Shadow AI Assessment
From knowing where AI leaks to controlling how it works
The Exposure Scan shows where AI touches your business in one day. This assessment puts you in control of it. Across workshops and stakeholder interviews we work through four steps: Discovery (what is actually in use, including personal accounts, browser extensions, and tools with standing OAuth access to your mail and files), Enablement (giving people sanctioned tools good enough that workarounds die), Governance (a livable policy, enterprise-grade contracts, EU AI Act obligations), and Maturity (measured value, skills, and a funded roadmap). Evidence-based scoring throughout: claims without shown evidence cap at 3.
Runs on the Galactus assessment platform: anchored questions, evidence-based scoring, and red flags that override averages. See how our assessments work
34 anchored questions · 4 model steps · aligned to the EU AI Act
Where this sits
- 1GRIP Exposure Scan (free, 2 minutes, self-service): Your first signal.
- 2AI Exposure Scan (1 day on site, fixed fee): Where AI actually lives and your three biggest risks, named.
- 3Shadow AI Assessment (multi-week): Full control: verified discovery, policy, enablement, governance, and a funded roadmap.
Clear entry point
We define the mandate, decision context, and expected outcomes before moving into analysis or execution.
Controlled risk posture
Recommendations account for governance, security, continuity, delivery pressure, and business appetite.
Executive handover
Outputs are framed for leadership decisions, operational ownership, and measurable follow-through.
What You Get
- A verified inventory of AI usage: sanctioned, shadow, and the tools with standing access to your data
- Data flows mapped per tool: what goes into which AI, under which contractual terms
- A livable AI policy people can actually repeat, not a ban they route around
- Your EU AI Act position: deployer obligations, high-risk use cases, literacy duty
- Governance that covers vendor-pushed AI features, not just new tools
- A maturity roadmap with owners, budget logic, and kill criteria
Ideal For
- Organizations whose Exposure Scan or GRIP result demands more than a one-day answer
- Leadership that wants AI productivity without uncontrolled data exposure
- Companies whose customers have started sending AI questionnaires down the chain
- Boards that need demonstrable AI governance, not a policy PDF
Discovery involving usage logs or expense data is executed with explicit consent and respect for Belgian employee-monitoring rules (CAO nr. 81, GDPR); we review patterns, not individuals.
Start with your free GRIP score.
Self-serve, 2 minutes: a 0 to 100 read on how exposed your organization is to uncontrolled AI usage.