Shadow AI · Policy vs. Reality
Shadow AI is one of the first compliance blind spots auditors find. Fencia detects the AI tools in use, checks each one against your policy, and surfaces every gap automatically.
The problem
Shadow AI refers to artificial intelligence tools, models and applications that employees use within an organization without the knowledge, approval or oversight of IT, legal or compliance teams. It happens because AI adoption is fast and frictionless — a developer installs an SDK, a marketer pastes data into ChatGPT, a designer uses an AI image generator — all without a formal review.
The problem isn't that employees want to break rules. The problem is that AI tools are now as easy to adopt as a browser extension, and the compliance review process hasn't caught up. By the time IT finds out, the tool has been in production use for months.
Shadow AI exposes your organization to regulatory risk. The EU AI Act entered into force on 1 August 2024, with its obligations phasing in through 2027, and it places those obligations on deployers for the AI systems they actually use, whether or not anyone inside the organization ever approved them. Auditors will ask for a complete AI inventory. If you can't produce one, that's a finding.
“The EU AI Act holds you accountable for every AI system you deploy — including the ones you didn't officially approve.”
Real examples we detect every week: ChatGPT used to summarize customer support tickets (personal data sent to a third-party processor with no lawful basis established and no data processing agreement in place), the OpenAI SDK imported directly into a production codebase (no security review), Perplexity used for competitive research on confidential product strategy.
[figure missing] of employees use AI tools their company hasn't approved (Gartner, 2024)
The EU AI Act makes deployers responsible for the AI systems they use, whether or not IT approved them (EU AI Act)
[figure missing] unauthorized AI tools active in the average enterprise (industry average)
Policy vs. Reality
Left: what your AI policy says. Right: what Fencia found in Slack and GitHub.
How it works
Link Slack, Google Drive and GitHub in one click. No agents installed, no IT tickets required. The OAuth grant is read-only: Fencia never writes or deletes anything. Still, have a workspace admin review the requested scopes before approving the connection; an app that reads every channel, document and repository deserves the same third-party scrutiny as any other vendor handling your data.
Fencia scans the connected messages, documents and repositories for AI tool mentions and usage patterns. Scans run on a schedule, so the picture stays current instead of being refreshed only when someone remembers to check.
Every detected tool is cross-referenced against your uploaded AI policy. Unapproved tools become findings with article reference, severity rating and a concrete remediation step.
Detection sources
Slack: AI tool mentions in public channels, shared links, bot integrations and workflow automation.
Examples: ChatGPT, Claude, Midjourney, Perplexity, Notion AI…
Google Drive: AI tool names referenced in documents, contracts, meeting notes, spreadsheets and presentations.
Examples: tool names in strategy docs, vendor agreements, product specs…
GitHub: SDK imports and dependencies in package.json, requirements.txt, Cargo.toml, and direct API calls in source code.
Examples: openai, anthropic, langchain, huggingface, replicate…
What happens next
When Fencia detects a tool, it doesn't just log it. It classifies the tool (approved / unapproved / unknown), cross-references it against your uploaded AI policy, and generates a structured finding.
Each finding includes: the tool name and version, the source where it was found, the EU AI Act article it potentially violates, a severity rating (Critical, High, Medium, Low), and a recommended remediation action — not a generic suggestion, but a specific step you can take today.
Findings are grouped into your AI inventory automatically. New tools discovered after your last scan appear as new findings. The inventory stays current without any manual effort.
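As an added example, not Fencia's code, here is a minimal version of the GitHub and Slack detection described under "Detection sources" together with the policy cross-reference from "What happens next". It goes a little beyond the text in that it parses all three manifest formats named there (package.json, requirements.txt, Cargo.toml) plus bare API hostnames in source, then classifies each vendor as approved, unapproved or unknown against a policy and emits findings with a severity and remediation. Everything not on the page is an assumption of this example: the package-to-vendor mapping, the API host list, the chat tool names, the policy shape (sets of approved and prohibited vendors), the severity and remediation tables, and the sample repository and messages, which are constructed. It does not map findings to EU AI Act articles.

```python
import json
import re

# Packages that pull in an AI vendor SDK, per ecosystem (real package names; the vendor label is assumed here).
SDK_PACKAGES = {
    "npm": {"openai": "OpenAI", "@anthropic-ai/sdk": "Anthropic", "langchain": "LangChain", "replicate": "Replicate"},
    "pip": {"openai": "OpenAI", "anthropic": "Anthropic", "langchain": "LangChain", "replicate": "Replicate"},
    "cargo": {"async-openai": "OpenAI"},
}
# API hosts that betray a direct HTTP call made without any SDK.
API_HOSTS = {"api.openai.com": "OpenAI", "api.anthropic.com": "Anthropic",
             "api.perplexity.ai": "Perplexity", "api.replicate.com": "Replicate"}
CHAT_TOOLS = {"chatgpt": "OpenAI", "claude": "Anthropic", "midjourney": "Midjourney",
              "perplexity": "Perplexity", "notion ai": "Notion"}  # matched as whole words, case-insensitive

def deps_from_package_json(text):
    data = json.loads(text)
    return {n for key in ("dependencies", "devDependencies") for n in data.get(key, {})}

def deps_from_requirements(text):
    names = set()
    for line in text.splitlines():
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line.split("#", 1)[0].strip())
        if m:  # pip options such as "-r base.txt" never match the leading character class
            names.add(re.sub(r"[-_.]+", "-", m.group(1)).lower())  # PEP 503 normalisation
    return names

def deps_from_cargo_toml(text):
    # Minimal reader for the [dependencies] and [dev-dependencies] tables only.
    names, section = set(), None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[] ")
        elif section in ("dependencies", "dev-dependencies") and (m := re.match(r"([\w-]+)\s*=", line)):
            names.add(m.group(1))
    return names

MANIFESTS = {"package.json": ("npm", deps_from_package_json), "Cargo.toml": ("cargo", deps_from_cargo_toml),
             "requirements.txt": ("pip", deps_from_requirements)}

def detect_in_repo(files):
    """files: {path: content}. Returns [(vendor, evidence, path)]."""
    hits = []
    for path, content in files.items():
        eco, parse = MANIFESTS.get(path.rsplit("/", 1)[-1], (None, None))
        if eco:
            hits += [(SDK_PACKAGES[eco][d], eco + ":" + d, path)
                     for d in parse(content) if d in SDK_PACKAGES[eco]]
        else:  # any other file: look for vendor API hosts in the source text
            hits += [(v, "api:" + h, path) for h, v in API_HOSTS.items() if h in content]
    return hits

def detect_in_messages(messages):
    """messages: [(channel, text)]. Returns [(vendor, tool, channel)]."""
    return [(v, t, ch) for ch, text in messages
            for t, v in CHAT_TOOLS.items() if re.search(r"\b%s\b" % re.escape(t), text.lower())]

# Severity depends on policy status and on where the tool was seen: production code outranks a chat mention.
SEVERITY = {("unapproved", "github"): "High", ("unapproved", "slack"): "Medium",
            ("unknown", "github"): "Medium", ("unknown", "slack"): "Low"}
REMEDIATION = {"unapproved": "Remove the tool or switch to the approved vendor; notify the owner of the source.",
               "unknown": "Submit the vendor for policy review and record it in the AI inventory meanwhile."}

def build_findings(repo_files, messages, policy):
    """Cross-reference detections against the policy: approved vendors only enter
    the inventory; unapproved and unknown ones also become findings."""
    inventory, findings = set(), []
    for source, hits in (("github", detect_in_repo(repo_files)),
                         ("slack", detect_in_messages(messages))):
        for vendor, evidence, location in hits:
            inventory.add(vendor)
            status = ("approved" if vendor in policy["approved"] else
                      "unapproved" if vendor in policy["prohibited"] else "unknown")
            if status != "approved":
                findings.append({"vendor": vendor, "evidence": evidence, "source": source,
                                 "location": location, "status": status,
                                 "severity": SEVERITY[status, source],
                                 "remediation": REMEDIATION[status]})
    return sorted(inventory), findings

# Constructed sample input for this example; not real customer data.
SAMPLE_REPO = {
    "web/package.json": '{"dependencies": {"express": "^4.19.0", "openai": "^4.52.0"}}',
    "api/requirements.txt": "requests>=2.31\nAnthropic==0.34.0  # ticket summariser\n-r base.txt\n",
    "worker/Cargo.toml": '[package]\nname = "worker"\n[dependencies]\nserde = "1"\nasync-openai = "0.23"\n',
    "api/research.py": 'URL = "https://api.perplexity.ai/chat/completions"\n',
}
SAMPLE_MESSAGES = [("#support", "I pasted the ticket into ChatGPT and it wrote the summary"),
                   ("#product", "ran the competitor teardown through Perplexity, deck attached"),
                   ("#design", "midjourney mockups for the new landing page")]
SAMPLE_POLICY = {"approved": {"OpenAI"}, "prohibited": {"Perplexity"}}  # keyed by vendor

def run_example():
    return build_findings(SAMPLE_REPO, SAMPLE_MESSAGES, SAMPLE_POLICY)

if __name__ == "__main__":
    for f in run_example()[1]:
        print(f"[{f['severity']}] {f['status']}: {f['vendor']} via {f['evidence']} in {f['location']}")
```

With the sample policy, the OpenAI usages in package.json, Cargo.toml and the #support channel land in the inventory but raise no finding; the Perplexity API call in source is the single High finding, the Anthropic dependency and the Perplexity chat mention are Medium, and Midjourney, which the policy never mentions, is an unknown-vendor Low. Keying the policy by vendor rather than by product name is deliberate: a policy that approves "ChatGPT" but says nothing about the OpenAI SDK is exactly the kind of gap that lets an unreviewed integration into production.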
Regulatory context
Article 26 of the EU AI Act (Regulation (EU) 2024/1689) sets out the obligations of deployers, the organizations that use AI systems in their operations, for high-risk AI systems: use the system in accordance with its instructions for use, assign human oversight to people with the competence, training and authority to exercise it, monitor its operation, and retain the logs it generates. Article 4 separately requires every deployer, whatever the risk level of the system, to ensure a sufficient level of AI literacy among the staff who operate AI on its behalf.
None of these obligations is conditioned on internal approval. They attach to the deployer the moment the system is in use, and you cannot work out which risk tier a system falls into, or meet its oversight and logging duties, for a system you do not know about. If your support team runs customer data through ChatGPT and nobody has recorded, classified or overseen that use, the gap is yours even if the tool is compliant on its own.
Auditors under the EU AI Act will request an AI inventory as one of their first steps. They want to see what you operate, how you classified each system, what oversight mechanisms you have in place, and what your AI use policy says. Shadow AI is the gap between what your policy says and what your inventory actually contains.