30 Days Gen AI Risk Trial -Start Now
Book a demo
Free Shadow AI risk assessment

Score your Shadow AI exposure

Answer seven quick questions about how your workforce uses AI today. We will score your unmanaged AI risk from 0 to 100 and show you where to start. Takes about two minutes. No email needed to see your result.

Question 1 of 813%

How many employees does your organisation have?

More people means more surface area for unsanctioned AI usage.

Free audit checklist

Shadow AI Risk Assessment Checklist

Aona's free interactive Shadow AI risk assessment scores your exposure from 0 to 100. This checklist turns the same dimensions into audit questions you can work through with IT, security and compliance. Your organisation's size and industry set the context; the six areas below are the ones you can actually change.

1

Visibility and discovery

  • Inventory every AI tool in use
    Can you produce a list of every AI tool employees have used in the last 30 days, including free browser-based tools?
  • Move beyond surveys
    Is your visibility based on real usage telemetry rather than self-reporting or an annual questionnaire?
  • Map the data flows
    Do you know which AI tools receive company data via typed prompts, copy-paste or file uploads?
2

Policy and acceptable use

  • Publish a written AI policy
    Is an AI acceptable-use policy written, communicated and acknowledged by every employee?
  • Name approved tools and banned data
    Does the policy list approved tools, prohibited data categories and an approval path for new tools?
  • Enforce it technically
    Is the policy backed by controls at the point of use, rather than relying on trust alone?
3

Controls at the point of use

  • Block sensitive data in real time
    Can you stop PII, client data, credentials or source code before it reaches an AI tool?
  • Redact instead of banning
    Can you redact sensitive fields so employees keep the productivity without the exposure?
  • Cover files, not just prompts
    Do your controls inspect file uploads as well as typed text?
4

Sanctioned AI adoption

  • Offer approved alternatives
    Have you sanctioned enterprise-grade options for the ChatGPT, Copilot, Gemini and Claude use cases employees already have?
  • Retire consumer accounts
    Are enterprise tiers, with training-data opt-outs, SSO and data residency, replacing personal accounts?
  • Make approval fast
    Is there a well-known, fast route to request a new AI tool so employees do not route around IT?
5

Incident readiness

  • Have a response plan
    Is there a documented plan for an AI-related data exposure, with named owners and timelines?
  • Test your detection
    Would your monitoring actually flag sensitive data pasted into an unsanctioned AI tool today?
  • Learn from near-misses
    Are past AI incidents and near-misses reviewed for root cause and fed back into controls?
6

Device and identity foundations

  • Enrol devices
    Are endpoints under MDM or Intune so AI controls can be deployed and enforced at scale?
  • Centralise identity
    Is access to sanctioned AI tools governed through SSO, with Entra or a similar identity provider?
  • Account for unmanaged devices
    Do you know how much AI usage happens on BYOD and unmanaged devices, and is it in scope?
Download the checklist (PDF)

One A4 page, no email required. You can also print this section directly from your browser.

Go deeper

FAQ

Common questions

Each of the seven questions contributes points based on how much unmanaged AI usage you have and how few controls are in place. Higher adoption, regulated data and weaker controls raise the score. The points are normalised to a 0 to 100 scale and mapped to a tier: Low, Moderate, Elevated or Critical.

See your real Shadow AI exposure, not an estimate

Run Aona alongside your existing tools for 30 days. Discover every AI tool and agent, prove where sensitive data is going, and turn on enforcement where it matters.