot meet those obligations for systems you do not know exist. Shadow AI, tools adopted by employees without IT approval, is the #1 compliance blind spot. We find it, catalogue it, and give you an audit-ready report.
Scans your network proxy logs, managed-browser telemetry, API gateway logs and SaaS admin consoles to identify every AI tool in use, including personal accounts used for work.
Builds a complete register of every AI system: model family, data flows, risk tier (prohibited, high-risk, limited-risk or minimal-risk), deployer vs. provider role, and documentation status.
Each AI system mapped against EU AI Act obligations (Articles 9 to 15 for high-risk systems): risk management, data governance, technical documentation, human oversight, accuracy, transparency, and logging requirements.
Generates a board-ready compliance report with: AI inventory table, risk classification matrix, compliance gaps, vendor contract recommendations, and remediation priorities.
Shadow AI evolves fast. New tools appear weekly. We re-scan every quarter and update your register automatically, so you stay compliant as your tooling changes.
For each shadow AI tool found, we provide a playbook: approve & formalise, replace with an approved equivalent, or block & remove. SLA-tracked to closure.
From sign-up to audit-ready report in under two weeks.
We deploy a non-invasive scanner across your SaaS admin logs, browser telemetry, API usage, and procurement records. No agent install required.
Every AI system found is classified by EU AI Act risk tier (high-risk use cases are listed in Annex III), data sensitivity, and compliance documentation gap. High-risk systems are flagged immediately.
You receive a full compliance report, AI register, and remediation roadmap. Quarterly re-scans keep your inventory current as new shadow tools emerge.
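As an added illustration of the discovery step (this is example code, not the vendor's scanner): a small Python script that reads newline-delimited JSON records of the kind a proxy or API gateway emits, matches destination hosts against a catalogue of AI service domains, and builds a register of who used which tool and how much data went out. The catalogue of hostnames, the approved list (assumed to come from procurement records) and the sample log lines are all constructed for this example.

```python
"""Shadow AI discovery over proxy / API-gateway logs.

Illustrative example: not the vendor's scanner. The AI_SERVICES catalogue,
the APPROVED set and SAMPLE_LOG are constructed for this demonstration.
"""
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Illustrative catalogue of AI service hostnames -> (vendor, category).
# Assumption: a real scanner keeps a much longer, continuously updated list.
AI_SERVICES = {
    "api.openai.com": ("OpenAI", "developer API"),
    "chatgpt.com": ("OpenAI", "consumer chat UI"),
    "api.anthropic.com": ("Anthropic", "developer API"),
    "claude.ai": ("Anthropic", "consumer chat UI"),
    "generativelanguage.googleapis.com": ("Google", "developer API"),
    "gemini.google.com": ("Google", "consumer chat UI"),
    "copilot.microsoft.com": ("Microsoft", "consumer chat UI"),
}

# Hosts covered by an approved contract. Assumption: sourced from procurement.
APPROVED = {"api.openai.com"}

# Constructed sample records (one JSON object per line). Paths are made up.
SAMPLE_LOG = """\
{"ts":"2025-11-03T09:12:44Z","user":"alice@example.com","method":"POST","url":"https://api.openai.com/v1/chat/completions","bytes_out":18342}
{"ts":"2025-11-03T09:15:02Z","user":"bob@example.com","method":"POST","url":"https://chatgpt.com/backend-api/conversation","bytes_out":4096}
{"ts":"2025-11-03T09:15:40Z","user":"bob@example.com","method":"POST","url":"https://chatgpt.com/backend-api/conversation","bytes_out":5120}
{"ts":"2025-11-03T10:01:13Z","user":"carol@example.com","method":"POST","url":"https://api.anthropic.com/v1/messages","bytes_out":9901}
{"ts":"2025-11-03T10:22:50Z","user":"dave@example.com","method":"GET","url":"https://www.example.com/about","bytes_out":512}
{"ts":"2025-11-03T11:05:09Z","user":"alice@example.com","method":"POST","url":"https://gemini.google.com/app","bytes_out":2048}
"""


def match_service(host):
    """Return (catalogue_key, vendor, category) for a catalogued AI host, else None.

    Suffix match, so www.chatgpt.com is attributed to chatgpt.com.
    """
    host = (host or "").lower().rstrip(".")
    for key, (vendor, category) in AI_SERVICES.items():
        if host == key or host.endswith("." + key):
            return key, vendor, category
    return None


def scan(log_text, approved=APPROVED):
    """Build a register of AI services seen in the log, one row per service.

    Consumer chat UI traffic on a corporate identity is the usual signature of
    a personal account used for work; confirm it in the vendor's admin console.
    """
    findings = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        hit = match_service(urlsplit(rec["url"]).hostname)
        if hit is None:
            continue
        key, vendor, category = hit
        f = findings[key]
        f["vendor"], f["category"] = vendor, category
        f["users"].add(rec["user"])
        f["requests"] += 1
        f["bytes_out"] += int(rec.get("bytes_out", 0))

    register = []
    for key in sorted(findings):
        f = findings[key]
        register.append({
            "host": key,
            "vendor": f["vendor"],
            "category": f["category"],
            "users": sorted(f["users"]),
            "requests": f["requests"],
            "bytes_out": f["bytes_out"],
            "status": "approved" if key in approved else "shadow",
        })
    return register


def shadow_only(register):
    """Rows that are in use but not covered by an approved contract."""
    return [row for row in register if row["status"] == "shadow"]


if __name__ == "__main__":
    for row in shadow_only(scan(SAMPLE_LOG)):
        print(json.dumps(row))
```

The point of the suffix match and the per-service aggregation is that a single user hitting a consumer endpoint twice becomes one register row with a user list and a byte count, which is the unit an auditor asks about. Feeding the same script SaaS admin-console exports or CASB logs only requires mapping their fields onto `user` and `url`.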
Real risks your organisation faces right now.
Attackers used Claude Code and GPT-4.1 to exfiltrate 195M taxpayer records from Mexican agencies. AI agents amplified the speed 10× — exploiting permissions, not creating vulnerabilities.
EchoLeak (CVE-2025-32711), CVSS 9.3, critical. A single crafted email caused Microsoft 365 Copilot to pull OneDrive, SharePoint and Teams data out through a trusted Microsoft domain, with no user interaction required.
Anthropic documented Chinese state-sponsored actors running AI agents that autonomously handled 80-90% of cyber espionage operations against 30+ targets.
Italy's Law 132/2025 imposes fines up to €774,685 per violation. Without a documented AI inventory, you cannot demonstrate compliance — and the burden of proof is on you.
Any AI tool used by employees without IT or compliance approval. ChatGPT personal accounts used for work data, Claude Code installed on dev laptops, Copilot in unsanctioned repos, AI writing tools processing customer info — all of it.
Yes. A policy without detection is a wish. An auditor or regulator will ask for evidence of which AI systems you actually deploy and how each one is governed, not just a signed document. Our scanner finds what your policy doesn't cover.
No. It uses existing logs (SaaS admin consoles, API gateway logs, managed-browser telemetry where you have it, procurement records). No endpoint agents, and no monitoring of employees' personal devices.
Potentially yes. The EU AI Act applies to providers and deployers outside the EU when the output of their AI system is used in the EU (Article 2). Similar laws are emerging elsewhere too: the Colorado AI Act, California A.B. 331, New York; shadow AI is a global compliance risk.
We re-scan quarterly and update your AI register automatically. If a major new AI tool enters your ecosystem between scans (e.g., a team adopts Cursor or Claude Code), we flag it within the quarter and provide a remediation playbook.
The EU AI Act service handles the full compliance programme (risk management, technical documentation, conformity assessment). Shadow AI Risk Assessment focuses specifically on discovery and inventory — the detection layer that most compliance programmes miss.
£2,000/month. Full discovery, AI register, compliance report + quarterly re-scan.