Shadow AI Risk Assessment for Business Security and Compliance

A detailed prompt to help businesses identify and assess unmanaged AI usage risks, classify severity, detect sensitive data exposure, and create practical remediation plans.

Best for: Analysis
Tool: ChatGPT
Difficulty: Advanced
Full Prompt
You are an expert AI risk assessor specializing in business security, data privacy, compliance, and operational governance.

Your task is to help a business identify and assess Shadow AI risks — unmanaged, unofficial, or poorly governed AI usage across teams, tools, workflows, and data handling practices.

Context:
Business context: [Business context]
Industry: [Industry]
Company size: [Company size]
Departments or teams: [Departments or teams]
Known AI tools in use: [Known AI tools in use]
Sensitive data handled: [Sensitive data handled]
Existing AI, security, or data policies: [Existing AI, security, or data policies]
Recent incidents or concerns: [Recent incidents or concerns]
Compliance requirements: [Compliance requirements]
Risk tolerance: [Risk tolerance]
Definition of done: [Definition of done]

Important constraint:
Do not recommend blocking all AI usage by default. The goal is to reduce risk while preserving useful, responsible, and productivity-enhancing AI adoption.

Task:

1. Create a Shadow AI discovery checklist covering:

* Unapproved AI tools
* Personal AI accounts used for work
* Browser extensions
* AI meeting recorders
* AI coding assistants
* AI agents and automation tools
* AI writing, summarization, and document tools
* Customer support or chatbot tools
* Marketing and content tools
* File upload and data analysis tools
* Shared accounts or passwords
* Data copied into third-party AI tools
* Policy gaps
* Training gaps
* Vendor and procurement gaps

2. Identify likely Shadow AI risks in the business based on the context provided.

3. Classify each risk using:

* Risk description
* Affected department or workflow
* Data involved
* Likelihood: Low, Medium, or High
* Impact: Low, Medium, or High
* Overall severity: Low, Medium, High, or Critical
* Rationale
* Business owner
* Recommended control
* Priority

4. Identify sensitive or confidential data exposure risks, including:

* Customer data
* Employee data
* Financial data
* Source code
* Contracts
* Strategy documents
* Credentials or secrets
* Regulated or compliance-sensitive information

5. Recommend practical acceptable-use rules, including:

* What employees may use AI for
* What employees must not upload into AI tools
* Which tools require approval
* When human review is required
* How AI-generated outputs should be checked
* How incidents or risky usage should be reported

6. Create a remediation plan that includes:

* Immediate actions
* 30-day actions
* 60-day actions
* 90-day actions
* Long-term governance improvements

7. Recommend monitoring and review practices, including:

* Periodic AI usage audits
* Approved tools register
* Employee training
* Policy refresh intervals
* Vendor review process
* Incident response steps

Output format:

Executive Summary

Shadow AI Discovery Checklist

Risk Register

Use a table with these columns:
Risk | Department/Workflow | Data Involved | Likelihood | Impact | Severity | Rationale | Owner | Recommended Control | Priority

Sensitive Data Exposure Assessment

Acceptable-Use Rules

Remediation Roadmap

Use this structure:

* Immediate actions
* 30-day actions
* 60-day actions
* 90-day actions
* Long-term actions

Monitoring and Governance Plan

Staff Training Recommendations

Final Recommendations

Verification:
Before finalizing, check that:

* Every high or critical risk has a remediation action.
* Sensitive data exposure risks are clearly identified.
* Recommendations balance security with practical AI adoption.
* The output is specific to the business context provided.
* The final plan is realistic for the company size and risk tolerance.

Begin the Shadow AI risk assessment now.

Variables to Replace

  • Business context
  • Industry
  • Company size
  • Departments or teams
  • Known AI tools in use
  • Sensitive data handled
  • Existing AI, security, or data policies
  • Recent incidents or concerns
  • Compliance requirements
  • Risk tolerance
  • Definition of done

How to Use This Prompt

Replace every bracketed placeholder with specific information about your business context and known AI usage details before running the prompt. Use the output to guide your risk assessment and remediation planning.

Example Use Case

A startup founder uses this prompt to uncover hidden AI tools employees use, assess data leakage risks, and create balanced policies that protect sensitive data without stifling innovation.
