When approved AI tooling is slow or absent, employees route around it — pasting source code, customer records, or strategy documents into whatever consumer chatbot is fastest. That is shadow AI, and it is one of the most common ways sensitive data now leaves organizations. This quiz estimates your exposure and points to the controls that close the biggest gaps.
How it works
Tell the tool your organization size and industry, then rate ten controls as yes, partially, or no. The controls span the full shadow-AI lifecycle: whether you have a communicated policy and an approved-tool list, whether requesting a new tool is easy enough that people don’t bypass procurement, whether you monitor egress to AI domains, whether DLP flags sensitive data heading to AI services, whether staff are trained, and whether there is a no-blame way to report accidental exposure.
Each control is weighted by how much risk it mitigates. Missing controls add weighted exposure, partial controls add half, and the tool reports a percentage of weighted controls missing along with a low, moderate, or high band. For regulated industries it raises the priority of monitoring and DLP, since unsanctioned AI use there can create reporting obligations.
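The scoring scheme just described, worked through in code. This is an added illustration, not the quiz's own implementation: the seven controls are the ones the page names (the quiz has ten; the three it does not enumerate are left out), while the weights, the set of regulated industries, the 1.5x multiplier on monitoring and DLP, and the 25/50 percent band cut-offs are all assumptions chosen for the example.

```python
"""Weighted shadow-AI exposure score (added example, not the quiz's code)."""

# Exposure contributed by each answer, as a fraction of the control's weight:
# a missing control adds its full weight, a partial one adds half.
ANSWER_EXPOSURE = {"yes": 0.0, "partially": 0.5, "no": 1.0}

# (control id, description, assumed weight). Weights are illustrative only.
CONTROLS = [
    ("policy", "communicated AI acceptable use policy", 3),
    ("approved_list", "published approved-tool list", 2),
    ("fast_intake", "lightweight request path for new tools", 2),
    ("egress_monitoring", "monitoring of egress to AI domains", 3),
    ("dlp", "DLP rules for sensitive data heading to AI services", 3),
    ("training", "staff training on AI data handling", 2),
    ("no_blame_reporting", "no-blame channel to report accidental exposure", 2),
]

# Assumed regulated-industry handling: monitoring and DLP get extra priority.
REGULATED_INDUSTRIES = {"healthcare", "finance", "government"}
REGULATED_PRIORITY = {"egress_monitoring", "dlp"}
REGULATED_MULTIPLIER = 1.5

# Assumed band thresholds on the percentage of weighted controls missing.
LOW_BAND_MAX = 25.0
MODERATE_BAND_MAX = 50.0


def effective_weights(industry: str) -> dict:
    """Return per-control weights, boosted for regulated industries."""
    regulated = industry.strip().lower() in REGULATED_INDUSTRIES
    weights = {}
    for control_id, _, weight in CONTROLS:
        boost = REGULATED_MULTIPLIER if regulated and control_id in REGULATED_PRIORITY else 1.0
        weights[control_id] = weight * boost
    return weights


def band_for(percent_missing: float) -> str:
    if percent_missing < LOW_BAND_MAX:
        return "low"
    if percent_missing < MODERATE_BAND_MAX:
        return "moderate"
    return "high"


def score(answers: dict, industry: str) -> dict:
    """Compute percent of weighted controls missing, the band, and a ranked gap list.

    `answers` maps control id -> "yes" | "partially" | "no"; an unanswered
    control is treated as "no", the conservative reading.
    """
    weights = effective_weights(industry)
    total_weight = sum(weights.values())
    missing = 0.0
    gaps = []
    for control_id, description, _ in CONTROLS:
        answer = answers.get(control_id, "no").strip().lower()
        if answer not in ANSWER_EXPOSURE:
            raise ValueError(f"{control_id}: answer must be yes/partially/no, got {answer!r}")
        exposure = ANSWER_EXPOSURE[answer] * weights[control_id]
        missing += exposure
        if exposure > 0:
            gaps.append((exposure, control_id, description, answer))
    percent_missing = 100.0 * missing / total_weight
    gaps.sort(reverse=True)  # biggest weighted gap first: this is the briefing list
    return {"percent_missing": percent_missing, "band": band_for(percent_missing), "gaps": gaps}


if __name__ == "__main__":
    # Constructed sample answers for a mid-size, non-regulated organisation.
    sample = {
        "policy": "yes", "approved_list": "partially", "fast_intake": "no",
        "egress_monitoring": "no", "dlp": "partially", "training": "yes",
        "no_blame_reporting": "no",
    }
    result = score(sample, "retail")
    print(f"{result['percent_missing']:.1f}% of weighted controls missing -> {result['band']}")
    for exposure, control_id, description, answer in result["gaps"]:
        print(f"  {exposure:4.1f}  {control_id:<20} ({answer}) {description}")
```

The gap list is sorted by weighted exposure rather than by question order, which is the ordering you want when turning the result into a short list of asks for leadership.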
Tips and notes
The two cheapest high-impact moves are usually a clearly communicated AI acceptable use policy and visibility into traffic going to AI domains through your existing proxy, CASB, or DNS logs — you often already have the tooling and just need the AI destinations added.
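What "adding the AI destinations" to existing proxy or DNS logs looks like in practice, as an added example that is not part of the quiz or any vendor's product. The log line format, the sample lines, the 100 KB upload threshold and the watch list of AI domains are all constructed assumptions; swap in your own proxy/CASB/DNS export format and the destinations your approved-tool list does and does not cover.

```python
"""Find traffic to AI service domains in proxy and DNS logs (added example)."""
import re
from collections import defaultdict

# Assumed watch list of AI destinations; keep it in sync with the approved-tool list
# so that approved enterprise tenants can be carved out later if desired.
AI_DOMAINS = {
    "chat.openai.com",
    "api.openai.com",
    "claude.ai",
    "gemini.google.com",
    "copilot.microsoft.com",
}

# Constructed line formats: a flat proxy access log and a flat DNS query log.
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qtype>[A-Z]+) (?P<name>\S+)$")


def host_from_url(url: str):
    m = re.match(r"^[a-z]+://([^/:]+)", url)
    return m.group(1).lower() if m else None


def is_ai_destination(host: str) -> bool:
    """Suffix match so that subdomains of a watched domain are also caught."""
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in AI_DOMAINS)


def parse_line(line: str):
    """Return a normalised event dict, or None for lines in neither format."""
    m = PROXY_RE.match(line)
    if m:
        return {"source": "proxy", "ts": m["ts"], "client": m["client"],
                "host": host_from_url(m["url"]), "method": m["method"], "bytes": int(m["bytes"])}
    m = DNS_RE.match(line)
    if m:
        return {"source": "dns", "ts": m["ts"], "client": m["client"],
                "host": m["name"], "method": None, "bytes": 0}
    return None


def find_ai_activity(lines, upload_threshold: int = 100_000):
    """Aggregate AI-destination activity per client; flag large uploads (POST/PUT bytes)."""
    per_client = defaultdict(lambda: {"dns_lookups": 0, "requests": 0, "bytes_sent": 0, "hosts": set()})
    for line in lines:
        event = parse_line(line)
        if event is None or event["host"] is None or not is_ai_destination(event["host"]):
            continue
        rec = per_client[event["client"]]
        rec["hosts"].add(event["host"].lower())
        if event["source"] == "dns":
            rec["dns_lookups"] += 1
        else:
            rec["requests"] += 1
            if event["method"] in ("POST", "PUT"):
                rec["bytes_sent"] += event["bytes"]
    findings = []
    for client, rec in sorted(per_client.items()):
        findings.append({"client": client, "dns_lookups": rec["dns_lookups"],
                         "requests": rec["requests"], "bytes_sent": rec["bytes_sent"],
                         "hosts": sorted(rec["hosts"]),
                         "large_upload": rec["bytes_sent"] >= upload_threshold})
    return findings


# Constructed sample: one client uploading a large body to an AI service, one client
# doing only ordinary browsing, one client with small AI requests, one malformed line.
SAMPLE_LOG = """\
2024-05-02T09:13:59Z 10.1.2.3 query A claude.ai
2024-05-02T09:14:03Z 10.1.2.3 POST https://claude.ai/api/organizations/example/chat 200 183204
2024-05-02T09:14:10Z 10.1.2.3 GET https://claude.ai/static/app.js 200 0
2024-05-02T09:15:41Z 10.1.2.7 query A intranet.example.internal
2024-05-02T09:16:02Z 10.1.2.7 GET https://www.example.com/ 200 0
2024-05-02T09:17:30Z 10.1.2.9 query A chat.openai.com
2024-05-02T09:17:31Z 10.1.2.9 GET https://chat.openai.com/ 200 0
2024-05-02T09:18:12Z 10.1.2.9 POST https://api.openai.com/v1/chat/completions 200 2048
malformed line that should be skipped
"""

if __name__ == "__main__":
    for finding in find_ai_activity(SAMPLE_LOG.splitlines()):
        flag = "  <-- large upload" if finding["large_upload"] else ""
        print(f"{finding['client']}: {finding['requests']} requests, {finding['dns_lookups']} DNS lookups, "
              f"{finding['bytes_sent']} bytes sent to {', '.join(finding['hosts'])}{flag}")
```

Request bytes on POST/PUT are the interesting signal: a GET to an AI front page is someone looking, a large request body is something leaving. DNS alone gives you the inventory of who is using which service; the proxy log tells you how much is going there, which is the number that turns a "we should have a policy" conversation into a budget line.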
Pair detection with a fast approval path. The reason shadow AI thrives is friction: if getting a useful AI tool approved takes weeks, people will use the unapproved one today. A lightweight intake form plus an enterprise-tier option with no-training terms removes most of the incentive. The quiz is an indicative self-assessment that runs entirely in your browser; use the gap list to brief security and leadership, not as a formal audit.