Glossary / Shadow AI

Definition

What is Shadow AI?

Unsanctioned AI use

Shadow AI is employee use of AI tools — ChatGPT, Claude, Gemini, Perplexity, Cursor — outside your governance perimeter. Trinitite reads the Secure Web Gateway telemetry you already export, classifies it against a curated AI destination registry, correlates it against governed traffic within ±60 seconds, and emits a signed, deduplicated inventory by vendor, user, and time.

The audit-acceptable answer to “how do you KNOW your people aren’t using consumer AI for sensitive work?” cannot be a survey. Trinitite never injects into your SWG — it only reads what Zscaler NSS, Cisco Umbrella, Cloudflare Zero Trust, Netskope, Forcepoint, or generic DNS already export, so there is no TLS decryption and no inline blocking.

Each event is flagged is_shadow when there is a known AI vendor with no governed equivalent in the principal’s window; identical events collapse to one counted row per 24 hours. The signed bundle emits by_vendor, by_user, and totals rollups chain-linked into the unified ledger — answering EU AI Act Annex IV §1, SR 11-7 §III inventory completeness, SOC 2 CC6.6, and GDPR Art. 28.