Detection & Prevention Tactics
A five-level maturity model for detecting and preventing Shadow AI usage — from zero controls to mature governance. Find where you are and plan your path forward.
Detection Maturity Model
Level 0
Description
No AI usage policy exists. No technical controls block access to AI tools. Employees use whatever they want, whenever they want. Zero visibility into what data is leaving the organisation.
Risk Level
Critical. You have no idea what data employees are feeding into AI tools. You cannot report on AI usage to auditors or compliance teams. You are one incident away from a Samsung-scale breach.
Tools Required
None currently deployed
Est. Cost / Difficulty / Timeframe
$0 / N/A / N/A
Level 1
Description
Written AI usage policy distributed to all staff. Covers approved/prohibited tools, data classification rules, and incident reporting. Training delivered but no technical enforcement. Relies entirely on employee compliance.
Risk Level
High. Policy alone reduces risk by roughly 30-40% through awareness, but determined or careless users can still bypass it completely. No detection capability means breaches go unnoticed.
Tools Required
Policy document, training materials, acknowledgement tracking
Est. Cost / Difficulty / Timeframe
$0-$2K / Low / 1-2 weeks
Level 2
Description
DNS-level filtering blocks access to known AI tool domains (chatgpt.com, claude.ai, gemini.google.com, etc.). Network logs capture attempted access. You can see who is trying to use AI tools, even if you cannot inspect the content of prompts.
Risk Level
Medium. Blocks casual usage but savvy users can bypass via VPN, mobile hotspot, or lesser-known AI tools not in your block list. You have detection but not comprehensive prevention.
Tools
DNS Filtering: Cisco Umbrella, Cloudflare Gateway
Network Monitoring: Existing SIEM, firewall logs
Est. Cost / Difficulty / Timeframe
$5-15K/yr / Medium / 2-4 weeks
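An added example, not part of the original page: one way to turn resolver logs from the DNS filtering stage described above into a per-client report of attempted AI tool access. The log format (timestamp, client IP, query name, action) and the sample lines are constructed assumptions; exports from products such as Cisco Umbrella or Cloudflare Gateway use their own schemas.

```python
from collections import defaultdict

# Domains named on this page; a production block list would be longer.
AI_DOMAINS = {"chatgpt.com", "claude.ai", "gemini.google.com"}

# Constructed sample resolver log: "timestamp client_ip qname action".
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.4.17 chatgpt.com. BLOCKED
2024-05-01T09:00:05Z 10.0.4.17 cdn.chatgpt.com. BLOCKED
2024-05-01T09:01:12Z 10.0.7.22 gemini.google.com. BLOCKED
2024-05-01T09:02:30Z 10.0.7.22 mail.google.com. ALLOWED
2024-05-01T09:03:44Z 10.0.9.3 notchatgpt.com. ALLOWED
2024-05-01T09:04:10Z 10.0.4.17 CLAUDE.AI. ALLOWED
malformed line
"""

def match_ai_domain(qname):
    """Return the listed domain that qname equals or is a subdomain of, else None."""
    labels = qname.rstrip(".").lower().split(".")
    # Compare on label boundaries so notchatgpt.com does not match chatgpt.com.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in AI_DOMAINS:
            return candidate
    return None

def summarise(log_text):
    """Per-client counts of AI-domain lookups, split by resolver action."""
    report = defaultdict(lambda: {"blocked": 0, "allowed": 0, "domains": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed format
        _ts, client, qname, action = fields
        domain = match_ai_domain(qname)
        if domain is None:
            continue
        entry = report[client]
        entry["domains"].add(domain)
        # An ALLOWED hit on a listed domain points to a gap in the filter policy.
        entry["blocked" if action == "BLOCKED" else "allowed"] += 1
    return dict(report)

if __name__ == "__main__":
    for client, entry in sorted(summarise(SAMPLE_LOG).items()):
        print(client, entry["blocked"], entry["allowed"], sorted(entry["domains"]))
```

The report only covers domains in the list and traffic that reaches the filtered resolver, so the VPN, hotspot and unlisted-tool bypasses noted under Risk Level remain invisible to it.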
Level 3
Description
Endpoint DLP agents inspect content being pasted or uploaded to AI tools and block sensitive data in real-time. Browser extension controls restrict which AI sites can be accessed. CASB solutions with AI-specific categories monitor and control SaaS AI tool usage across the organisation.
Risk Level
Low-Medium. Active prevention catches most accidental leaks. Sophisticated users may still find edge cases, but the vast majority of Shadow AI usage is blocked or flagged. This is the recommended minimum for defence organisations.
Tools
Endpoint DLP: Microsoft Purview, Forcepoint DLP
CASB: Netskope, Zscaler
Browser Controls: Managed browser policies, extension whitelisting
Est. Cost / Difficulty / Timeframe
$30-80K/yr / High / 1-3 months
Level 4
Description
Full governance stack: SaaS discovery tools automatically detect new AI tools appearing on the network. Automated prompt scanning inspects outbound prompts for sensitive data patterns. Approved AI tools are provisioned centrally with SSO and data residency controls. Regular audits review AI usage patterns and policy compliance.
Risk Level
Low. Comprehensive visibility and control. New AI tools are detected within hours. Sensitive data is caught before it leaves the perimeter. Approved tools give employees a compliant path to AI productivity. Audit trail for compliance reporting.
Tools
SaaS Discovery: Josys, Zylo, Productiv
Prompt Scanning: Nightfall AI, custom DLP rules
Approved Provisioning: Enterprise AI platforms with SSO
Auditing: Quarterly AI usage reviews, compliance dashboards
Est. Cost / Difficulty / Timeframe
$80-200K/yr / Very High / 3-6 months
Key Insight
Start with Level 1 (policy) immediately — it costs nothing and can be done this week. Then build toward Level 2-3 technical controls while the policy sets expectations. Waiting for perfect technical controls before doing anything is the worst strategy.
Control Implementation Planner
Select your organisation's current maturity level to see a recommended roadmap of next steps with priorities.