AI Governance - 10 min read

Shadow AI Is the AI on Your Network Right Now. We Built a Registry to Make It Visible.

Today Aeon AI Risk Management is launching the Shadow AI List, a maintained, risk-ranked registry of the 420 AI tools your employees and their agents are most likely using right now. Built to load into your firewall, SIEM, and DLP so the AI on your network stops being invisible. Inside: why classic shadow IT playbooks fail, the four risks regulated enterprises should track, and how the AI Exposure Index (AEX) ranks tools inside their category.

Ask a CISO at any mid-market or regulated firm what AI tools their employees are actually using. The honest answer is some version of "the sanctioned ones, plus whatever the browser will load." The unsanctioned column is where the real risk lives, and it is the column most enterprises cannot see.

Today Aeon AI Risk Management is launching the Shadow AI List, a maintained, risk-ranked registry of the AI tools your people and their agents are most likely to be using right now. It is built to be loaded into your firewall, SIEM, and DLP, so the AI on your network stops being invisible.

What "shadow AI" actually means

Shadow AI is the use of AI tools (chatbots, coding copilots, meeting transcribers, agent platforms, image and video generators) by employees outside of any sanctioned AI program. It is the AI for which no procurement record exists, no DPIA was written, no vendor diligence was completed, no acceptable-use policy was signed, and no audit trail is kept.

The volume is not a marketing number. Hundreds of new AI tools ship every quarter. Most have a browser-only entry path that bypasses every classic procurement choke point. Many are free. Many are useful enough that people will route around an outright block. And many train on user input by default, with the contractual mechanism to opt out either buried in a paid tier or absent entirely.

The result is a steady, untracked outflow of data from regulated environments into a vendor cloud the enterprise has no relationship with.

Why classic shadow IT playbooks do not carry over

Shadow IT was a known shape: an employee adopting a SaaS application the IT department had not blessed. The remediation pattern was familiar. Discover via CASB, classify, enter procurement, sign a DPA, log the integration, and either sanction it or block it.

Shadow AI breaks several assumptions in that playbook.

The first is that the surface is bounded. With shadow IT, an enterprise could plausibly enumerate the SaaS apps in use. With shadow AI, the surface keeps expanding, and the tools your people reach for next week did not exist last quarter.

The second is that the data flow is structured. Shadow IT typically moved data into a database. Shadow AI moves data into a prompt, which the vendor may use to improve its model, which is then exposed back to every other user of that vendor. The exfiltration pathway is not just storage; it is the training surface.

The third is that the vendor relationship is the unit of risk. With shadow IT, you assessed the vendor. With shadow AI, the vendor may be a thin wrapper on a foundation model run by another company, with a third company hosting the inference. Diligence on the visible vendor does not cover the chain.

This is why a sticky note that says "use the approved tools only" does not survive contact with reality, and why a CASB alone does not solve it.

The four risks regulated enterprises should worry about

Data exfiltration without storage. A prompt that contains client data, source code, model weights, deal terms, or a regulated record leaves the perimeter the moment it is sent. Whether the vendor "stores" it is the wrong question; the relevant question is whether it was used to update a model that other users now query.

Training on our data, by default. A non-trivial fraction of consumer AI tools train on user input unless the user finds the toggle, and the toggle is often only available in the paid tier. A regulated enterprise that has not enumerated these defaults at the tool level cannot make a defensible claim about where its data has been.

Vendor diligence gap. OSFI B-10 places obligations on federally regulated institutions for third-party arrangements that involve material risk. Most shadow AI usage is a third-party arrangement that no one logged. The gap is not theoretical; it is the entire reason the guideline exists.

Compliance trail gap. The EU AI Act, ISO 42001, NIST AI RMF, AIDA in Canada, and sector rules like OSFI E-23 and B-13 all assume the enterprise can produce a list of the AI systems it deploys or uses. An organization that cannot answer "what AI is in use here" cannot answer any of the downstream questions those frameworks require.

The methodological problem with existing AI tool lists

Most published AI tool lists are either an analyst's opinion or a single traffic-rank number. Neither is operationally usable. An analyst opinion does not update at the cadence shadow AI moves. A traffic rank conflates a viral consumer toy with a vendor that has actually penetrated enterprise data. A list that ranks Midjourney against GPT-5 against a payroll integration is not a list anyone can build policy on.

The Shadow AI List is built differently. We rank each tool inside its category, so an image generator is never ranked against a foundation model. The score is a composite, the AI Exposure Index (AEX), built from seven dimensions: prevalence, velocity, intensity, reach, integration depth, visibility (how detectable the tool is on a normal security stack), and risk weight. The signals are a mix of developer adoption (GitHub, npm, PyPI, Hugging Face, Docker), consumer adoption (search interest, app stores), enterprise penetration (job listings, review volume, compliance attestations), and a detection layer of domains, IPs, and binaries security teams can actually pivot on.

The methodology is open. The maintained data and the weekly cadence are the product.
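To make the in-category ranking concrete, here is an added Python illustration of a seven-dimension composite scored and ranked the way the paragraph above describes. It is not Aeon's code: the dimension names are the seven from the article, but the weights, the decision to treat low visibility as adding exposure, and the four sample tools are assumptions constructed for this example.

```python
"""Composite exposure score, ranked inside each category.

Added example, not Aeon's implementation. Dimension names follow the
article; weights, the visibility inversion and the sample rows are
assumptions constructed for the illustration.
"""
from collections import defaultdict

DIMENSIONS = ("prevalence", "velocity", "intensity", "reach",
              "integration_depth", "visibility", "risk_weight")

# Assumed weights (sum to 1.0); the article does not publish Aeon's values.
WEIGHTS = {"prevalence": 0.20, "velocity": 0.10, "intensity": 0.15,
           "reach": 0.15, "integration_depth": 0.15, "visibility": 0.10,
           "risk_weight": 0.15}

# Assumption: visibility measures how detectable a tool is on a normal
# security stack, so a hard-to-see tool should raise exposure. Dimensions
# listed here are inverted after scaling.
INVERTED = {"visibility"}

# Constructed sample registry rows; raw signals on arbitrary scales.
SAMPLE_TOOLS = [
    {"name": "Chat-A", "category": "chatbot", "prevalence": 100, "velocity": 10,
     "intensity": 10, "reach": 100, "integration_depth": 5, "visibility": 1.0,
     "risk_weight": 2},
    {"name": "Chat-B", "category": "chatbot", "prevalence": 20, "velocity": 30,
     "intensity": 6, "reach": 40, "integration_depth": 2, "visibility": 0.2,
     "risk_weight": 5},
    {"name": "Img-A", "category": "image_video", "prevalence": 60, "velocity": 20,
     "intensity": 4, "reach": 70, "integration_depth": 1, "visibility": 0.6,
     "risk_weight": 3},
    {"name": "Img-B", "category": "image_video", "prevalence": 10, "velocity": 50,
     "intensity": 2, "reach": 10, "integration_depth": 1, "visibility": 0.1,
     "risk_weight": 4},
]


def min_max_scale(tools):
    """Scale every dimension to [0, 1] across the whole registry.

    A dimension with no spread maps to 0 so a constant column never
    divides by zero; inverted dimensions become 1 - x after scaling.
    """
    bounds = {}
    for dim in DIMENSIONS:
        values = [t[dim] for t in tools]
        bounds[dim] = (min(values), max(values))
    scaled = []
    for t in tools:
        row = {}
        for dim in DIMENSIONS:
            lo, hi = bounds[dim]
            x = 0.0 if hi == lo else (t[dim] - lo) / (hi - lo)
            row[dim] = 1.0 - x if dim in INVERTED else x
        scaled.append(row)
    return scaled


def aex_scores(tools):
    """Return {name: score on 0..100}: weighted sum of the scaled dimensions."""
    scaled = min_max_scale(tools)
    return {t["name"]: round(100 * sum(WEIGHTS[d] * row[d] for d in DIMENSIONS), 1)
            for t, row in zip(tools, scaled)}


def rank_within_category(tools):
    """Group by category and rank descending by score.

    Returns {category: [(rank, name, score), ...]}; an image generator is
    only ever ranked against other image generators.
    """
    scores = aex_scores(tools)
    by_cat = defaultdict(list)
    for t in tools:
        by_cat[t["category"]].append((t["name"], scores[t["name"]]))
    ranked = {}
    for cat, rows in by_cat.items():
        rows.sort(key=lambda r: (-r[1], r[0]))
        ranked[cat] = [(i + 1, name, score) for i, (name, score) in enumerate(rows)]
    return ranked


def global_rank(tools):
    """Flat ranking across categories, kept only to contrast with the in-category view."""
    scores = aex_scores(tools)
    ordered = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return {name: i + 1 for i, (name, _) in enumerate(ordered)}


if __name__ == "__main__":
    flat = global_rank(SAMPLE_TOOLS)
    for cat, rows in rank_within_category(SAMPLE_TOOLS).items():
        for rank, name, score in rows:
            print(f"{cat:12s} #{rank} {name:7s} AEX {score:5.1f} (flat list #{flat[name]})")
```

With these constructed rows, Img-A is third on a flat list but first in its category, which is the distinction the article draws between a single traffic rank and an in-category score.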

What the registry covers today

420 tools, ranked. 667 detection domains your DNS, firewall, and SIEM can already match against. Categories include chatbot, model hub, coding agents, meeting transcription, sales and marketing, HR and recruiting, productivity agents, image and video, data analytics, agent tooling, and writing. The list is re-verified every release: each tool's domain has to resolve and match the vendor, at least two independent signals must be current, vendor identity is confirmed, and every new entry gets a human pass.

The top fifteen tools by exposure today include the names you would expect: ChatGPT, Gemini, Copilot, Claude. They also include several that quietly score very high inside their category but rarely surface in policy: meeting transcribers your people use without thinking, sales automation that touches CRM data, HR tools that ingest resumes and interview recordings. The full ranked top fifteen is free to view at /top.

The other hidden-risk surface is the long tail of tools that are not household names but score Critical or High on data risk. DeepSeek is one. So are several specialized agent platforms. Those are the ones a CISO finds on the network and asks "when did this get here."

How to operationalize it

The Shadow AI List is designed to be loaded into the tools you already run.

In your DNS resolver, firewall, or SWG, the detection domains become the allow/log/block list. You decide the posture per category and per tool, and the list keeps the underlying domains current.

In your SIEM, the registry becomes an enrichment source. When a user agent or DNS lookup hits a tool you have not classified, the platform tags it with category, risk score, and whether the tool trains on user input.

In your DLP, the categorization drives the policy. Tools flagged as training on user input get the strictest content rules; vendor-controlled enterprise tiers get a softer ruleset.

In your vendor onboarding, the entry for the tool becomes the starting point for the diligence file. A team that is asked to onboard a new AI vendor begins with the registry entry rather than a blank template.

This is the loop that turns "we do not know what AI is on our network" into a maintained, auditable program.
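The DNS, SIEM and DLP steps above are one loop, so here is a single added Python example that walks it end to end: load a registry excerpt, index its detection domains, enrich sample resolver log lines with tool, category, risk and training flag, derive a per-category posture with per-tool overrides, assign a DLP tier, and export the domains whose effective posture is block. This is illustrative code, not Aeon's file format or loader: the JSON column names, the `.test` domains, the log line format, the posture table and the DLP tiers are all assumptions constructed for the example.

```python
"""Registry-driven enrichment and posture for DNS log lines.

Added example, not Aeon's code. Registry columns, domains (.test TLD),
log format, posture table and DLP tiers are constructed assumptions.
"""
import json
import re

# Constructed registry excerpt; a real release would be loaded from the
# vendor's file and the column names are an assumption.
REGISTRY_JSON = """
[
 {"tool": "Chat-A", "category": "chatbot", "risk": "High",
  "trains_on_input": true, "enterprise_tier": true,
  "domains": ["chat-a.test", "api.chat-a.test"]},
 {"tool": "Notes-B", "category": "meeting_transcription", "risk": "Critical",
  "trains_on_input": true, "enterprise_tier": false,
  "domains": ["notes-b.test"]},
 {"tool": "Sales-C", "category": "sales_marketing", "risk": "Medium",
  "trains_on_input": false, "enterprise_tier": true,
  "domains": ["sales-c.test"]}
]
"""

# Assumed policy: posture per category, with per-tool overrides winning
# (for example a sanctioned enterprise tenant of an otherwise logged tool).
CATEGORY_POSTURE = {"chatbot": "log", "meeting_transcription": "block",
                    "sales_marketing": "allow"}
TOOL_OVERRIDE = {"Chat-A": "allow"}

# Constructed resolver log lines in an assumed key=value format.
SAMPLE_LOG = """\
2025-03-01T09:12:03Z src=10.20.1.15 query=api.chat-a.test
2025-03-01T09:12:07Z src=10.20.1.16 query=upload.notes-b.test
2025-03-01T09:12:09Z src=10.20.1.17 query=intranet.corp.test
2025-03-01T09:12:11Z src=10.20.1.18 query=sales-c.test.
"""
LOG_LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) query=(?P<qname>\S+)$")


def build_index(registry_json):
    """Map every detection domain (lower-cased, no trailing dot) to its row."""
    index = {}
    for row in json.loads(registry_json):
        for d in row["domains"]:
            index[d.lower().rstrip(".")] = row
    return index


def lookup(index, fqdn):
    """Match the name or any parent: x.api.chat-a.test -> api.chat-a.test -> chat-a.test.

    The loop stops before the bare TLD so 'test' alone can never match.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in index:
            return candidate, index[candidate]
    return None, None


def posture_for(row):
    """Per-tool override first, then the category default, else log."""
    return TOOL_OVERRIDE.get(row["tool"], CATEGORY_POSTURE.get(row["category"], "log"))


def dlp_tier(row):
    """Strictest content rules when the tool trains on input; a softer
    ruleset when a vendor-controlled enterprise tier is the path in use."""
    if row["trains_on_input"]:
        return "strict"
    return "standard" if row["enterprise_tier"] else "elevated"


def enrich(index, line):
    """Parse one log line and attach registry fields; None if unparseable."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    matched, row = lookup(index, event["qname"])
    if row is None:
        event["shadow_ai"] = False
        return event
    event.update(shadow_ai=True, matched_domain=matched, tool=row["tool"],
                 category=row["category"], risk=row["risk"],
                 trains_on_input=row["trains_on_input"],
                 posture=posture_for(row), dlp_tier=dlp_tier(row))
    return event


def export_blocklist(index):
    """Detection domains whose effective posture is block, for a DNS/SWG feed."""
    return sorted({d for d, row in index.items() if posture_for(row) == "block"})


if __name__ == "__main__":
    idx = build_index(REGISTRY_JSON)
    for line in SAMPLE_LOG.splitlines():
        print(enrich(idx, line))
    print("blocklist:", export_blocklist(idx))
```

The parent-domain walk in `lookup` is what lets a single registry entry such as `chat-a.test` cover new subdomains the vendor stands up between releases, while the per-tool override keeps a sanctioned enterprise tenant from being swept up by the category default.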

Pricing

The Free Top 100 is exactly that: the 100 highest-exposure tools by AEX, with names, domains, and category, ready to import as a starter blocklist. It is free, and it is enough to make a real dent.

The Full Pack at $199 is the complete 420-tool registry, every detection domain, and the full risk scoring. It is a one-time purchase of the current release.

Weekly Updates at $499 per year delivers the maintained, re-verified registry every Saturday, so the list never goes stale. This is the tier security and governance teams should be on; shadow AI moves weekly, and so does the data.

What this is, and what it is not

This is a risk-ranked, maintained registry, by Aeon AI Risk Management, designed for security, compliance, risk, governance, and privacy teams.

It is not an outright blocklist. The decision of whether to allow, log, or block a given tool is the customer's, made against their own policy. The list provides the evidence to make those decisions defensibly, and the detection layer to enforce them.

It is not a substitute for a sanctioned AI program. The point of making shadow AI visible is to bring it into the sanctioned program, not to win a game of whack-a-mole.

It is also not a one-time download. Shadow AI is a moving surface, and a static list is a stale list within a quarter.

The shape of the program this enables

Once the registry is loaded, the program changes from reactive to operational.

Procurement sees a new AI tool in the access logs and pulls the registry entry rather than starting a Word document. Risk gets a quarterly view of which tools are in use, ranked, with the diligence gaps flagged. Compliance can answer the regulator's "what AI is in use here" question with an actual list. Engineering and IT stop being the bottleneck for AI tooling decisions and become the enforcement layer for a policy the business actually owns.

This is the operational layer underneath the AI governance documentation. Shadow AI List is the closest thing to a single source of truth a regulated enterprise can get for that layer today.

Browse the registry. Get the free top 100. See the methodology.

Aeon AI Risk Management helps regulated enterprises build AI governance that holds up under audit. The Shadow AI List is the operational registry that sits underneath that work. If shadow AI is on your CISO's risk register and not yet on your sanctioned-AI list, start the conversation.