Shadow AI Dashboard
Monitor and govern AI usage across the org — platform distribution, PII findings, and Palveron Discover.
The Shadow AI dashboard is the CISO's window into AI usage across the company — across browser-based AI (Browser Guard), behavioral detection (Palveron Discover), and trace-level analytics.
Prerequisites
- Tier 1 (URL-based detection) — Browser Guard extension installed on at least one user. See Browser Guard Installation.
- Palveron Discover (Sprint 80+) — Business or Enterprise tier, with
aiDiscoverytoggled on under Settings → Security.
Open the dashboard
Navigate to Monitoring → Shadow AI. The page has five tabs:
| Tab | Purpose |
|---|---|
| Overview | KPIs across all tiers — platform distribution, PII findings, trends |
| Governance | Sanctioned vs. unsanctioned tools, warn-override rates, compliance posture |
| Discovery | Tier-1 events from Browser Guard (URL-based) |
| Reports | CSV / PDF exports for compliance and finance |
| Discover | Tier-2 behavioral detections from Palveron Discover (confirm / dismiss workflow) |
📸 Screenshot: Shadow AI dashboard with the five tabs.
Overview widgets
Platform distribution
Pie chart of which AI platforms employees are actually using — ChatGPT, Claude, Gemini, Copilot, Grok, DeepSeek, Perplexity, Meta AI, plus the long tail. Sourced from Browser Guard Tier-1 detections.
PII findings
Bar chart of PII types found in prompts (email, phone, IBAN, name, SSN, credit card, "other"). Click any bar to drill into the underlying traces.
Timeline
30-day line chart of total AI requests. Use it to spot spikes (new team adopting an AI tool) and steady-state baselines.
Top users (anonymized)
Most active Browser Guard users by request count. Anonymized by default — de-anonymization requires admin rights and writes a tamper-evident governance event.
Sanctioned rate
The percentage of detected AI usage that hits an explicitly sanctioned tool. The target is 100 % — every gap is a Shadow AI candidate to address.
Warn overrides (30d)
How often employees clicked Send anyway on a WARN policy in the last 30 days. High counts on a single policy usually mean the policy is mis-scoped (too sensitive); high counts spread across policies usually mean staff training is needed.
Palveron Discover (behavioral detection)
Discover surfaces AI tools that don't appear in any URL allow-list — because the user is hitting them via a non-obvious path, an extension, or an API call your URL-based detection can't see.
Two live detection vectors:
| Vector | What it sees | Confidence baseline |
|---|---|---|
| SSE fingerprint | Server-Sent Events response bodies fingerprinted in near real time inside the browser | 0.7+ |
| Extension inventory | Browser extensions cross-referenced against a curated registry of AI-tool extensions (30 entries today) | 0.95 (extension presence is binary) |
Two more vectors are schema-ready for Sprint 82-83: dom_signature (DOM patterns of AI UIs) and ws_pattern (WebSocket payload signatures).
Discover workflow
- Detection lands as
status: newin the Discover tab. - Triager reviews evidence:
- For SSE detections — the response fingerprint pattern and confidence.
- For Extension detections — extensionId (monospace), version, vendor, category (writing assistant, code assistant, search AI, etc.), risk level, and the crucial "Trains on user data: Yes / No / Unknown" flag.
- Triager picks Confirm AI or Dismiss.
- Confirm → creates an UNSANCTIONED
AiToolPolicyrow + a CustomAiPlatform entry; the domain shows up in future Tier-1 detections; the Closed Loop fires (SHA-256 attestation hash recorded). - Dismiss → all
newdetections for that domain marked dismissed; future detections for the same domain still register but stop alerting.
- Confirm → creates an UNSANCTIONED
When the project has Flare anchoring active, every Confirm also enqueues a Flare anchor for the attestation hash (Sprint 81+). The trace carries flareEnqueued: true so you can prove the discovery existed at a given timestamp.
Vector badges
In the Discover table, each row carries a colored pill identifying the source vector:
- Blue (SSE) —
Radioicon - Violet (Extension) —
Puzzleicon
A row can collect multiple vectors over its lifetime — the badge is true if any vector detected it. The extension evidence panel expands inline when you click the extension name in the row.
CSV export
Click Export → CSV under any tab. Default range: the last 30 days; switch to Quarter or Year for compliance-bound time windows (the calendar boundaries are exact, not approximations).
Compliance integration
Shadow AI feeds the EU AI Act ctrl.shadow_ai.asset_inventory control:
- Missing — zero
AiToolPolicyrows on the project. - Implemented — at least one row, but all still
PENDING. - Enforced — sanctioned-to-(sanctioned+unsanctioned) ratio ≥ 80 %.
The control is referenced by EU AI Act Art. 9, DORA Art. 8, and NIST MAP 1. See Readiness Score impact for how it rolls into your overall compliance score.