Shadow AI Inventory & Risk Scoring Workbook
Discover, inventory, and score every unapproved AI tool in your environment — 10 tabs, 589 formulas, pre-seeded with 15 real-world shadow AI tools and a defensible 10-factor risk model.
Shadow AI is already inside your org. The question is whether you know what's there, who's using it, and what it's doing with your data. This workbook gives you a structured, defensible methodology to find it, classify it, and govern it — built for the 2026 enforcement environment.
Pre-seeded with 15 real tools (ChatGPT, Claude, Copilot, M365 Copilot, Gemini, Notion AI, Grammarly, Perplexity, Jasper, Otter.ai, Fireflies, Cursor, Custom GPTs, Zapier AI, ElevenLabs) so you recognize your own environment immediately.
Risk Scoring — a 10-factor weighted model summing to 100: Data Sensitivity (25), Training on Data (15), Account Type (12), Retention (10), SSO (8), Access Scope (8), User Count (6), Criticality (6), Regulatory (6), Agentic (4). Every weight is documented and tunable. Auto-produces a tier (Low / Medium / High / Critical) and recommended action per tool.
Risk Heatmap — 5×4 matrix (Data Sensitivity × Risk Tier) showing where shadow AI concentrates across your environment.
Dashboard — six top-line KPIs, Governance Maturity Score, Governance Tier (MATURE / DEVELOPING / AD-HOC / REACTIVE / AT RISK), and a live Top 10 highest-risk tools ranked by formula with recommended actions.
Also includes: Discovery Survey (10 questions, amnesty-program framing), AI Tool Inventory (21 attributes per tool), Decisions Log (pre-seeded with 4 governance decisions), 22-control Policy Tracker, Data Classification reference table, and 17-term Glossary.
Regulatory alignment: EU AI Act (Articles 16, 50, 61), NIST AI RMF (Govern/Map/Measure/Manage), ISO/IEC 42001. Specific to 2026 deadlines, not generic compliance boilerplate.
The 450-paragraph User Guide covers all six discovery channels, vendor-specific inventory guidance for OpenAI/Anthropic/Google/Microsoft/GitHub, scoring methodology with weight-tuning guidance, a complete week-by-week amnesty program playbook, a 1-page AI policy template, and full regulatory mapping.
What's included
- Excel (.xlsx) — fully editable
- Word (.docx) — User Guide — fully editable
- Instant download after purchase
- Free updates — re-download when we release new versions
- Practitioner License: unlimited client use (vCISO / MSP)