**What is shadow AI detection?**
Shadow AI detection is the practice of identifying unsanctioned AI tools, models, and API integrations deployed without security approval. It relies on visibility at the traffic layer, where AI calls are made, because these tools route live data to external models in ways traditional security stacks cannot see.
**How do enterprises detect shadow AI?**
Enterprises detect shadow AI by inspecting AI traffic at an AI gateway that sits between users and external providers. The gateway logs every call, flags unauthorized models, and enforces policy in real time. Kong research found that 54% of enterprises with governance frameworks use an AI gateway as this control plane.
**What is the difference between shadow AI and shadow IT?**
Shadow IT is unsanctioned software that usually stays within a known perimeter. Shadow AI routes live data — prompts, records, and code — to external models and behaves non-deterministically, so its data exposure and outputs vary from one call to the next. That makes shadow AI harder to detect and higher risk.
**What are the HIPAA risks of shadow AI in healthcare?**
Routing protected health information to an external LLM without a Business Associate Agreement is a potential HIPAA violation, regardless of whether a breach occurs. Ungoverned AI also fails HIPAA's audit-trail requirement, leaving organizations unable to prove how PHI was accessed or transmitted.
**What is federated AI governance?**
Federated AI governance is a model where a central team defines baseline policies while individual teams keep autonomy to operate within them. Central rules — such as never routing PHI to external models — are inherited by every team, ensuring one consistent posture across multi-cloud and hybrid environments.
**What is the Cordyceps AI vulnerability disclosure?**
The Cordyceps disclosure identified identical AI-generated vulnerabilities propagated through CI/CD pipelines across more than 300 GitHub repositories, exposing them to supply-chain attacks. It demonstrated how ungoverned AI-generated code can spread the same flaw at scale before anyone detects it.