advanta

HomeModule LibraryUse Cases

Module USE-07 sigil: Use Cases pillar, Strategy layer, maturity bands 1 to 3.Deterministic sigil for Module USE-07. The Pillar geometry encodes Use Cases (Pillar 5); the top-right marker S encodes the Strategy layer; the baseline meter encodes maturity bands 1 to 3.SUSE-07
P5· L-E· Bands FoundationalOperationalIntegratedOptimisedDefensible

· USE-07

Shadow AI Discovery and Conversion Playbook

Shadow AI is the most prevalent risk vector in legal AI today: personnel using unsanctioned AI tools for client work, often for legitimate reasons but outside the AI Bill of Materials. This Module defines how to discover Shadow AI activity, classify each instance (block, convert, formalise), and convert legitimate use into sanctioned AI BoM entries. It includes the discovery survey, the conversion conversation script, and the policy-amnesty window that turns potential incidents into onboarding opportunities. Without this Module, Shadow AI either escalates into incidents or drives compliant users underground. Methodology v2026.1.

strategic

·

Quarterly

·

Discovery sweep 2–3 weeks per quarterly cycle; 1–3 business days per tool assessment; 2–6 weeks per tool conversion pathway.

Methodology v2026.1

Executive Summary

USE-07 defines the operational playbook for discovering and remediating Shadow AI—any AI tool in use without an Active DAT-06 AI BoM registration. It treats Shadow AI as a governance health issue rather than purely a misconduct problem, covering tools adopted before governance existed, vendor-embedded AI, and unregistered or lapsed versions of otherwise approved tools. The module specifies a quarterly discovery sweep using IT environment scans, practitioner disclosure surveys, vendor contract reviews, and incident cross-references. Each discovered tool is classified using a four-tier Shadow AI severity model, assessed for governance gaps across data exposure, agentic risk, client impact, and root-cause policy failures. Tools are then either converted into governed status, restricted pending governance, or retired via SUS-06, with Tier 1–2 cases routed through STR-07 incident response. USE-07 aligns with EU AI Act deployer obligations, ISO/IEC 42001 inventory requirements, and ABA supervision duties. It produces DPS-grade evidence of active enforcement, supports continual reduction of the shadow footprint, and turns unregistered tools into either safe, governed assets or cleanly decommissioned systems.

Defensibility Evidence Produced

USE-07 operates at DPS Tier 3 (Defensible) across all three lenses. Adoption lens: practitioner disclosure survey records, communications for each discovery cycle, and training completion records for the discovery team — 5-year retention from discovery cycle date. Sophistication lens: full Shadow AI Discovery Reports for all quarterly sweeps, governance gap assessments per discovered tool, disposition decisions with rationale, policy gap analyses, and conversion tracking records provide a complete audit trail of the organisation's active Shadow AI governance enforcement — 5-year retention. Defensibility lens: STR-07 incident records for Tier 1 and Tier 2 Shadow AI discoveries, Emergency Retirement Protocol records, client disclosure records where professional obligations were triggered, IT environment scan records, and AI Governance Lead sign-off records for all disposition decisions constitute the highest-grade evidence that the organisation actively identifies and remediates unregistered AI — 7-year retention from tool disposition date. Evidence available within 48 hours of regulatory, legal, or client inquiry. Annual evidence accessibility audit required.

Elements:

Decision traceabilityGovernance posture

Metric 0 Pre-Check

Before any Shadow AI discovery sweep, confirm two preconditions:

Gate 1 — AI BoM Register Currency

Verify the DAT-06 AI BoM Register is current (updated within the last 30 days) and accessible to the discovery team. If the register is stale, update it before starting discovery; otherwise, you cannot reliably distinguish registered from unregistered tools.

Gate 2 — IT Security Participation Confirmed

Confirm IT Security has allocated resources to support environment scans. If IT Security cannot participate, reschedule the sweep; partial discovery without security input must not be treated as complete coverage.

1. Purpose

USE-07 defines the operational methodology for identifying, assessing, and remediating Shadow AI—AI tools operating without current, Active DAT-06 AI BoM registration.

Shadow AI includes:

  • Tools adopted by practitioners unaware of registration requirements.
  • Tools deployed before formal AI governance processes existed.
  • Vendor-embedded AI features not flagged as AI at procurement.
  • Tools whose active version materially differs from the version recorded in the AI BoM.
  • Tools whose registration has lapsed after major version changes.

The Playbook reframes Shadow AI from a binary compliance failure to a managed governance challenge: systematically discover tools, assess severity, decide disposition, convert what can be governed, and retire what cannot. It also treats recurring Shadow AI patterns as indicators of systemic policy or process gaps.

2. Strategic Context

Shadow AI is inevitable in any legal organisation using AI. The key risk is how long unregistered tools operate undetected and what exposure accumulates in that period. Empirical evidence from professional services suggests typical detection lags of six months or more, during which unregistered tools may process privileged communications, client confidential data, or cross-border personal data without controls.

Regulatory and client expectations are tightening:

  • The EU AI Act imposes deployer obligations to identify AI systems in use, including those adopted outside formal procurement.
  • ISO/IEC 42001 requires complete AI system inventories and continual improvement in AI management systems.
  • Clients increasingly demand assurance that all AI in use is inventoried and governed.

USE-07 operationalises these expectations through quarterly discovery sweeps, structured remediation, and DPS-grade documentation of governance actions.

3. Operating Principles

  1. Discovery is Not Punishment
  2. Completeness Over Speed
  3. Severity Drives Response, Not Volume
  4. Convert Where Possible
  5. Patterns Indicate Policy Gaps
  6. Document Everything

4. Shadow AI Severity Classification

Classify every discovered unregistered tool using the four-tier Shadow AI severity model (aligned with SUS-06):

Tier 1 — Critical

  • Tool confirmed active on client matters or processing privileged data without oversight; or
  • Tool unregistered for 90+ days while in use.

Response:

  • Activate SUS-06 Emergency Retirement Protocol.
  • File STR-07 within 24 hours.
  • Shut down tool access within 24 hours.

Tier 2 — High

  • Tool is registered but operating outside approved scope or by unapproved users; or
  • Registered tool with a major version change not reflected in the AI BoM.

Response:

Operational Signals

use-07.shadow-tools-discovered

Defensibility Posture Statement

Count of Shadow AI tools surfaced per discovery cycle — DE-1 Decision traceability record.

Quarterly

use-07.conversion-rate

Annual Legal AI OS Index

Proportion of discovered Shadow AI converted to AI BoM entries vs blocked feeds the Annual Legal AI OS Index governance signal.

Quarterly

use-07.amnesty-uptake

Console

Personnel disclosures during amnesty windows for Console intelligence substrate.

On change

Recommended Stakeholders

Owner

  • Risk & Compliance

Approvers

  • General Counsel
  • Risk & Compliance

Contributors

  • Head of Legal Operations
  • CIO / CISO
  • AI Task Force

Informed

  • Board
  • Audit Committee

Inputs · Outputs

Inputs

  • · Current DAT-06 AI BoM Register
  • · IT environment scan data (SaaS inventory, API logs, browser extensions, endpoints, integrations)
  • · Quarterly practitioner disclosure survey responses
  • · Vendor contract and procurement registry
  • · GOV-02 AI Use Policy
  • · STR-07 incident log
  • · GOV-04 vendor due diligence records

Outputs

  • · Quarterly Shadow AI Discovery Reports
  • · Tool-level governance gap assessment records
  • · Disposition decisions (Convert, Restrict, Retire) per tool
  • · Emergency Retirement notifications for Tier 1 and Tier 2 tools (SUS-06 and STR-07)
  • · Conversion packages for tools entering DAT-06 registration
  • · Policy gap analysis and remediation recommendations
  • · Shadow AI trend and pattern reports
  • · DPS-grade evidence packages for retention and audit

Framework Crosswalk

EU AI Act

European Union

Supports deployer obligations to identify all AI systems in use, including those adopted outside formal procurement, and to ensure appropriate risk management and transparency controls.

ISO/IEC 42001

ISO/IEC

Supports AI management system requirements for complete AI inventories, continual improvement, and closure of gaps created by tools adopted outside formal approval processes.

ABA Model Rules of Professional Conduct

American Bar Association

Informs duties of supervision under Rules 5.1–5.3 where supervised personnel use AI tools without partner awareness or approval, requiring discovery and remediation of Shadow AI.

Operational Artefacts

  • Shadow AI Discovery Sweep Checklist

    checklist · v2026.1

    Gated
  • Shadow AI Governance Gap Assessment Template

    xlsx · v2026.1

    Gated
  • Disposition Decision Matrix

    xlsx · v2026.1

    Gated
  • Shadow AI Discovery Report Template

    docx · v2026.1

    Gated
  • Practitioner Disclosure Survey Template

    docx · v2026.1

    Gated

Diagnostic Relevance

Running Shadow AI Discovery strengthens the Defensibility lens — expected Band progression: Operational → Integrated.

Confidence: high

Key Takeaways

  • Run quarterly Shadow AI discovery sweeps combining IT scans, practitioner surveys, vendor reviews, and incident cross-references.

  • Classify every unregistered tool using the four-tier Shadow AI severity model to drive triage and response.

  • Apply a structured disposition decision for each tool: Convert to governed status, Restrict pending governance, or Retire.

  • Route all Tier 1 and Tier 2 Shadow AI findings to SUS-06 Emergency Retirement and STR-07 incident reporting within mandated timeframes.

  • Use repeat Shadow AI patterns to identify and remediate policy, procurement, and training gaps rather than focusing only on individual non-compliance.

  • Document discovery, assessment, disposition, and policy remediation as DPS-grade evidence of active AI governance enforcement.

  • Track KPIs for discovery rate, time-to-disposition, and conversion rate to demonstrate continual improvement and regulatory alignment.

Run this Module

Operational artefacts available to Enterprise Partnership members. Methodology v2026.1.

View Membership

Targeting

Audience

AI Governance LeadIT SecurityLegal OperationsGeneral CounselRisk and Compliance

Strengthens

Defensibility lensAdoption lens

Module Details

Format
Module
Difficulty
Operational
Pillar
P5
Owner
Risk & Compliance
Access
Enterprise Partnership

Maturity Bands

FoundationalOperationalIntegratedOptimisedDefensible

Where this Module lives

Shadow AI Discovery is the front door for the Class 8 Shadow AI risk vector. Converted Shadow tools become AI BoM entries that flow into Vendor Evaluation (VEN-01) and the Risk Register (GOV-03). Confirmed incidents escalate to the Incident Response Playbook (GOV-05). The Module produces DE-1 (Decision traceability) records into the DPS. Without it, the AI BoM is a fiction.

Advisory

When this Module sits inside a Programme.

Modules are operated in-house by GC and Legal Operations teams. When the capability transformation is multi-Pillar — or when the regulator timeline tightens — Advanta operates the canonical Module sequence as a Programme.