Blue Vector • Free Resource

Shadow AI & Prompt Audit Checklist

A leadership-only field checklist for finding out what your team is actually doing with AI—the unsanctioned tools, the data walking out the door, and the quiet non-adoption killing your official rollout. Work through it discreetly. The goal is a picture and a plan, not a witch hunt.

Ground rule: announce a no-blame amnesty window before you start asking questions. People tell the truth about shadow tools exactly once—when honesty is safe. Burn that, and every future audit is fiction.

Phase 1 — Discovery (What's Actually in Use)

CheckDoneFindings
Pull the network/DNS logs (or ask IT) for traffic to consumer AI domains over the last 90 days
Inventory browser extensions and installed apps on company machines for AI tools
Check expense reports and credit-card statements for AI subscriptions
Interview one person per department: “What do you use AI for? What would you use it for if you could?”
List every sanctioned AI tool and who is licensed vs. who actually logs in

Phase 2 — Exposure (What Data Is Leaving)

CheckDoneFindings
Identify whether customer drawings, CAD, or specs have been pasted/uploaded into consumer tools
Identify whether pricing, cost sheets, or customer lists have been used in prompts
Check whether any AI accounts in use train on submitted data (consumer vs. business tier)
Review NDAs and customer flow-downs for clauses AI use could already be violating
Flag any export-controlled or regulated data (ITAR/EAR, HIPAA, etc.) in the exposure paths above

Phase 3 — Prompt Quality & Drift (For Sanctioned Tools)

CheckDoneFindings
Sample 20+ recent outputs from each sanctioned workflow; grade against spec
Compare current prompts against the originally approved versions (drift check)
Verify human-approval steps are actually happening, not rubber-stamped
Test agent-connected workflows for prompt-injection paths (untrusted email/document content reaching the agent)
Confirm logs exist for agent actions and someone reviews them on a schedule

Phase 4 — Adoption Map (Who's In, Who's Out, Why)

CheckDoneFindings
Map actual usage by team: enthusiasts, quiet avoiders, and active workaround-builders
Identify the specific reason for each pocket of avoidance (trust, training, fear, tool quality)
Find the “pilot purgatory” projects: POCs older than 90 days with no deploy date
Identify knowledge-hoarding chokepoints (processes only one person can run)

Phase 5 — Remediation Plan

#FindingAction (replace / govern / train / shut down)OwnerDate
1
2
3
4