USE-07

Shadow AI Discovery and Conversion Playbook

Provides the discovery methodology, governance gap analysis, and conversion or retirement pathway for unregistered AI tools operating in the organisation.

Module · Operational · Quarterly · Protect lens · Comply lens

Audience

AI Governance Lead · IT Security · Legal Operations · General Counsel · Risk and Compliance

Duration

Discovery sweep 2–3 weeks per quarterly cycle; 1–3 business days per tool assessment; 2–6 weeks per tool conversion pathway.

Executive Summary

USE-07 defines the operational playbook for discovering and remediating Shadow AI—any AI tool in use without an Active DAT-06 AI BoM registration. It treats Shadow AI as a governance health issue rather than purely a misconduct problem, covering tools adopted before governance existed, vendor-embedded AI, and unregistered or lapsed versions of otherwise approved tools. The module specifies a quarterly discovery sweep using IT environment scans, practitioner disclosure surveys, vendor contract reviews, and incident cross-references. Each discovered tool is classified using a four-tier Shadow AI severity model, assessed for governance gaps across data exposure, agentic risk, client impact, and root-cause policy failures. Tools are then either converted into governed status, restricted pending governance, or retired via SUS-06, with Tier 1–2 cases routed through STR-07 incident response. USE-07 aligns with EU AI Act deployer obligations, ISO/IEC 42001 inventory requirements, and ABA supervision duties. It produces DPS-grade evidence of active enforcement, supports continual reduction of the shadow footprint, and turns unregistered tools into either safe, governed assets or cleanly decommissioned systems.

Metric 0 Pre-Check

Before any Shadow AI discovery sweep, confirm two preconditions:

Gate 1 — AI BoM Register Currency

Verify the DAT-06 AI BoM Register is current (updated within the last 30 days) and accessible to the discovery team. If the register is stale, update it before starting discovery; otherwise, you cannot reliably distinguish registered from unregistered tools.

Gate 2 — IT Security Participation Confirmed

Confirm IT Security has allocated resources to support environment scans. If IT Security cannot participate, reschedule the sweep; partial discovery without security input must not be treated as complete coverage.

---

1. Purpose

USE-07 defines the operational methodology for identifying, assessing, and remediating Shadow AI—AI tools operating without current, Active DAT-06 AI BoM registration.

Shadow AI includes:

  • Tools adopted by practitioners unaware of registration requirements.
  • Tools deployed before formal AI governance processes existed.
  • Vendor-embedded AI features not flagged as AI at procurement.
  • Tools whose active version materially differs from the version recorded in the AI BoM.
  • Tools whose registration has lapsed after major version changes.

The Playbook reframes Shadow AI from a binary compliance failure to a managed governance challenge: systematically discover tools, assess severity, decide disposition, convert what can be governed, and retire what cannot. It also treats recurring Shadow AI patterns as indicators of systemic policy or process gaps.

---

2. Strategic Context

Shadow AI is inevitable in any legal organisation using AI. The key risk is how long unregistered tools operate undetected and what exposure accumulates in that period. Empirical evidence from professional services suggests typical detection lags of six months or more, during which unregistered tools may process privileged communications, client confidential data, or cross-border personal data without controls.

Regulatory and client expectations are tightening:

  • The EU AI Act imposes deployer obligations to identify AI systems in use, including those adopted outside formal procurement.
  • ISO/IEC 42001 requires complete AI system inventories and continual improvement in AI management systems.
  • Clients increasingly demand assurance that all AI in use is inventoried and governed.

USE-07 operationalises these expectations through quarterly discovery sweeps, structured remediation, and DPS-grade documentation of governance actions.

---

3. Operating Principles

  1. Discovery is Not Punishment
  2. Completeness Over Speed
  3. Severity Drives Response, Not Volume
  4. Convert Where Possible
  5. Patterns Indicate Policy Gaps
  6. Document Everything

---

4. Shadow AI Severity Classification

Classify every discovered Shadow AI tool (as defined in section 1, including registered tools with scope or version drift) using the four-tier Shadow AI severity model (aligned with SUS-06):

Tier 1 — Critical

  • Tool confirmed active on client matters or processing privileged data without oversight; or
  • Tool unregistered for 90+ days while in use.

Response:

  • Activate SUS-06 Emergency Retirement Protocol.
  • File STR-07 within 24 hours.
  • Shut down tool access within 24 hours.

Tier 2 — High

  • Tool is registered but operating outside approved scope or by unapproved users; or
  • Registered tool with a major version change not reflected in the AI BoM.

Response:
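The reconciliation step behind the discovery sweep is a comparison of scan observations against the AI BoM register, followed by the severity rules above. The following is an added example, not the playbook's own tooling: it applies the Gate 1 register-currency check, the section 1 definition of Shadow AI (no Active registration, lapsed registration, version drift) and only the Tier 1 and Tier 2 rules stated in section 4; anything unregistered that meets neither Tier 1 criterion is handed to manual review because the Tier 3 and 4 criteria are not reproduced on this page. The register layout, the scan-record fields, the "major version is the first dotted component" rule and all tool names and dates are constructed assumptions.

```python
"""Reconcile IT environment scan data against the DAT-06 AI BoM register and
apply the Tier 1 / Tier 2 Shadow AI rules from USE-07 section 4.

Added example. Register schema, scan fields, version rule and all data are
constructed assumptions, not the playbook's own artefacts.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

REGISTER_MAX_AGE_DAYS = 30     # Gate 1: register updated within the last 30 days
UNREGISTERED_TIER1_DAYS = 90   # Tier 1: unregistered for 90+ days while in use


@dataclass(frozen=True)
class ScanRecord:
    """One observation from a SaaS inventory / extension / endpoint scan (constructed)."""
    tool: str
    version: str
    user: str
    first_seen: date       # earliest date the tool was observed in use
    client_matter: bool    # observed on client matters or privileged data


@dataclass(frozen=True)
class Finding:
    tool: str
    user: str
    tier: str              # "TIER_1", "TIER_2" or "REVIEW"
    reasons: tuple


def register_is_current(register_updated: date, today: date) -> bool:
    """Gate 1: a stale register cannot separate registered from unregistered tools."""
    return (today - register_updated).days <= REGISTER_MAX_AGE_DAYS


def major_version(version: str) -> str:
    """Assumption: the first dotted component is the major version."""
    return version.split(".")[0]


def classify(rec: ScanRecord, register: dict, today: date) -> Optional[Finding]:
    """Return a Finding for a Shadow AI observation, or None if the use is governed."""
    entry = register.get(rec.tool)
    active = entry is not None and entry["status"] == "Active"

    if not active:
        # Never registered, or registration lapsed: Shadow AI per section 1
        reasons = []
        if rec.client_matter:
            reasons.append("unregistered tool active on client matters / privileged data")
        days = (today - rec.first_seen).days
        if days >= UNREGISTERED_TIER1_DAYS:
            reasons.append(f"unregistered for {days} days while in use")
        if reasons:
            return Finding(rec.tool, rec.user, "TIER_1", tuple(reasons))
        # Tier 3-4 criteria are not on this page: hand to manual triage
        return Finding(rec.tool, rec.user, "REVIEW",
                       ("unregistered under 90 days, no client data observed",))

    # Active registration: check scope and version drift (Tier 2 rules)
    reasons = []
    if rec.user not in entry["approved_users"]:
        reasons.append(f"unapproved user {rec.user}")
    if major_version(rec.version) != major_version(entry["version"]):
        reasons.append(f"major version {rec.version} not reflected in AI BoM ({entry['version']})")
    if reasons:
        return Finding(rec.tool, rec.user, "TIER_2", tuple(reasons))
    return None


def run_sweep(scan, register, register_updated: date, today: date):
    """Gate 1, then classify every scan record; findings sorted Tier 1 first."""
    if not register_is_current(register_updated, today):
        raise RuntimeError("Gate 1 failed: update the AI BoM register before discovery")
    findings = [f for f in (classify(r, register, today) for r in scan) if f]
    order = {"TIER_1": 0, "TIER_2": 1, "REVIEW": 2}
    return sorted(findings, key=lambda f: (order[f.tier], f.tool))


# --- Constructed AI BoM register and scan data (hypothetical tools) ---
TODAY = date(2026, 4, 1)
REGISTER_UPDATED = date(2026, 3, 20)
AI_BOM = {
    "contractdraft-ai": {"status": "Active", "version": "3.2", "approved_users": {"alice", "bob"}},
    "summarise-ext":    {"status": "Lapsed", "version": "1.0", "approved_users": {"carol"}},
}
SCAN = [
    ScanRecord("contractdraft-ai", "3.2", "alice", date(2026, 1, 10), True),   # governed
    ScanRecord("contractdraft-ai", "4.0", "alice", date(2026, 3, 1), True),    # version drift
    ScanRecord("contractdraft-ai", "3.2", "dave", date(2026, 2, 14), False),   # unapproved user
    ScanRecord("summarise-ext", "1.0", "carol", date(2025, 10, 15), False),    # lapsed, 168 days
    ScanRecord("chatbot-plugin", "1", "erin", date(2026, 3, 10), True),        # unregistered, client data
    ScanRecord("notes-helper", "0.9", "frank", date(2026, 3, 25), False),      # unregistered, 7 days
]

if __name__ == "__main__":
    for f in run_sweep(SCAN, AI_BOM, REGISTER_UPDATED, TODAY):
        print(f.tier, f.tool, f.user, "; ".join(f.reasons))
```

The sorted output drives the response order in the playbook: Tier 1 findings (SUS-06 Emergency Retirement and STR-07 filing within 24 hours) come first, Tier 2 next, and REVIEW items go to the per-tool governance gap assessment. Real scan inputs would replace the constructed `SCAN` list with records derived from the SaaS inventory, API logs and browser-extension telemetry named under Inputs.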

Defensibility Evidence

USE-07 operates at DPS Tier 3 (Defensible) across all three lenses:

  • Adoption lens: practitioner disclosure survey records, communications for each discovery cycle, and training completion records for the discovery team. Retention: 5 years from discovery cycle date.
  • Sophistication lens: full Shadow AI Discovery Reports for all quarterly sweeps, governance gap assessments per discovered tool, disposition decisions with rationale, policy gap analyses, and conversion tracking records, together providing a complete audit trail of the organisation's active Shadow AI governance enforcement. Retention: 5 years.
  • Defensibility lens: STR-07 incident records for Tier 1 and Tier 2 Shadow AI discoveries, Emergency Retirement Protocol records, client disclosure records where professional obligations were triggered, IT environment scan records, and AI Governance Lead sign-off records for all disposition decisions, constituting the highest-grade evidence that the organisation actively identifies and remediates unregistered AI. Retention: 7 years from tool disposition date.

Evidence must be available within 48 hours of regulatory, legal, or client inquiry. An annual evidence accessibility audit is required.

Operational Artefacts

  • Shadow AI Discovery Sweep Checklist (checklist · v2026.1 · gated)
  • Shadow AI Governance Gap Assessment Template (xlsx · v2026.1 · gated)
  • Disposition Decision Matrix (xlsx · v2026.1 · gated)
  • Shadow AI Discovery Report Template (docx · v2026.1 · gated)
  • Practitioner Disclosure Survey Template (docx · v2026.1 · gated)

Framework Crosswalk

EU AI Act (European Union)

Supports deployer obligations to identify all AI systems in use, including those adopted outside formal procurement, and to ensure appropriate risk management and transparency controls.

ISO/IEC 42001 (ISO/IEC)

Supports AI management system requirements for complete AI inventories, continual improvement, and closure of gaps created by tools adopted outside formal approval processes.

ABA Model Rules of Professional Conduct (American Bar Association)

Informs duties of supervision under Rules 5.1–5.3 where supervised personnel use AI tools without partner awareness or approval, requiring discovery and remediation of Shadow AI.

Operational Details

Inputs

  • Current DAT-06 AI BoM Register
  • IT environment scan data (SaaS inventory, API logs, browser extensions, endpoints, integrations)
  • Quarterly practitioner disclosure survey responses
  • Vendor contract and procurement registry
  • GOV-02 AI Use Policy
  • STR-07 incident log
  • GOV-04 vendor due diligence records

Outputs

  • Quarterly Shadow AI Discovery Reports
  • Tool-level governance gap assessment records
  • Disposition decisions (Convert, Restrict, Retire) per tool
  • Emergency Retirement notifications for Tier 1 and Tier 2 tools (SUS-06 and STR-07)
  • Conversion packages for tools entering DAT-06 registration
  • Policy gap analysis and remediation recommendations
  • Shadow AI trend and pattern reports
  • DPS-grade evidence packages for retention and audit

Owner

AI Governance Lead + IT Security

Telemetry & Observability

Telemetry-ready

Key Takeaways

  • Run quarterly Shadow AI discovery sweeps combining IT scans, practitioner surveys, vendor reviews, and incident cross-references.

  • Classify every unregistered tool using the four-tier Shadow AI severity model to drive triage and response.

  • Apply a structured disposition decision for each tool: Convert to governed status, Restrict pending governance, or Retire.

  • Route all Tier 1 and Tier 2 Shadow AI findings to SUS-06 Emergency Retirement and STR-07 incident reporting within mandated timeframes.

  • Use repeat Shadow AI patterns to identify and remediate policy, procurement, and training gaps rather than focusing only on individual non-compliance.

  • Document discovery, assessment, disposition, and policy remediation as DPS-grade evidence of active AI governance enforcement.

  • Track KPIs for discovery rate, time-to-disposition, and conversion rate to demonstrate continual improvement and regulatory alignment.


Module Details

  • Type: Module
  • Pillar: P5 (Use Cases)
  • Advisory: Yes
  • Access: Enterprise
  • Maturity Bands: Foundational · Operational · Integrated · Optimised · Defensible
  • Governance: Methodology v2026.1
