Executive Summary
- 78% of employees use AI tools their employer does not know about (WalkMe, n=1,000, July 2025). At a 300-person company, that is roughly 234 people sharing company data with tools the organization does not govern. This worksheet surfaces them in two hours, not two months.
- The shadow AI problem is actually two problems. The first is unauthorized tools — personal ChatGPT accounts, browser extensions, free-tier AI apps. The second is authorized-but-invisible AI spend — Gemini features baked into Google Workspace, Copilot capabilities embedded in Microsoft 365, Einstein added to Salesforce contracts. Most organizations audit for the first and miss the second entirely.
- This worksheet is designed for the CIO, CISO, or CFO who attended the briefing and needs to scope the shadow AI audit before commissioning the full 30-day discovery. Eight yes/no questions surface unauthorized tools. Two questions surface authorized-but-invisible AI spend. A cost estimator and decision tree translate findings into a prioritized action plan.
- The discovery worksheet is the prerequisite for every downstream tool: the acceptable use policy, the vendor consolidation decision, the pilot budget, and the board risk briefing. None of those deliverables are credible without knowing what already exists.
Part 1: The Eight Discovery Questions — Unauthorized AI
Answer each question honestly. “Yes” does not mean something is wrong — it means something needs governing. The goal is visibility, not punishment.
Question 1: Are employees expensing AI subscriptions?
Check: Pull the last two quarters of expense reports and corporate card statements. Search for: OpenAI, ChatGPT, Claude, Anthropic, Midjourney, Perplexity, Cursor, Jasper, Runway, Copy.ai, Notion AI, Grammarly Premium.
| Finding | Your Answer |
|---|---|
| Number of AI-related expense items found | _______ |
| Total monthly spend identified | $_______ /month |
| Departments with the most expense items | _______ |
What “yes” means: These employees found enough value to pay personally. That is a signal, not a violation. The question is whether the data flowing through those tools is governed.
Benchmark: AI-native app spending through expense reports grew 267% year-over-year (Zylo, 40M+ licenses analyzed, 2026). ChatGPT is now the single most-expensed application across enterprises.
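The check for Question 1 is a keyword scan over an expense export. The script below is an added example, not part of the worksheet: it takes a card-statement CSV, matches merchant strings against the worksheet's vendor list, and fills in the three table cells (item count, monthly spend, busiest departments). The CSV column layout, the merchant-string regexes and the sample rows are all constructed assumptions about how a finance system exports expenses.

```python
"""Scan expense-report rows for AI vendor charges.

Added example for Question 1; it is not part of the worksheet. The CSV layout
(date, employee, department, merchant, amount) and the merchant-string regexes
are assumptions about how card statements are exported.
"""
import csv
import io
import re
from collections import Counter, defaultdict

# Vendors from the worksheet's search list, keyed by a regex that matches the
# way the merchant typically appears on a statement (assumed spellings).
AI_VENDOR_PATTERNS = {
    "OpenAI / ChatGPT": r"openai|chatgpt",
    "Anthropic / Claude": r"anthropic|claude",
    "Midjourney": r"midjourney",
    "Perplexity": r"perplexity",
    "Cursor": r"\bcursor\b",
    "Jasper": r"\bjasper\b",
    "Runway": r"\brunway\b",
    "Copy.ai": r"copy\.?ai",
    "Notion AI": r"notion\s*ai",
    "Grammarly": r"grammarly",
}

# Constructed sample export: two AI subscribers, one image tool, two unrelated charges.
SAMPLE_EXPENSES = """\
date,employee,department,merchant,amount
2025-05-03,a.chen,Marketing,OPENAI *CHATGPT SUBSCR,20.00
2025-05-04,b.ortiz,Engineering,CURSOR AI PRO,20.00
2025-05-12,c.patel,Sales,STARBUCKS #4412,6.45
2025-06-03,a.chen,Marketing,OPENAI *CHATGPT SUBSCR,20.00
2025-06-05,d.kim,Marketing,MIDJOURNEY INC,30.00
2025-06-09,b.ortiz,Engineering,ANTHROPIC PBC CLAUDE,20.00
2025-06-15,e.ross,Finance,DELTA AIR LINES,412.30
"""


def classify_merchant(merchant: str):
    """Return the AI vendor a merchant string refers to, or None if it is not on the list."""
    text = merchant.lower()
    for vendor, pattern in AI_VENDOR_PATTERNS.items():
        if re.search(pattern, text):
            return vendor
    return None


def scan_expenses(csv_text: str) -> dict:
    """Fill in the Question 1 table: item count, monthly spend, and the busiest departments."""
    items = []
    spend_by_month = defaultdict(float)
    items_by_dept = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        vendor = classify_merchant(row["merchant"])
        if vendor is None:
            continue
        amount = float(row["amount"])
        items.append({"employee": row["employee"], "department": row["department"],
                      "vendor": vendor, "amount": amount, "date": row["date"]})
        spend_by_month[row["date"][:7]] += amount      # bucket by YYYY-MM
        items_by_dept[row["department"]] += 1
    months = len(spend_by_month)
    return {
        "items_found": len(items),
        "vendors": sorted({i["vendor"] for i in items}),
        "spend_by_month": dict(spend_by_month),
        "avg_monthly_spend": round(sum(spend_by_month.values()) / months, 2) if months else 0.0,
        "top_departments": items_by_dept.most_common(3),
        "items": items,
    }


if __name__ == "__main__":
    result = scan_expenses(SAMPLE_EXPENSES)
    for key in ("items_found", "vendors", "spend_by_month", "avg_monthly_spend", "top_departments"):
        print(f"{key}: {result[key]}")
```

Merchant descriptors on real statements are truncated and inconsistently cased, so the patterns are deliberately loose; review the matched items by hand before quoting the totals, since a loose pattern can also catch an unrelated merchant.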
Question 2: Have employees granted AI tools access to corporate systems?
Check: Export OAuth consent logs from the identity provider (Okta, Azure AD, Google Workspace admin). Filter for AI-related application names and publishers.
| Finding | Your Answer |
|---|---|
| Number of AI-related OAuth tokens found | _______ |
| Tokens with broad permissions (Mail.ReadWrite, Files.ReadWrite.All) | _______ |
| Tokens older than 90 days still showing activity | _______ |
| Applications authorized by 5+ employees (viral adoption) | _______ |
What “yes” means: AI tools with OAuth access to corporate email, file storage, or calendars can read and process everything the employee can access. A writing assistant with Files.ReadWrite.All permissions has the same data access as the employee who authorized it.
Red flag: Multiple employees authorizing the same application within a 48-hour window indicates viral adoption — word spread through the team before IT was aware.
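The four table cells and the 48-hour red flag for Question 2 can all be derived from one consent export. The script below is an added example, not the worksheet's own tooling: it flags AI-named apps, broad scopes, tokens older than 90 days that still show activity, apps authorized by five or more people, and any app where several consents land inside a 48-hour window. The record layout and sample rows are constructed; the 30-day "still active" window and the 3-user burst threshold are assumptions, while the 90-day age, the 5-user viral count and the 48-hour window are the worksheet's own numbers.

```python
"""Triage identity-provider OAuth consent records for shadow-AI signals.

Added example for Question 2; not part of the worksheet. The record layout, the
30-day "recent activity" window and the 3-user burst threshold are assumptions;
the 90-day age, 5-user viral count and 48-hour window come from the worksheet.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

AI_NAME = re.compile(r"\bai\b|gpt|copilot|assistant|summar", re.IGNORECASE)
BROAD_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All"}   # the two scopes named in the worksheet
STALE_AGE = timedelta(days=90)
RECENT_ACTIVITY = timedelta(days=30)
VIRAL_MIN_USERS = 5
BURST_MIN_USERS = 3
BURST_WINDOW = timedelta(hours=48)

# Constructed consent export: (app, publisher, user, scopes, consented_at, last_activity_at)
SAMPLE_CONSENTS = [
    ("WriteWise AI", "writewise-apps.example", "a.chen", "Files.ReadWrite.All offline_access", "2025-03-02T09:10", "2025-08-30T14:00"),
    ("WriteWise AI", "writewise-apps.example", "b.ortiz", "Files.ReadWrite.All offline_access", "2025-03-02T15:40", "2025-08-29T09:00"),
    ("WriteWise AI", "writewise-apps.example", "c.patel", "Files.ReadWrite.All offline_access", "2025-03-03T11:05", "2025-05-01T09:00"),
    ("WriteWise AI", "writewise-apps.example", "d.kim", "Files.ReadWrite.All offline_access", "2025-03-20T08:00", "2025-08-31T10:00"),
    ("WriteWise AI", "writewise-apps.example", "e.ross", "Files.ReadWrite.All offline_access", "2025-04-01T08:00", "2025-08-28T10:00"),
    ("MeetingGPT Notes", "meetinggpt.example", "f.liu", "Calendars.Read Mail.ReadWrite", "2025-08-20T10:00", "2025-08-31T08:00"),
    ("Expense Tracker", "fin-tools.example", "g.ng", "User.Read", "2025-01-15T10:00", "2025-08-31T08:00"),
]
NOW = datetime(2025, 9, 1)   # fixed reference time so the sample is reproducible


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M")


def is_broad(scopes: str) -> bool:
    """Treat the worksheet's two scopes, and any tenant-wide '.All' scope, as broad (assumption)."""
    return any(s in BROAD_SCOPES or s.endswith(".All") for s in scopes.split())


def analyse_consents(records, now=NOW) -> dict:
    """Fill in the Question 2 table and the 48-hour viral-adoption red flag."""
    ai = [r for r in records if AI_NAME.search(r[0]) or AI_NAME.search(r[1])]
    broad = [r for r in ai if is_broad(r[3])]
    # Consent granted more than 90 days ago, yet the token was used within the last 30 days.
    stale_active = [r for r in ai
                    if now - _ts(r[4]) > STALE_AGE and now - _ts(r[5]) <= RECENT_ACTIVITY]
    consents_by_app = defaultdict(list)
    for app, _publisher, user, _scopes, consented, _last in ai:
        consents_by_app[app].append((_ts(consented), user))
    viral, burst = [], []
    for app, events in consents_by_app.items():
        if len({user for _, user in events}) >= VIRAL_MIN_USERS:
            viral.append(app)
        events.sort()
        # Slide a 48-hour window over the consent timestamps; count distinct users inside it.
        for i, (start, _) in enumerate(events):
            window_users = {user for t, user in events[i:] if t - start <= BURST_WINDOW}
            if len(window_users) >= BURST_MIN_USERS:
                burst.append(app)
                break
    return {
        "ai_tokens": len(ai),
        "broad_tokens": len(broad),
        "stale_but_active": len(stale_active),
        "viral_apps": sorted(viral),
        "burst_apps": sorted(burst),
    }


if __name__ == "__main__":
    for key, value in analyse_consents(SAMPLE_CONSENTS).items():
        print(f"{key}: {value}")
```

Real exports from Entra ID, Okta or Google Workspace carry these fields under different names (for example, the app display name, the scope string and a last-sign-in timestamp); map them onto the tuple layout above and keep the publisher field, because the name match alone misses apps whose only AI hint is the vendor.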
Question 3: Are AI browser extensions installed on managed devices?
Check: Pull browser extension rosters from endpoint management (Intune, Jamf, Google Chrome Enterprise). Flag extensions with descriptions mentioning AI, GPT, copilot, writing assistant, or summarize.
| Finding | Your Answer |
|---|---|
| Number of AI-related browser extensions found | _______ |
| Extensions requesting wildcard host access or activeTab + broad permissions | _______ |
| Extensions from publishers with domains registered <1 year ago | _______ |
What “yes” means: AI browser extensions bypass network-level controls entirely. In February 2025, a coordinated campaign compromised 40+ popular Chrome extensions affecting 3.7 million users — injecting data-harvesting code into tools employees trusted.
Benchmark: The average company with 1,000 employees has 269 unauthorized AI tools in use (Reco, n=50+ enterprises, 2025). At 300 employees, expect 80-100.
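For Question 3 the extension roster from endpoint management needs three separate checks: AI keywords in the name or description, the permission model, and how new the publisher's domain is. The script below is an added example, not part of the worksheet: it applies those checks to a constructed roster and fills in the three table cells. The "broad permissions" set paired with `activeTab` is an assumption, and the domain registration dates are assumed to come from a WHOIS/RDAP lookup done beforehand.

```python
"""Triage a managed-browser extension roster for AI extensions and risky permissions.

Added example for Question 3; not part of the worksheet. The roster entries are constructed,
the "broad permissions" set paired with activeTab is an assumption, and the publisher domain
registration dates are assumed to come from a WHOIS/RDAP lookup done beforehand.
"""
import re
from datetime import date

# Keywords the worksheet says to flag in names and descriptions.
AI_KEYWORDS = re.compile(r"\bai\b|gpt|copilot|writing assistant|summari[sz]", re.IGNORECASE)
# Host patterns that grant access to every site (Chrome manifest syntax).
WILDCARD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that, combined with activeTab, extend reach well beyond the current page (assumption).
BROAD_PERMISSIONS = {"tabs", "scripting", "webRequest", "cookies", "history", "clipboardRead"}
NEW_DOMAIN_DAYS = 365

TODAY = date(2025, 9, 1)   # fixed reference date so the sample is reproducible

# Constructed roster: three AI extensions with different permission profiles, one unrelated.
SAMPLE_ROSTER = [
    {"name": "SummarizeIt GPT", "description": "AI summaries for any web page",
     "permissions": ["activeTab", "scripting", "storage"], "host_permissions": ["<all_urls>"],
     "publisher_domain": "summarizeit-ext.example", "domain_registered": "2025-01-10"},
    {"name": "Grammar Helper AI", "description": "Writing assistant for email",
     "permissions": ["activeTab"], "host_permissions": [],
     "publisher_domain": "grammarhelper.example", "domain_registered": "2019-05-01"},
    {"name": "Dark Mode Toggle", "description": "Dark theme for every site",
     "permissions": ["storage"], "host_permissions": ["*://*/*"],
     "publisher_domain": "darkmode.example", "domain_registered": "2018-02-14"},
    {"name": "CopilotPDF", "description": "Chat with your PDFs using an AI copilot",
     "permissions": ["tabs", "cookies", "activeTab"], "host_permissions": [],
     "publisher_domain": "copilotpdf.example", "domain_registered": "2025-06-01"},
]


def triage_extension(ext: dict, today: date = TODAY) -> list:
    """Return the list of flags one roster entry raises."""
    flags = []
    if AI_KEYWORDS.search(ext["name"]) or AI_KEYWORDS.search(ext["description"]):
        flags.append("ai_related")
    if any(h in WILDCARD_HOSTS for h in ext["host_permissions"]):
        flags.append("wildcard_host")
    perms = set(ext["permissions"])
    if "activeTab" in perms and perms & BROAD_PERMISSIONS:
        flags.append("activetab_plus_broad")
    if (today - date.fromisoformat(ext["domain_registered"])).days < NEW_DOMAIN_DAYS:
        flags.append("new_publisher_domain")
    return flags


def triage_roster(roster: list, today: date = TODAY) -> dict:
    """Fill in the Question 3 table from a roster export."""
    ai_extensions = []
    for ext in roster:
        flags = triage_extension(ext, today)
        if "ai_related" in flags:
            ai_extensions.append({"name": ext["name"], "flags": flags})
    broad = {"wildcard_host", "activetab_plus_broad"}
    return {
        "ai_extensions": len(ai_extensions),
        "broad_access": sum(1 for e in ai_extensions if broad & set(e["flags"])),
        "new_publishers": sum(1 for e in ai_extensions if "new_publisher_domain" in e["flags"]),
        "details": ai_extensions,
    }


if __name__ == "__main__":
    for key, value in triage_roster(SAMPLE_ROSTER).items():
        print(f"{key}: {value}")
```

The wildcard check and the new-domain check are independent on purpose: the February 2025 campaign the worksheet cites abused extensions that were already trusted and widely installed, so a long-established publisher domain is not by itself a clean bill of health.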
Question 4: Is network traffic flowing to AI service endpoints?
Check: Pull DNS and web proxy logs for the past 90 days. Filter for: api.openai.com, claude.ai, chat.anthropic.com, gemini.google.com, chat.mistral.ai, Hugging Face endpoints, Perplexity, and other AI service domains.
| Finding | Your Answer |
|---|---|
| AI service domains detected in outbound traffic | _______ |
| Departments or teams with the heaviest AI endpoint traffic | _______ |
| Sustained traffic patterns (steady POST requests vs. occasional browsing) | _______ |
What “yes” means: Sustained POST traffic to AI API endpoints indicates production-level usage — employees integrating AI into daily workflows, not casual experimentation. This is the highest-value shadow AI to discover because it reveals where AI is already delivering enough value for employees to build it into their process.
Limitation: This catches usage from the corporate network only. Employees working remotely or using personal devices on home networks are invisible to this method.
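The distinction the worksheet draws for Question 4, steady POST traffic versus occasional browsing, is a per-user, per-day pattern rather than a single count. The script below is an added example, not part of the worksheet: it parses constructed proxy log lines, keeps only requests to the AI hosts the worksheet names, totals them by department, and labels each user "sustained" or "occasional" by how many distinct days carry POSTs. The log line format is constructed, the host list adds `huggingface.co` and `perplexity.ai` as assumed hostnames for the endpoints the worksheet refers to by name, and the three-day "sustained" threshold is an assumption.

```python
"""Find AI endpoint traffic in web-proxy logs and separate sustained API use from browsing.

Added example for Question 4; not part of the worksheet. The log line format is constructed;
the host list extends the worksheet's domains with huggingface.co and perplexity.ai (assumed
hostnames), and the 3-day "sustained" threshold is an assumption.
"""
import re
from collections import Counter, defaultdict

LINE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) dept=(?P<dept>\S+) "
                  r"method=(?P<method>[A-Z]+) host=(?P<host>\S+)")
AI_HOSTS = {"api.openai.com", "claude.ai", "chat.anthropic.com", "gemini.google.com",
            "chat.mistral.ai", "huggingface.co", "perplexity.ai"}
SUSTAINED_MIN_DAYS = 3   # POSTs on this many distinct days count as production-level use

# Constructed proxy log: one engineer posting to an API daily, two occasional users, one unrelated.
SAMPLE_LOG = """\
2025-08-04T09:12:01 user=b.ortiz dept=Engineering method=POST host=api.openai.com bytes=2310
2025-08-04T09:12:09 user=b.ortiz dept=Engineering method=POST host=api.openai.com bytes=1980
2025-08-04T10:30:00 user=a.chen dept=Marketing method=GET host=claude.ai bytes=540
2025-08-04T11:00:00 user=c.patel dept=Sales method=GET host=www.example.com bytes=120
2025-08-05T09:15:22 user=b.ortiz dept=Engineering method=POST host=api.openai.com bytes=2501
2025-08-05T14:02:10 user=f.liu dept=Engineering method=POST host=gemini.google.com bytes=3100
2025-08-06T09:14:45 user=b.ortiz dept=Engineering method=POST host=api.openai.com bytes=2200
2025-08-07T09:13:30 user=b.ortiz dept=Engineering method=POST host=api.openai.com bytes=2450
2025-08-10T16:20:00 user=a.chen dept=Marketing method=GET host=claude.ai bytes=610
"""


def is_ai_host(host: str) -> bool:
    """Exact match or a subdomain of one of the listed AI service domains."""
    host = host.lower()
    return host in AI_HOSTS or any(host.endswith("." + h) for h in AI_HOSTS)


def analyse_proxy_log(text: str) -> dict:
    """Fill in the Question 4 table: domains seen, traffic by department, usage pattern per user."""
    domains, by_dept, requests = set(), Counter(), Counter()
    post_days = defaultdict(set)   # user -> distinct days with POSTs to AI hosts
    dept_of = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or not is_ai_host(m["host"]):
            continue
        domains.add(m["host"].lower())
        by_dept[m["dept"]] += 1
        requests[m["user"]] += 1
        dept_of[m["user"]] = m["dept"]
        if m["method"] == "POST":
            post_days[m["user"]].add(m["day"])
    patterns = {
        user: {"department": dept_of[user], "requests": requests[user],
               "post_days": len(post_days[user]),
               "pattern": "sustained" if len(post_days[user]) >= SUSTAINED_MIN_DAYS else "occasional"}
        for user in requests
    }
    return {
        "domains": sorted(domains),
        "by_department": by_dept.most_common(),
        "users": patterns,
        "sustained_users": sorted(u for u, p in patterns.items() if p["pattern"] == "sustained"),
    }


if __name__ == "__main__":
    result = analyse_proxy_log(SAMPLE_LOG)
    print("domains:", result["domains"])
    print("by department:", result["by_department"])
    for user, info in result["users"].items():
        print(f"{user}: {info}")
```

The worksheet's limitation still applies to this output: it only sees traffic that crossed the corporate proxy, so an empty "sustained" list on a mostly remote workforce is a detection gap, not a clean result. The counts also rely on the proxy logging the HTTP method, which requires TLS inspection for HTTPS; with DNS-only logs you get the domain and department columns but cannot tell POSTs from browsing.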
Question 5: Would employees tell you what they use if you asked — without consequences?
Check: This is not a technical question. It is an organizational one. Has leadership created a safe channel for employees to disclose AI tool usage without fear of reprisal?
| Finding | Your Answer |
|---|---|
| Has the organization announced an “AI discovery window” or amnesty? | Yes / No |
| If yes, what was the voluntary disclosure rate? | _______% |
| If no, is the CEO willing to send the announcement? | Yes / No / Unsure |
What “yes” means: Organizations that run an AI amnesty — framed as “tell us what’s working, not what’s wrong” — achieve 60-70% voluntary disclosure rates. Technical monitoring alone catches tools. Amnesty catches use cases — what employees do with AI, what data they share, and what value they create. The use cases are more important than the tool names.
What “no” means: Without amnesty, expect single-digit voluntary disclosure. The remaining 90%+ of shadow AI stays underground and the audit relies entirely on technical methods, which miss free-tier browser usage, personal device usage, and everything employees do outside the corporate network.
Question 6: Do employees use personal AI accounts to process company data?
Check: This question cannot be answered technically from outside the employee’s personal device. The answer comes from the amnesty survey (Question 5) or from indirect signals: employees referencing AI-generated content in emails, AI-formatted documents appearing in shared drives, or meeting notes that read like AI summaries.
| Finding | Your Answer |
|---|---|
| Estimated percentage of employees using personal AI accounts for work | _______% (industry average: 82% — LayerX, October 2025) |
| Data types likely being shared (client names, financials, code, internal strategy) | _______ |
| Has any client-sensitive data been confirmed in personal AI tool usage? | Yes / No / Unknown |
What “yes” means: Personal AI accounts are the primary data exposure vector. 77% of employees paste company data into AI tools through personal accounts the organization cannot see (LayerX, October 2025). Free-tier AI accounts typically include terms granting the vendor rights to use inputs for model training. Client names, financial data, and legal documents pasted into a free ChatGPT account may be training the next version of the model.
The number that matters: Shadow AI breaches cost $670,000 more per incident than standard breaches — $4.63M versus $3.96M (IBM Cost of a Data Breach, n=604 organizations, 2025).
Question 7: Are developers using AI coding assistants the organization does not manage?
Check: Survey engineering and IT teams directly. Check for GitHub Copilot personal accounts, Cursor, Cody, Continue.dev, Windsurf, or other AI coding tools. Review IDE extension lists on developer workstations.
| Finding | Your Answer |
|---|---|
| Number of developers using personal AI coding subscriptions | _______ |
| Tools identified (GitHub Copilot, Cursor, Cody, etc.) | _______ |
| Is source code being sent to AI models through personal accounts? | Yes / No / Unknown |
What “yes” means: AI coding assistants send code context — often entire files or repositories — to external AI models for completion. If proprietary source code, API keys, or internal system architecture flows through a personal Copilot account, the organization has no audit trail, no data processing agreement, and no contractual protections.
Benchmark: 45% of developers use unsanctioned code assistants (Stack Overflow Developer Survey, 2025). Engineering teams have the highest shadow AI adoption of any department at 79%.
Question 8: Has anyone in the organization already tried an AI pilot — formally or informally?
Check: Ask department heads directly: “Has anyone on your team tested AI for a specific workflow in the past 12 months?”
| Finding | Your Answer |
|---|---|
| Number of informal AI experiments or pilots identified | _______ |
| Which departments ran them? | _______ |
| Did any produce measurable results? | Yes / No / Not measured |
| Were results documented? | Yes / No |
What “yes” means: Informal pilots are the strongest signal of where AI delivers real value in your organization. The 5% of companies that capture measurable AI returns start with these organic experiments — then formalize the ones that work, measure them properly, and scale them with governance. An undocumented informal pilot that employees rely on daily is not a problem. It is the foundation of the AI program.
Part 2: The Two Authorized-but-Invisible AI Spend Questions
These questions address the AI your organization already pays for: capabilities embedded in tools that procurement approved but that nobody explicitly evaluated as AI investments.
Question 9: What AI features are already active in tools you pay for?
Most enterprise software vendors added AI capabilities in 2024-2025 and began billing for them — sometimes as explicit add-ons, sometimes buried in price increases. The question is whether anyone evaluated whether to activate them, train employees on them, or measure their value.
Check each tool your organization uses:
| Tool | AI Feature | Pricing Model | Your Status |
|---|---|---|---|
| Microsoft 365 | Copilot (Word, Excel, Outlook, Teams) | $30/user/month add-on; included in new E7 tier at $99/user/month | Active / Inactive / Licensed but unused / Not purchased |
| Google Workspace | Gemini (Gmail, Docs, Sheets, Meet) | Embedded in all plans as of March 2026; $2-4/user/month price increase — mandatory, no opt-out | Active / Inactive / Paying but not using |
| Salesforce | Einstein AI / Agentforce | Included in higher tiers; add-on for others | Active / Inactive / Unknown |
| Zoom | AI Companion (meeting summaries, action items, chat) | Base features included at no extra cost on Pro+; Custom add-on $12/user/month | Active / Inactive / Unknown |
| ServiceNow | Now Assist (generative AI for ITSM) | Requires Pro or Enterprise tier + separate add-on license | Active / Inactive / Unknown |
| Slack | AI features (search, summaries, recaps) | Included in Pro+ plans | Active / Inactive / Unknown |
| HubSpot | AI content assistant, ChatSpot | Included in Pro+ tiers | Active / Inactive / Unknown |
| Other: _______ | _______ | _______ | _______ |
| Other: _______ | _______ | _______ | _______ |
What to calculate:
| Finding | Your Answer |
|---|---|
| Total number of tools with embedded AI features | _______ |
| Tools with AI features active and being used | _______ |
| Tools with AI features active but nobody trained on them | _______ |
| Tools with AI features you are paying for but have not activated | _______ |
| Estimated monthly spend on embedded AI features (add-ons + price increases) | $_______ /month |
The Google Workspace example: Starting March 17, 2026, every Google Workspace plan includes Gemini AI with a mandatory price increase of $2-4/user/month. A 300-person company on Business Plus pays an additional $14,400/year whether anyone uses Gemini or not. Disabling Gemini in the admin console does not reduce the bill.
Benchmark: Gartner predicts 40% of enterprise applications will embed task-specific AI agents by end of 2026, up from less than 5% in 2025. The AI surcharge is becoming a standard line item across the SaaS stack.
Question 10: What is the total AI spend — visible and invisible — across the organization?
This question aggregates everything discovered in Questions 1-9 into one number the CFO can act on.
| Spend Category | Monthly | Annual | Source |
|---|---|---|---|
| A. Enterprise AI tool licenses (procured through IT) | $_______ | $_______ | Procurement records |
| B. Employee-expensed AI subscriptions (Question 1) | $_______ | $_______ | Expense reports |
| C. Embedded AI surcharges in existing tools (Question 9) | $_______ | $_______ | Contract review |
| D. Estimated cost of undetected free-tier usage (Questions 2-8) | $_______ | $_______ | Estimate: employee count × estimated share of shadow users × $15/month |
| Total Known AI Spend (A + B + C) | $_______ | $_______ | |
| Total Estimated AI Spend (A + B + C + D) | $_______ | $_______ | |
The math that matters: For a 300-person company, industry benchmarks suggest annual AI spending of $590-$1,400 per employee (Fortune, 2025). That puts the expected range at $177,000-$420,000/year. If your known spend (A + B + C) is significantly below that range, the difference is shadow AI — employees spending their own money or using free tiers that expose company data without any cost on the books.
Benchmark: Organizations with ungoverned AI environments carry 5x more redundant AI subscriptions than governed ones (Zylo, 2026). The rationalization opportunity — consolidating shadow spend into governed enterprise tools — typically recovers $106,000-$242,000/year at mid-market scale.
The Decision Tree: What to Do with What You Found
Score your responses:
| Count | Your Number |
|---|---|
| Questions 1-8 answered “yes” or with findings | _______ / 8 |
| Question 9: tools with AI features you pay for but nobody uses | _______ |
| Question 10: gap between known and estimated spend | $_______ |
Read your result:
0-2 findings across Questions 1-8: Your organization has lower-than-average shadow AI exposure. This is rare — only 2% of organizations report no unsanctioned AI use (Varonis, 2025). Verify the result: low findings may indicate detection gaps rather than low usage. Proceed to the amnesty survey to confirm.
3-5 findings: Typical mid-market profile. Shadow AI exists but is not yet a crisis. Commission the full 30-day audit (five discovery methods, 10-15 business days, $15,000-$40,000 in staff time, no new tools required). Draft the acceptable use policy in parallel. The audit informs the policy; the policy does not need to wait for the audit to finish.
6-8 findings: The shadow AI footprint is significant. This is the profile where the $670,000 breach cost premium becomes a near-term risk, not a theoretical one. Prioritize three actions: (1) block critical-risk tools processing PII or client data through personal accounts within 48 hours, (2) launch the amnesty survey immediately, and (3) present findings to the executive sponsor within one week. The full audit runs in parallel but the immediate exposures cannot wait.
Question 9 reveals 3+ tools with AI features you pay for but do not use: This is a CFO action item. Embedded AI surcharges across the SaaS stack can add $50,000-$150,000/year in spending that nobody evaluated. Two options: activate the features with training and governance (capture the value you are already paying for) or negotiate removal at the next renewal (recover the spend). The worst option is the default — paying for AI features that sit dormant while employees use ungoverned free alternatives.
Question 10 gap exceeds $100,000/year: The gap between known and estimated AI spend represents the organization’s governance blind spot in dollar terms. Every dollar in that gap is an employee using an unmanaged tool with company data flowing through terms the legal team has not reviewed. This number is the business case for the full audit — and for the enterprise AI platform procurement that consolidates shadow spend into a governed environment.
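Question 10 and the decision tree above are both arithmetic over the numbers the worksheet collects, so they can be checked in one place. The script below is an added example, not part of the worksheet: it computes categories A through D with the worksheet's $15/user/month free-tier estimate, compares known spend against the $590-$1,400 per-employee benchmark range, reports the gap both ways (known versus estimated, and known versus the low end of the benchmark), and applies the decision-tree thresholds. The input figures in the usage section are constructed for a 300-person company; the thresholds and rates are the ones the worksheet states.

```python
"""Total-AI-spend estimator (Question 10) and decision-tree scoring.

Added example; not part of the worksheet. The figures passed in main() are constructed;
the $15/user/month free-tier estimate, the $590-$1,400 per-employee benchmark and the
decision thresholds are the ones the worksheet states.
"""
PER_EMPLOYEE_BENCHMARK = (590, 1400)   # annual $, Fortune 2025 range quoted in Question 10
FREE_TIER_ESTIMATE = 15                # $/shadow user/month, from the Question 10 table


def estimate_spend(headcount, enterprise_monthly, expensed_monthly, embedded_monthly, shadow_share):
    """Categories A-D from the Question 10 table, annualised, plus the two gap figures."""
    shadow_users = round(headcount * shadow_share)          # e.g. 78% of 300 is 234 people
    d_monthly = shadow_users * FREE_TIER_ESTIMATE            # category D
    known_monthly = enterprise_monthly + expensed_monthly + embedded_monthly   # A + B + C
    estimated_monthly = known_monthly + d_monthly            # A + B + C + D
    low = headcount * PER_EMPLOYEE_BENCHMARK[0]
    high = headcount * PER_EMPLOYEE_BENCHMARK[1]
    known_annual, estimated_annual = known_monthly * 12, estimated_monthly * 12
    return {
        "shadow_users": shadow_users,
        "known_annual": known_annual,
        "estimated_annual": estimated_annual,
        "benchmark_annual": (low, high),
        "below_benchmark": known_annual < low,
        "gap_to_estimate": estimated_annual - known_annual,     # the D line, annualised
        "gap_to_benchmark_low": max(0, low - known_annual),     # "the difference is shadow AI"
    }


def decision_tree(findings_q1_q8, unused_ai_tools, gap_annual):
    """Apply the worksheet's decision tree; the branch thresholds are the worksheet's."""
    if findings_q1_q8 <= 2:
        exposure = "low"
        actions = ["Verify detection gaps; confirm with the amnesty survey"]
    elif findings_q1_q8 <= 5:
        exposure = "typical"
        actions = ["Commission the 30-day audit",
                   "Draft the acceptable use policy in parallel"]
    else:
        exposure = "significant"
        actions = ["Block critical-risk tools handling PII or client data via personal accounts within 48 hours",
                   "Launch the amnesty survey immediately",
                   "Present findings to the executive sponsor within one week"]
    cfo_action = unused_ai_tools >= 3
    if cfo_action:
        actions.append("CFO: activate dormant AI features with training, or negotiate removal at renewal")
    gap_business_case = gap_annual > 100_000
    if gap_business_case:
        actions.append("Use the spend gap as the business case for the full audit and platform procurement")
    return {"exposure": exposure, "cfo_action": cfo_action,
            "gap_business_case": gap_business_case, "actions": actions}


def main():
    # Constructed inputs for a 300-person company: $4,000/month in IT-procured licences,
    # $900/month expensed by employees, $1,200/month in embedded surcharges, 78% shadow share.
    spend = estimate_spend(300, 4000, 900, 1200, 0.78)
    for key, value in spend.items():
        print(f"{key}: {value}")
    verdict = decision_tree(findings_q1_q8=6, unused_ai_tools=3,
                            gap_annual=spend["gap_to_benchmark_low"])
    print(verdict["exposure"], verdict["actions"])


if __name__ == "__main__":
    main()
```

Note which gap you feed into `decision_tree`: with the $15/month estimator, the known-versus-estimated gap for 300 people cannot exceed $54,000/year even if every employee is counted as a shadow user (300 × $15 × 12), so in practice it is the benchmark-based gap from "The math that matters" that crosses the $100,000 threshold.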
Key Data Points
| Metric | Finding | Source |
|---|---|---|
| Employees using unapproved AI tools | 78% | WalkMe/Propeller Insights, n=1,000, July 2025 |
| Employees pasting data through personal AI accounts | 77% via personal accounts; 82% use personal accounts | LayerX, October 2025 |
| Shadow AI breach cost premium | +$670K per incident ($4.63M vs. $3.96M) | IBM Cost of a Data Breach, n=604, 2025 |
| Organizations with zero AI governance policies | 63% | IBM, n=604, 2025 |
| Unauthorized AI tools per 1,000 employees | 269 | Reco, n=50+ enterprises, 2025 |
| AI-native app spending through expense reports | 267% YoY growth | Zylo, 40M+ licenses, 2026 |
| Google Workspace mandatory AI price increase | $2-4/user/month, no opt-out | Google, effective March 17, 2026 |
| Enterprise apps embedding AI agents by end of 2026 | 40%, up from <5% in 2025 | Gartner, August 2025 |
| Redundant AI subscriptions in ungoverned orgs | 5x more than governed | Zylo, 2026 |
| Developers using unsanctioned code assistants | 45% | Stack Overflow Developer Survey, 2025 |
What This Means for Your Organization
This worksheet is a two-hour exercise that produces a one-page answer to the question every CIO, CISO, and CFO needs answered before making any AI investment decision: what AI does the organization already have, what is it costing, and what data is it touching?
The companies that handle shadow AI well treat the discovery as a strategic exercise, not a compliance crackdown. The 78% of employees using unauthorized tools found genuine value — they are not reckless, they are underserved. The organization that responds with “tell us what’s working and we will provide a better version” captures both the innovation and the governance. The organization that responds with “stop using everything immediately” drives AI usage underground, where the data exposure continues but the visibility disappears.
The discovery worksheet feeds directly into the next three actions: the acceptable use policy (which tools are approved, under what conditions), the shadow AI audit (the full 30-day, five-method technical discovery), and the CFO’s total cost of ownership analysis (the honest budget that survives the quarterly review). If the findings from this worksheet raised questions about how to sequence these actions for your specific organization — or if the numbers surprised you and you want to pressure-test them — that is a conversation worth having at brandon@brandonsneider.com.
Sources
- WalkMe/Propeller Insights — Shadow AI survey. n=1,000 U.S. workers, July 2025. ±3% margin of error. 78% unapproved AI tool usage. Independent polling. High credibility. https://news.sap.com/2025/08/new-walkme-survey-shadow-ai-rampant-training-gaps-undermine-roi/
- LayerX — Enterprise AI & SaaS Data Security Report. October 2025. 77% paste data through personal accounts, 82% use personal accounts, 34.8% of AI inputs are sensitive data. Browser telemetry, not self-report. Independent security vendor. High credibility. https://layerxsecurity.com/blog/layerxs-enterprise-genai-security-report-2025-exposing-hidden-ai-security-blind-spots/
- IBM — Cost of a Data Breach 2025. n=604 organizations, 17 countries. $670K shadow AI breach premium, 63% no governance policies. Gold standard for breach cost data. High credibility. https://www.ibm.com/reports/data-breach
- Reco — 2025 State of Shadow AI Report. n=50+ enterprises, 55,000+ apps. 269 tools per 1,000 employees. Vendor-funded telemetry. Moderate credibility. https://www.reco.ai/state-of-shadow-ai-report
- Zylo — 2026 SaaS Management Index. 40M+ licenses, $75B+ spend under management. 267% expense-reported AI spending growth, 5x redundancy in ungoverned environments. Independent SaaS management platform. High credibility. https://zylo.com/reports/2026-saas-management-index/
- Gartner — “40% of Enterprise Apps Will Feature Task-Specific AI Agents by 2026.” August 2025. Analyst prediction. High credibility. https://www.gartner.com/en/newsroom/press-releases/2025-08-26-gartner-predicts-40-percent-of-enterprise-apps-will-feature-task-specific-ai-agents-by-2026-up-from-less-than-5-percent-in-2025
- Google — Workspace pricing update. Gemini AI embedded in all plans, $2-4/user/month increase, effective March 17, 2026. No opt-out. Primary source (vendor announcement). https://www.ofzenandcomputing.com/google-workspace-price-increase/
- Microsoft — 365 Copilot pricing. $30/user/month add-on; new E7 tier at $99/user/month (available May 1, 2026). Primary source (vendor announcement). https://www.microsoft.com/en-us/microsoft-365/blog/2026/03/09/powering-frontier-transformation-with-copilot-and-agents/
- Stack Overflow — Developer Survey 2025. 45% use unsanctioned code assistants. Independent community survey. High credibility.
- Fortune — AI spending per employee benchmarks: $590-$1,400 annually. Industry reporting, 300+ customer data points, 2025. Moderate-high credibility.
- Varonis — 98% of organizations report unsanctioned AI use; 2% report none. 2025. Vendor-funded. Moderate credibility.
- Zoom — AI Companion pricing. Base features included on Pro+; Custom add-on $12/user/month. Primary source. https://zoom.us/pricing/aic
- BlackFog Research — 60% of employees would accept security risks to meet deadlines with unsanctioned AI. January 2026. Vendor-funded. Low-moderate credibility. https://www.blackfog.com/blackfog-research-shadow-ai-threat-grows/
Brandon Sneider | brandon@brandonsneider.com | March 2026