What you can't see is what exposes you.
Your staff are using AI tools. Not because they're reckless — because those tools save time. The problem is that most organisations have no visibility over which tools are in use, what data is being processed through them, or whether any of it is covered by policy.
That's shadow AI. And under UK GDPR, the Data Protection Act 2018, and sector-specific obligations from the FCA, SRA, and Regulator of Social Housing, the liability for what those tools process sits with you — not the employee, and not the tool provider.
What does a Shadow AI Audit actually involve?
Three things, delivered in five working days:
Discovery
A structured interview with relevant stakeholders to map known AI tool usage across departments. We establish what's been sanctioned, what hasn't, and what nobody's thought to ask about.
Exposure mapping
Every identified tool is assessed against your regulatory obligations: data residency, retention policies, training data consent, and sector-specific requirements. The gaps become visible.
Remediation report
A clear written output: what's in use, what's exposed, and what to do about it. Board-ready. Referenced to your specific regulatory framework, not generic AI guidance.
Is this audit right for your organisation?
The Shadow AI Audit is built for UK SMEs in regulated sectors where data handling obligations are non-negotiable:
Financial services
FCA-regulated firms where client data confidentiality and AI model governance are under increasing scrutiny.
Legal
SRA-regulated practices where client confidentiality obligations extend to every tool in the workflow.
Pharma and life sciences
Where data integrity and research confidentiality have regulatory and commercial consequences.
Housing associations
Where tenant data is processed at scale and AI tool adoption is outpacing governance.
What does the audit deliver?
A single written report, delivered within five working days of the discovery session:
Complete inventory of AI tools identified across your organisation.
Data flow assessment — what information is being processed, where, and under what terms.
Regulatory gap analysis — mapped to UK GDPR, DPA 2018, and your sector regulator.
Remediation recommendations — prioritised, practical, actionable.
Policy drafts — where none exist, we provide starting-point documentation.
Board summary — one page, non-technical, ready to share with leadership.
Priced per engagement following a short discovery conversation.
Not sure where you stand?
Take the free Risk & Readiness Assessment — five minutes to find out exactly where your AI exposure lies.
Frequently asked questions
What is shadow AI?
Shadow AI is the use of AI tools by employees without organisational visibility, policy, or oversight. It includes free-tier ChatGPT accounts, browser-based AI assistants, AI-powered writing tools, and any other AI product being used in the course of work without formal sanction.
How long does the Shadow AI Audit take?
The audit is delivered in five working days from the discovery session. The discovery session itself takes approximately two hours.
What regulations does the audit cover?
The audit maps AI tool usage against UK GDPR, the Data Protection Act 2018, and the sector-specific obligations relevant to your organisation: FCA, SRA, or other sector regulator guidance as applicable.
Does the EU AI Act apply to our business?
Article 4 of the EU AI Act (Regulation (EU) 2024/1689) applies to UK businesses with exposure to EU markets. Where it applies, the audit addresses documented AI literacy and governance requirements. For most UK-only SMEs, the primary compliance framework remains UK GDPR and DPA 2018.
What happens after the audit?
The remediation report gives you a prioritised action list. Dousatsu can support implementation through Track 04: AI Governance & Compliance, or you can act on the findings independently. There is no obligation to continue.
How much does the Shadow AI Audit cost?
The audit is priced per engagement following a short discovery conversation. Pricing reflects the size and complexity of your organisation. Book a call to discuss scope.
Written by Chris Hampson, Anthropic Academy-certified AI governance consultant.