ZaunDocs

Shadow AI / SaaS

Discover unsanctioned AI and SaaS usage and what data it can touch.

Zaun's Shadow AI / SaaS module finds unsanctioned AI tools and SaaS applications across your organization, shows what data they can access, and surfaces the risks they introduce.

Why It Matters

AI adoption is moving faster than security teams can track. Employees adopt new AI tools daily, often without IT or security awareness. Each unsanctioned tool represents:

  • Data exposure risk: sensitive data shared with third-party AI models
  • Compliance gaps: unvetted tools processing regulated data
  • OAuth over-permissioning: broad API access granted via OAuth flows
  • Supply chain risk: unknown third-party dependencies

What Zaun Detects

Unsanctioned AI Tools

  • AI assistants and copilots used outside approved channels
  • Browser extensions with AI capabilities
  • AI-powered SaaS applications accessing corporate data

SaaS Sprawl

  • New SaaS applications adopted without security review
  • Shadow IT applications with corporate SSO access
  • Dormant SaaS accounts with active API credentials

Data Exposure

  • Sensitive documents shared with AI services
  • Corporate data uploaded to unsanctioned cloud storage
  • API keys and credentials exposed in AI tool prompts

Specific Use Cases

Source Code Leakage via AI Assistants

An engineer pastes proprietary source code into ChatGPT, Google Gemini, or Perplexity to debug a production issue. Zaun detects the OAuth grant or DNS query to the AI service, correlates it with DLP signals from Microsoft Purview or Google Workspace DLP, and flags the data exposure.

Unauthorized AI Coding Tools

A developer installs Cursor, Codeium, or Tabnine without IT approval. These tools index the full codebase and send code snippets to external inference endpoints. Zaun picks up the new OAuth authorization in Okta or Entra ID and alerts your security team before the tool gets access to private repositories.

Marketing Team SaaS Sprawl

Your marketing team signs up for Jasper AI, Copy.ai, Canva AI, or Descript with corporate email, granting these tools access to Google Drive or OneDrive via OAuth. Zaun discovers these shadow SaaS applications through OAuth grant monitoring and DNS telemetry.

Executive AI Assistant Usage

C-suite members use Otter.ai, Fireflies.ai, or Notion AI to transcribe or summarize confidential meetings, exposing board discussions, M&A details, or financial data to third-party AI models. Zaun flags these tools and identifies the sensitivity of the data they can access.

Browser Extension Risks

Employees install AI-powered browser extensions like Monica, Merlin, or MaxAI that request permissions to read page content across all tabs, including internal tools like Jira, Confluence, Salesforce, and Workday. Zaun inventories active browser extensions and flags those with excessive permissions.
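The permission review described above can be reproduced offline against an extension inventory. The following is an added example, not Zaun's own code: it scores each installed extension by the content-reading permissions it holds (Chrome manifest vocabulary such as `tabs`, `scripting`, `host_permissions`), whether its host patterns are wildcard-broad, and which internal tool hosts those patterns reach. The inventory records, the internal host list and the permission weights are constructed assumptions for the demonstration.

```python
"""Browser extension permission review over a constructed inventory.

Added example, not Zaun's own code. The inventory, the internal-tool host
list and the permission weights are constructed; the manifest vocabulary
("permissions", "host_permissions", "<all_urls>") is the Chrome extension one.
"""
from fnmatch import fnmatch

# Constructed list of internal tool hosts an extension should not be able to read.
INTERNAL_HOSTS = ["jira.example.com", "confluence.example.com", "crm.example.com"]

# Permissions that let an extension read or alter page content, with constructed weights.
CONTENT_PERMISSIONS = {"scripting": 3, "tabs": 2, "webRequest": 2, "clipboardRead": 2, "cookies": 3}

# Host patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed inventory: one record per installed extension, as an endpoint agent might report it.
INVENTORY = [
    {"id": "ext-aaaa", "name": "AI Page Summarizer (example)",
     "permissions": ["tabs", "scripting", "storage"], "host_permissions": ["<all_urls>"]},
    {"id": "ext-bbbb", "name": "Grammar Helper (example)",
     "permissions": ["storage"], "host_permissions": ["https://docs.example-vendor.com/*"]},
    {"id": "ext-cccc", "name": "Ticket Quick View (example)",
     "permissions": ["tabs"], "host_permissions": ["https://jira.example.com/*"]},
]


def host_pattern_matches(pattern, host):
    """Return True if a manifest match pattern reaches the given host."""
    if pattern in BROAD_HOST_PATTERNS:
        return True
    # Strip scheme and path: "https://*.example.com/*" -> "*.example.com"
    host_part = pattern.split("://", 1)[-1].split("/", 1)[0]
    return fnmatch(host, host_part)


def assess(extension, internal_hosts=INTERNAL_HOSTS):
    """Score one extension's reach and explain the score.

    Returns a dict with the numeric score, a low/medium/high level, the reasons
    that contributed, and the internal hosts its host patterns can read.
    """
    reasons, score = [], 0
    for perm in extension.get("permissions", []):
        if perm in CONTENT_PERMISSIONS:
            score += CONTENT_PERMISSIONS[perm]
            reasons.append(f"permission:{perm}")
    hosts = extension.get("host_permissions", [])
    if any(h in BROAD_HOST_PATTERNS for h in hosts):
        score += 5
        reasons.append("host:all_urls")
    reachable = sorted({ih for ih in internal_hosts for h in hosts if host_pattern_matches(h, ih)})
    if reachable:
        score += 2 * len(reachable)
        reasons.append("internal_hosts:" + ",".join(reachable))
    level = "high" if score >= 8 else "medium" if score >= 4 else "low"
    return {"id": extension["id"], "name": extension["name"], "score": score,
            "level": level, "reasons": reasons, "reachable_internal_hosts": reachable}


def flagged(inventory, threshold="medium"):
    """Return the assessments at or above the given level, for review or alerting."""
    order = {"low": 0, "medium": 1, "high": 2}
    return [a for a in map(assess, inventory) if order[a["level"]] >= order[threshold]]


if __name__ == "__main__":
    for result in flagged(INVENTORY):
        print(result["level"], result["id"], result["name"], result["reasons"])
```

With the constructed inventory, the summarizer extension scores high (content permissions plus `<all_urls>`, which reaches every internal host), the ticket viewer lands at medium because its single host pattern covers the constructed Jira host, and the grammar helper is low. The weights are the part a team would tune; the structure (content permissions, breadth of host patterns, overlap with internal hosts) is what makes a finding explainable to the extension's owner.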

File Sharing to Unsanctioned Storage

Teams adopt Notion, Airtable, Monday.com, or Coda for project management and sync files from Google Drive, SharePoint, or Box. Zaun detects these new integrations and checks whether the connected SaaS application has been vetted.

Integrations

Zaun's Shadow AI / SaaS module connects to the following data sources:

Integration          | Signal Type        | What It Provides
---------------------|--------------------|------------------------------------------------
Okta                 | OAuth grants       | New app authorizations, scope changes
Microsoft Entra ID   | OAuth grants       | Enterprise app consents, admin approvals
Google Workspace     | OAuth grants       | Third-party app access, marketplace installs
CrowdStrike Falcon   | DNS telemetry      | AI/SaaS domain resolution on endpoints
Microsoft Defender   | Network telemetry  | Outbound connections to AI services
Netskope             | CASB signals       | Inline SaaS discovery, data classification
Zscaler              | Web proxy logs     | URL categorization, shadow IT discovery
Microsoft Purview    | DLP signals        | Sensitive data uploaded to AI tools
Google Workspace DLP | DLP signals        | Content inspection for regulated data
Cloudflare Gateway   | DNS logs           | AI service domain queries

Configuration

# Example: Shadow AI detection policy
shadow_ai:
  monitoring:
    - oauth_grants        # Monitor new OAuth app authorizations
    - browser_extensions  # Track AI browser extensions
    - dns_queries         # Detect AI service domains
    - dlp_signals         # Data loss prevention integration

  alerting:
    severity: high
    channels:
      - slack: "#security-alerts"
      - email: [email protected]

  exceptions:
    approved_tools:
      - "github-copilot"
      - "notion-ai"

Sample Finding

{
  "finding_id": "SHA-2024-001",
  "detection": "unsanctioned_ai_tool",
  "severity": "high",
  "timestamp": "2024-12-15T14:30:00Z",
  "details": {
    "tool": "unauthorized-ai-assistant.com",
    "user": "[email protected]",
    "data_accessed": ["google-drive", "slack-messages"],
    "oauth_scopes": ["read:drive", "read:messages"],
    "risk_factors": ["pii_exposure", "unvetted_vendor"]
  },
  "runbook": "SHA-RB-001"
}
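To show how the policy above, the source-code-leakage use case and the sample finding fit together, here is an added example that is not Zaun's own code. It evaluates constructed OAuth grant, DNS query and DLP events against a policy dict mirroring the `shadow_ai` YAML (the `browser_extensions` monitor is omitted here), skips tools on the `approved_tools` list, merges OAuth and DNS evidence for the same user and tool into one finding, and raises a `pii_exposure` risk factor when a DLP event to the same service lands within a time window of the finding. The service catalog, the scope-to-data mapping, the event shapes and all sample values are constructed assumptions; the output layout follows the sample finding, with placeholder ids.

```python
"""Shadow AI triage over constructed OAuth, DNS and DLP events.

Added example, not Zaun's own code. The AI service catalog, the scope-to-data
mapping, the event shapes and every sample value are constructed for
illustration; the finding layout mirrors the documentation's sample finding.
"""
import json
from datetime import datetime, timedelta

# Constructed catalog of AI services: app id -> domains the app resolves.
AI_SERVICES = {
    "chat-assistant-example": {"chat.ai-assistant.example", "api.ai-assistant.example"},
    "meeting-notes-example": {"app.meeting-notes.example"},
    "github-copilot": {"copilot.example"},  # constructed domain, listed to show the allowlist
}
DOMAIN_TO_APP = {d: app for app, domains in AI_SERVICES.items() for d in domains}

# Constructed mapping from the resource part of an OAuth scope to the data store it opens.
SCOPE_TO_DATA = {"drive": "google-drive", "messages": "slack-messages", "mail": "gmail"}

# Policy dict mirroring the shadow_ai YAML in the Configuration section.
POLICY = {
    "monitoring": ["oauth_grants", "dns_queries", "dlp_signals"],
    "alerting": {"severity": "high"},
    "exceptions": {"approved_tools": ["github-copilot", "notion-ai"]},
}

# Constructed sample events (identity provider grants, endpoint DNS, DLP).
OAUTH_GRANTS = [
    {"time": "2024-12-15T14:25:00Z", "user": "alice@example.com",
     "app": "chat-assistant-example", "scopes": ["read:drive", "read:messages"]},
    {"time": "2024-12-15T09:00:00Z", "user": "bob@example.com",
     "app": "github-copilot", "scopes": ["read:repo"]},
]
DNS_QUERIES = [
    {"time": "2024-12-15T14:26:00Z", "user": "alice@example.com", "domain": "api.ai-assistant.example"},
    {"time": "2024-12-15T11:10:00Z", "user": "carol@example.com", "domain": "app.meeting-notes.example"},
    {"time": "2024-12-15T11:11:00Z", "user": "carol@example.com", "domain": "cdn.unrelated.example"},
]
DLP_EVENTS = [
    {"time": "2024-12-15T14:30:00Z", "user": "alice@example.com",
     "destination": "api.ai-assistant.example", "classification": "pii"},
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def data_from_scopes(scopes):
    """Translate scopes such as 'read:drive' into the data stores they expose."""
    resources = (s.split(":")[-1] for s in scopes)
    return sorted({SCOPE_TO_DATA[r] for r in resources if r in SCOPE_TO_DATA})


def triage(policy, oauth_grants, dns_queries, dlp_events, window=timedelta(minutes=30)):
    """Produce one finding per (user, unsanctioned tool), merging all evidence."""
    approved = set(policy["exceptions"]["approved_tools"])
    severity = policy["alerting"]["severity"]
    monitoring = set(policy["monitoring"])
    findings = {}  # (user, app) -> finding

    def finding_for(user, app, time, source):
        key = (user, app)
        if key not in findings:
            findings[key] = {
                "finding_id": f"SHA-EXAMPLE-{len(findings) + 1:03d}",  # placeholder id
                "detection": "unsanctioned_ai_tool",
                "severity": severity,
                "timestamp": time,
                "details": {"tool": app, "user": user, "sources": [], "data_accessed": [],
                            "oauth_scopes": [], "risk_factors": ["unvetted_vendor"]},
            }
        findings[key]["details"]["sources"].append(source)
        return findings[key]

    if "oauth_grants" in monitoring:
        for grant in oauth_grants:
            if grant["app"] in approved:
                continue
            f = finding_for(grant["user"], grant["app"], grant["time"], "oauth")
            f["details"]["oauth_scopes"] = grant["scopes"]
            f["details"]["data_accessed"] = data_from_scopes(grant["scopes"])
            if any(not s.startswith("read:") for s in grant["scopes"]):
                f["details"]["risk_factors"].append("write_access_granted")

    if "dns_queries" in monitoring:
        for query in dns_queries:
            app = DOMAIN_TO_APP.get(query["domain"])
            if app is not None and app not in approved:
                finding_for(query["user"], app, query["time"], "dns")

    if "dlp_signals" in monitoring:
        for event in dlp_events:
            f = findings.get((event["user"], DOMAIN_TO_APP.get(event["destination"])))
            if f and abs(parse_time(event["time"]) - parse_time(f["timestamp"])) <= window:
                factor = f"{event['classification']}_exposure"
                if factor not in f["details"]["risk_factors"]:
                    f["details"]["risk_factors"].append(factor)
    return list(findings.values())


if __name__ == "__main__":
    print(json.dumps(triage(POLICY, OAUTH_GRANTS, DNS_QUERIES, DLP_EVENTS), indent=2))
```

On the constructed events this yields two findings: one for the chat assistant, carrying both the OAuth scopes and the corroborating DNS query plus the `pii_exposure` factor from the DLP event five minutes later, and one for the meeting-notes service seen only in DNS. The GitHub Copilot grant produces nothing because it is on the `approved_tools` list, which is the exception path the YAML above is meant to encode.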

Next Steps