Shadow AI Registry

Your organisation is already using AI tools nobody approved.

ChatGPT handling customer queries. Copilot processing confidential documents. Automation tools your teams adopted because they were useful, not because anyone asked whether they should. This is shadow AI — and it's in almost every enterprise. Verdix makes it visible, classified, and governed — before it becomes a regulatory problem.

The Risk

Shadow AI isn't just an IT problem. It's a governance gap.

Under the EU AI Act, organisations are responsible for AI systems they deploy — whether or not those systems were formally sanctioned. An employee using an unsanctioned AI tool to process customer data isn't exempt from Article 9 risk management obligations because IT didn't know about it.

The question isn't whether shadow AI exists in your organisation. It does. The question is whether you've captured it, classified it, and made a governance decision about it before a regulator asks.

Regulatory exposure

Article 9 EU AI Act risk management obligations apply to AI in use, not just AI formally approved.

Data classification risk

Unsanctioned tools handling confidential or restricted data create GDPR exposure without any governance trail.

Investment distortion

Initiatives proposing AI tools that already exist informally in the organisation are scored incorrectly without this data.

The Approach

We don't scan your network. We ask the people who already know.

Technical infrastructure scanning finds AI tools after the fact. It requires IT access, integration overhead, and weeks of setup before it produces useful data.

Verdix takes a different approach. The people submitting AI initiatives already know which tools their teams use informally. We capture that knowledge during the governance intake process — when it's most useful, before any investment decision is made.

01  Declaration during intake

Every initiative submission includes a structured Shadow AI section: which tools are already in use, the vendor, the data classification of information they handle, the number of users, and whether IT and Legal are aware. Felix, the AI governance advisor, guides this conversationally.

02  Automatic risk scoring

Declared shadow AI tools are assessed against seven risk criteria. Unsanctioned tools handling confidential or restricted data automatically apply a risk modifier to the initiative score. High-risk flags create mandatory evidence requirements — the initiative cannot progress to the Decide stage until the flagged tools are either formally sanctioned or replaced.

03  Portfolio registry

Across the entire portfolio, Verdix aggregates all declared shadow AI tools into a Shadow AI Registry — filterable by vendor, data classification, risk level, and sanction status. Updated automatically as new initiatives are submitted.

The Registry

One view of every informal AI tool across your entire AI portfolio.

The Shadow AI Registry gives your CISO and risk team a live, structured inventory of AI tools in informal use across the organisation. Not a one-time audit — a continuously updated record built from the governance process itself.

  • Filter by vendor, tool type, data classification, risk level, and sanction status
  • See which initiatives are affected by each shadow AI tool
  • Track remediation status — sanctioned, in review, replaced, or escalated
  • Export as CSV for regulatory audit and board reporting
  • EU AI Act Article 9 alignment note on every registry view

Verdix captures shadow AI through stakeholder declaration during the governance intake process — making informal AI tool use a formal, accountable governance artefact before any deployment decision is made. No infrastructure scanning required.

Declaration vs Scanning

Technical scanning finds tools. Declaration governs them.

                       Technical scanning                       Verdix declaration
Setup time             Weeks — requires IT integration          Zero — built into intake
What it captures       Tool presence                            Tool presence + context + intent + data classification
Pre-production         Not available — scans deployed systems   Native — captured before any deployment
Governance output      Discovery report                         Governance-grade artefact with risk score
EU AI Act alignment    Indirect                                 Direct — Article 9 risk management documentation

Make shadow AI a governance artefact, not a compliance surprise.

See how the Shadow AI Registry surfaces, classifies, and remediates informal AI tool use across your organisation.