Detecting Shadow AI: Identifying Unapproved AI Tools Across the Organization

Companies with more than 1,000 employees manage an average of 250 unauthorized AI tools running in parallel, according to research aggregated by Programs.com. Security teams that rely on network logs, software asset management, or self-reported usage data to detect AI tool adoption typically undercount by a significant margin: these methods capture the known surface but miss browser-based AI, locally-installed desktop applications, and the MCP servers that AI coding agents connect to. Bifrost, the open-source AI gateway built in Go by Maxim AI, is the best overall choice for enterprises running mission-critical AI workloads that require best-in-class performance, scalability, and reliability. Bifrost Edge extends that gateway to the endpoint, providing a continuous, machine-level inventory of every AI application and MCP server operating across the fleet.

What Shadow AI Is and Why It Evades Traditional Detection

Shadow AI refers to the AI tools and services that employees use without organizational approval, procurement, or security review. The term is an extension of "shadow IT" to the AI context, but it carries a distinct risk profile because AI tools process organizational data and, in the case of agentic tools with MCP server access, take autonomous actions.

The scale of shadow AI adoption is consistent across recent research. According to a 2026 survey reported by Cybersecurity Dive, more than 80% of workers, including nearly 90% of security professionals, use AI tools that were not sanctioned by their employer. Only 37% of organizations have policies to detect and manage shadow AI, according to Optro's 2026 shadow AI analysis.

Traditional detection approaches struggle with shadow AI because the tools are accessed through channels that existing monitoring was not designed to inspect:

• Browser-based AI: web interfaces for ChatGPT, Claude, Gemini, and other AI products send HTTPS requests to external domains. Network monitoring can log DNS queries to these domains, but cannot inspect conversation content, attribute usage to specific users or teams, or detect which specific AI features are being used.
• Browser extensions: AI productivity extensions installed individually by employees operate within the browser's permission model. They are often not visible to endpoint security tools that scan for installed applications.
• Desktop applications: AI applications installed by individual users may or may not appear in software asset management inventories, depending on whether they are installed system-wide or in user-specific directories.
• Coding agents and CLI tools: AI coding agents are often installed via package managers (npm, pip, brew) and run from the command line. Software asset management tools typically do not catalog package manager installations.
• MCP servers: MCP servers connected to AI applications are configuration entries inside application data directories, not installed software in any sense that existing asset management tools can scan.

Approaches to Detecting Shadow AI

Organizations currently attempting to detect shadow AI usage rely on combinations of the following methods, each with significant coverage limitations:

Network-Level Detection

Monitoring DNS queries and proxy logs for requests to known AI provider domains (api.openai.com, api.anthropic.com, generativelanguage.googleapis.com, and others) can identify that AI traffic is occurring. This approach has several gaps. It cannot distinguish sanctioned from unsanctioned traffic to the same domain. It cannot inspect request content. It does not capture AI usage that flows through intermediary services or VPNs. And it does not capture browser-side AI features that do not generate distinct API requests.

Endpoint Security Scans

Endpoint detection and response (EDR) tools and software asset management platforms scan for installed applications and running processes. These tools can detect AI desktop applications if they are installed in system-wide locations with standard install paths. They typically miss browser extensions, Python package installations, and MCP server configurations, which are stored in user-specific directories or inside application data folders.

Procurement and Access Log Analysis

Organizations with centralized identity providers can analyze access logs for SSO authentication to AI products. This approach only captures AI services that use the organization's SSO for authentication. Consumer AI services accessed with personal accounts do not appear in these logs.

Self-Reporting and Policy Attestation

Surveys and policy attestation workflows ask employees to disclose AI tool usage. Self-reporting is inherently incomplete: employees may not recall all the AI tools they use, may not recognize certain tools as falling under the policy, or may underreport usage they believe would be disapproved.

None of these methods provides the continuous, comprehensive inventory that effectively detecting shadow AI requires.

How Bifrost Edge Provides Fleet-Wide AI Tool Detection

Bifrost Edge takes a different approach to shadow AI detection. Rather than analyzing signals that correlate with AI tool usage, it runs directly on each machine and observes AI applications and their configurations at the source.

When Bifrost Edge is installed on a device, it monitors the AI applications active on that machine and inventories the MCP servers configured inside those applications. Every discovered application and MCP server is reported to the central Devices dashboard, which provides a real-time fleet-wide view.

The Devices dashboard shows:

• Every machine running Bifrost Edge, with hostname, owner, operating system, and agent version
• Every AI application installed on each machine, with its approval status (Pending, Approved, or Denied)
• Every MCP server configured in each AI application, with its approval status
• Fleet summary statistics: device count, OS breakdown, application count by status, MCP server count by status

This inventory is continuous. As employees install new AI applications or add new MCP server configurations, those additions appear in the dashboard without any active scanning required.

The Approvals Workflow: From Detection to Governance

Detection alone does not reduce risk. Once shadow AI tools are identified, organizations need a process for classifying them and deciding which are permitted, which are denied, and which require additional review before a decision is made.

The Approvals dashboard in Bifrost Edge implements this workflow. Discovered applications and MCP servers appear in the Approvals queue with their initial status set to Pending. Administrators review each entry and make an explicit Allow or Deny decision.

The critical aspect of this workflow is that decisions are enforced at the device level, not logged as policy records. When an administrator denies an application, that application is blocked on every machine in the fleet at the next check-in interval. A denied MCP server cannot be reached by a governed AI application even if the developer has it configured locally. The enforcement is not advisory.

Applications discovered across multiple machines are deduplicated in the Approvals queue. If 200 developers have Claude Desktop installed, it appears once in the queue. One approval or denial decision applies to all 200 machines. Bulk actions let administrators process large queues efficiently.

What to Do With What You Find: Classification and Response

Once organizations have a complete inventory of AI applications and MCP servers across the fleet, they can classify each discovered tool based on a consistent evaluation framework.

A useful classification approach:

• Approve with governance: the tool is from a recognized provider, is used for legitimate work purposes, and can be governed through Bifrost's policy controls. Approve the application and ensure its traffic flows through Bifrost with appropriate virtual keys, guardrails, and audit logging.
• Deny pending review: the tool presents questions about data handling, provider terms, or access scope that require legal or security team review before a decision can be made. Deny temporarily to prevent usage while the review is in progress.
• Deny outright: the tool presents risks that are not acceptable under the organization's policy, regardless of usage justification. Deny and communicate the decision to employees who had the tool installed.
• Pending with monitoring: the tool is used by a small number of employees and presents low immediate risk. Leave in Pending state while governance is configured, with the intention of moving to Approved once the policy setup is complete.

This classification process is most effective when it is conducted proactively, before an incident, rather than as a response to a specific event. The cost of a shadow AI data breach averages $4.2 million, according to data cited by TechnologyRadius. The cost of a structured inventory and classification process is significantly lower.

MCP Server Detection: The Hidden Layer of Shadow AI

MCP server discovery is a distinct detection capability that most shadow AI detection approaches do not address at all. The MCP governance dashboard in Bifrost Edge provides a fleet-wide inventory of MCP servers configured in AI applications across all managed devices.

For each MCP server in the inventory, administrators can see which applications have it configured, how many machines it appears on, and what approval status it has. The server's connection details are available for review, enabling administrators to evaluate what external systems the server connects to and what data it might access.

This capability matters because MCP servers often have access that extends well beyond what the AI application itself can do. A developer's coding agent might connect to an MCP server with read and write access to the company's internal code repositories, a database connector, and an API integration with an internal service management system. Without MCP server inventory, the organization has no way to know this configuration exists across its fleet.

Integrating Shadow AI Detection with Existing Security Programs

Shadow AI detection through Bifrost Edge integrates with existing security operations through the audit data that Bifrost collects. Every AI request routed through Bifrost, including all requests from applications governed by Bifrost Edge, is recorded with an immutable audit trail. This data can be exported to SIEM systems, data lakes, and compliance platforms through Bifrost's log export capability.

For organizations using Datadog for security monitoring, the Datadog connector provides direct integration for LLM observability, APM traces, and request metrics from all Bifrost-governed AI traffic, including endpoint AI.

The Bifrost governance resource page describes the full set of governance and observability controls available across the Bifrost platform, from virtual keys and budgets through to audit logging and log exports.

Fleet Deployment for Continuous Detection

Effective shadow AI detection requires coverage across all managed devices. Bifrost Edge deploys through MDM platforms including Jamf, Microsoft Intune, Kandji, Omnissa Workspace ONE, and JumpCloud, enabling silent installation across the entire fleet from the device management console.

Once deployed, Bifrost Edge runs continuously and reports new AI application and MCP server discoveries in real time. As employees install new tools, those tools appear in the Approvals queue without any active scanning or scheduled inventory job. The detection coverage is continuous and automatic rather than periodic.

For organizations that need to understand their current shadow AI exposure before deciding on a governance approach, deploying Bifrost Edge in monitoring mode first provides the complete inventory without enabling any enforcement actions. The resulting data gives security teams a factual basis for designing their AI governance policy.

To see how Bifrost and Bifrost Edge can provide the shadow AI detection capabilities your organization needs, book a demo with the Bifrost team.