Shadow AI Discovery: How to Inventory Every LLM in Your Organisation
Shadow AI Discovery: How to Inventory Every LLM in Your Organisation
What if your CFO discovered, on August 3, 2026, that half of your workforce had been quietly pasting customer records into unsanctioned LLMs for the past eighteen months? Under Article 49 of the EU AI Act, that single sentence is worth up to €35 million or 7% of global turnover — and “we didn’t know” is not a defence a regulator will accept.
The uncomfortable truth: most enterprises cannot name, in real time, every AI model their employees are calling this hour. Manual surveys are obsolete the day they are filed. SaaS vendors ship embedded LLM features overnight. Developers wire API keys into production scripts that never enter procurement. You are governing a perimeter you cannot see.
The Failure of Process-Based Compliance
Shadow AI — the unsanctioned use of Large Language Models by employees — has become the primary driver of corporate data leakage. Employees are adoption-oriented. They paste confidential customer data, intellectual property, and trade secrets into consumer-grade tools to solve immediate productivity needs.
Traditional compliance asks department heads to self-report. This fails for three structural reasons:
- Invisibility of embedded AI. SaaS vendors ship generative features into approved platforms (CRMs, HRIS, project tools) without notification.
- Decentralised development. Engineers call AI APIs from production scripts and side projects that bypass procurement.
- The documentation trap. Governance vendors (Modulos, Daiki, EQS) sell “paper controls” — registries that sit outside the traffic path and cannot physically stop a single unapproved request.
The CPIO pain: you cannot govern what you cannot see. If a high-risk AI system operates in shadow mode without registration, you are in direct violation of Article 49.
Discovery via Interception
NordClaw shifts your posture from “process-based compliance” to “infrastructure-based enforcement.” Instead of asking employees what they use, NordClaw observes what is actually happening.
The transparent proxy
NordClaw operates a transparent proxy (api.nordclaw.eu) that sits directly between your users and any LLM provider. The full processing stack runs on Sovereign Container Infrastructure in Frankfurt. By changing a single environment variable, every AI request is routed through an EU-jurisdiction endpoint.
- Auto-discovery. The proxy identifies every distinct model called across your network from live traffic — building your inventory automatically from day one.
- Identity mapping via SSO. Every request is mapped to a named human, department, and role through Enterprise Identity Federation (OIDC SSO) with Microsoft Entra ID or Google Workspace. The
tenant_idanduser_idclaims are injected at sign-in by our blocking auth function.
Technical reality, not contractual claims
US-based platforms remain subject to the US CLOUD Act, creating a permanent GDPR Article 44 conflict — covered in depth in our cross-border data transfer audit. NordClaw runs entirely inside our Frankfurt data centers, so the data residency guarantee is architectural.
Regulatory Alignment
Automated discovery is not a luxury. It is the prerequisite for:
- Article 9 (Risk Management). Requires identifying and analysing all AI systems. NordClaw provides the exhaustive list — derived from live traffic, not self-reporting.
- Article 49 (Public Database Registration). No high-risk embedded tool can operate in shadow mode once the proxy is in path.
- Article 26(6) (Logging). Six-month immutable retention begins the moment traffic is intercepted, written to our Dedicated PostgreSQL 15 Cluster in Frankfurt.
Value Across the Organisation
Human Resources
HR is classified as high-risk under Annex III. NordClaw’s discovery engine surfaces every tool used for applicant ranking or performance monitoring and triggers mandatory Human-in-the-Loop approval gates.
Finance & C-Level
Shadow AI is unquantified spend. NordClaw tags every prompt with model, token count, and cost — the foundation of our per-trace cost attribution model for CFOs.
IT & Cybersecurity
IT gains a real-time routing table of all AI traffic and can decommission insecure endpoints or redirect them through the Walled Garden of vetted integrations.
Comparison: NordClaw vs. The Market
| Feature | NordClaw | Governance tools (Daiki / EQS) | US platforms (TrueFoundry) |
|---|---|---|---|
| Real-time interception | ✅ Yes | ❌ No | ✅ Yes |
| Auto-inventory discovery | ✅ Yes | ❌ Manual only | ✅ Yes |
| SSO identity mapping | ✅ Entra ID / Workspace | ❌ No | ⚠ Partial |
| EU sovereign hosting | ✅ Frankfurt | ⚠ Conditional | ❌ US (CLOUD Act) |
| Compliance export (Art. 26) | ✅ One-click PDF / CSV | ❌ No | ❌ No |
The 90-Day Compliance Readiness Sprint
To move from total blindness to full technical visibility before the August deadline:
- Days 1–30 (Visibility). Activate the proxy and generate the AI Model Inventory from live traffic.
- Days 31–60 (Hardening). Enable PII redaction across all EU languages.
- Days 61–90 (Documentation). Generate pre-filled DPIA and FRIA templates from actual usage patterns.
Early access · MVP cohort
Be audit-ready before August 2, 2026.
NordClaw is onboarding a limited cohort of enterprise partners ahead of the EU AI Act enforcement deadline. Reserve your seat and shape the compliance infrastructure your DPO, CISO, and CFO will rely on.
Sign up for early access →
From Worry to Control
In the post-August 2026 landscape, a lack of inventory is a lack of compliance. Manual surveys are no longer defensible. NordClaw is the EU-native infrastructure that combines real-time interception with automated governance documentation.
The question is no longer whether you need an AI inventory. It is whether your inventory is based on human memory or technical reality.