Cyber Intelligence
PROTEGO
Cloud Security15 min read

Shadow AI in Enterprise: Detecting and Governing Unauthorized AI Usage

Your Conditional Access policies almost certainly have a gap for consumer AI tools. ChatGPT, Claude.ai, and Gemini fall through blocks designed for cloud storage because they are categorized differently in most CASB and proxy rule sets. This guide shows how to find exactly what AI traffic is leaving your environment and enforce policy before an auditor does it for you.

I
Idan Ohayon
Microsoft Cloud Solution Architect
Shadow AIDefender for Cloud AppsCASBConditional AccessMicrosoft PurviewDLPAI GovernanceZero Trust

Your Employees Are Already Using ChatGPT with Customer Data

Your most comprehensive Conditional Access policy probably has a gap for consumer AI tools. Not by design: when the policy was written, someone assessed that browser access to consumer SaaS was covered by existing controls. What was missed is that chat.openai.com, claude.ai, and gemini.google.com are not categorized as "cloud storage" or "file sharing" in most proxy and CASB rule sets. They fall under "search engines," "technology tools," or simply "uncategorized" — categories that bypass the blocks applied to Dropbox and Google Drive.

Microsoft's Defender for Cloud Apps telemetry from 2025 found that in enterprises with 1,000+ users, an average of 47% of knowledge workers used at least one unapproved generative AI tool monthly. Of those sessions, 23% involved uploading files or pasting text matching internal document classification patterns. For a regulated industry, that is a reportable incident waiting for an auditor to trigger.

This guide covers the actual detection and enforcement work: finding what AI traffic is leaving your environment today, classifying apps into a governance framework, and deploying controls that cover browser sessions, native app calls, and corporate network egress.

---

What Shadow AI Traffic Looks Like in Enterprise Logs

The highest-volume shadow AI tools in enterprise telemetry fall into four categories with distinct risk profiles:

CategoryCommon ToolsPrimary Data Risk
General AI assistantsChatGPT, Claude.ai, Gemini, PerplexityPasted customer data, internal docs, source code
AI coding assistantsGitHub Copilot (personal), Cursor, Codeium, Replit AIProprietary source code transmitted to external inference
AI image generatorsMidjourney, DALL-E via ChatGPT, Adobe FireflyBrand assets, design IP, unreleased product visuals
AI productivity toolsNotion AI, Otter.ai, Grammarly, Fireflies.aiMeeting transcripts, HR records, email content
Most DLP policies written before 2024 targeted cloud storage destinations: OneDrive personal, Dropbox, consumer Google Drive. Generative AI endpoints accept the same sensitive content through the same upload and paste mechanisms, but are categorized differently in proxy and CASB systems. The detection gap is categorical.

---

Discovery: Finding AI Apps in Your Environment with Defender for Cloud Apps

Before applying controls, you need a complete inventory of what AI tools are in use. Defender for Cloud Apps Cloud Discovery is the primary tool for Microsoft environments. It analyzes proxy logs, firewall logs, or Defender for Endpoint telemetry to identify cloud apps in use without requiring proxy integration if MDE is deployed.

Running a Shadow AI Audit

  1. In the Microsoft Defender portal, navigate to Cloud Apps > Cloud Discovery > Discovered apps
  2. Filter by category: Generative AI (added in Defender for Cloud Apps update 246, October 2024)
  3. Sort by traffic volume descending to prioritize the highest-usage apps
  4. Export the full inventory with user counts, traffic volumes, and risk scores

For programmatic access to the discovered app catalog: 

# Authenticate and pull top generative AI apps by traffic volume
$tenantId = "<your-tenant-id>"
$clientId = "<your-app-id>"
$clientSecret = "<your-secret>"
$tokenBody = @{
    grant_type    = "client_credentials"
    client_id     = $clientId
    client_secret = $clientSecret
    scope         = "https://graph.microsoft.com/.default"
}
$token = (Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Method Post -Body $tokenBody).access_token
$headers = @{ Authorization = "Bearer $token"; "Content-Type" = "application/json" }
# Query Defender for Cloud Apps API for discovered generative AI apps
$filter = @{
    filters = @{
        category = @{ eq = @(11) }  # Category 11 = Generative AI in MDCA schema
        trafficTotalBytes = @{ gt = 1048576 }  # Filter to apps with >1MB of traffic
    }
    limit = 50
    sortField = "trafficTotalBytes"
    sortDirection = "desc"
} | ConvertTo-Json -Depth 5
$reqParams = @{
    Uri     = "https://your-tenant.portal.cloudappsecurity.com/api/v1/discovery/discovered_apps/"
    Headers = $headers
    Method  = "Post"
    Body    = $filter
}
Invoke-RestMethod @reqParams

Defender for Cloud Apps rates each app on a risk score from 0 to 10 based on security attributes: SOC 2 compliance, ISO 27001 certification, GDPR data processing agreements, data retention policies, and password security requirements. Consumer AI tools typically score 4 to 7. Enterprise tiers (Azure OpenAI, Claude for Business, Gemini for Google Workspace) score 8 to 10 and should be evaluated separately from their consumer counterparts.

---

Governance Framework: Three-Tier Classification

Before applying technical controls, define a classification framework. Trying to block everything immediately creates helpdesk load and executive escalations; having no policy creates compliance exposure. The three-tier model:

TierDefinitionExamplesControl Posture
SanctionedApproved for use with corporate data; enterprise agreement in placeMicrosoft Copilot (M365), Azure OpenAI (enterprise), GitHub Copilot EnterpriseStandard DLP, activity logging, usage monitoring
MonitoredAllowed without sensitive data; sessions are monitored and DLP-inspectedChatGPT Teams, Claude for Business (where procured), Gemini for WorkspaceSession policy: block file uploads, alert on sensitive data paste
BlockedNo access from managed devices or corporate networkConsumer AI personal accounts, Midjourney, Cursor (unapproved), Otter.ai webConditional Access block, MDE web filter, Azure Firewall deny
Document and publish this framework to employees before activating enforcement. The first block notifications should not be the first time employees hear about the policy.

---

Defender for Cloud Apps Session Policies

Once the app inventory is classified, apply controls. Defender for Cloud Apps provides two control types for browser-based apps:

  • Access policies: block access to an app entirely, appropriate for tier-3 (blocked) apps
  • Session policies: allow access but intercept uploads, downloads, or specific activities, appropriate for tier-2 (monitored) apps

Configure a session policy to block file uploads to unmanaged AI tools. This requires Conditional Access App Control to be enabled for the relevant apps first (covered in the next section).

In the Defender portal, create a session policy with these parameters:

  • Policy name: Block uploads to unapproved AI tools
  • Session control type: Control file upload (with DLP)
  • Activity filter: App equals [ChatGPT, Claude.ai, Gemini, Perplexity] (select from the app catalog)
  • Content inspection: Enable DLP; match against your sensitive information types (credit card numbers, employee IDs, internal project codes, custom classifiers for IP)
  • Action: Block + notify user
  • Alert: Create alert for each matched activity

For apps in the Monitored tier where you want visibility without blocking: create a session policy with "Monitor" action instead of "Block." This logs all upload activity without creating user friction, giving you 30-60 days of baseline data before moving to enforcement.

---

Entra ID Conditional Access App Control

Conditional Access App Control routes browser sessions for specified apps through the Defender for Cloud Apps session proxy. This is the control plane that makes session policies work.

Create a Conditional Access policy that routes monitored AI app sessions: 

{
  "displayName": "MCAS Control: AI App Session Routing",
  "state": "enabled",
  "conditions": {
    "applications": {
      "includeApplications": ["All"]
    },
    "users": {
      "includeGroups": ["All Users"],
      "excludeGroups": ["CA-Excluded-Accounts", "AI-Tool-Admins"]
    },
    "clientAppTypes": ["browser"],
    "platforms": {
      "includePlatforms": ["all"]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["compliantDevice"]
  },
  "sessionControls": {
    "cloudAppSecurity": {
      "isEnabled": true,
      "cloudAppSecurityType": "mcasConfigured"
    }
  }
}

For apps that are not in the Microsoft app catalog, use the "Onboard with app control" flow in Defender for Cloud Apps to add them as custom monitored apps. The portal walks you through configuring the app's SSO URL and the proxy certificate.

Critical limitation: Conditional Access App Control applies to browser sessions only. Native desktop applications — Cursor IDE, GitHub Copilot in VS Code, Grammarly desktop, Otter.ai desktop — bypass this control entirely. Browser sessions represent the majority of shadow AI activity for knowledge workers, but developer tools and native apps require network-layer controls.

---

Microsoft Purview Endpoint DLP for AI Destinations

Purview endpoint DLP extends DLP coverage beyond browser sessions to clipboard operations, file saves, and application-level data movement on managed endpoints. It requires Defender for Endpoint deployment (MDE onboarding) and the Purview compliance client.

Create a DLP policy targeting AI tool web destinations:

In Microsoft Purview > Data loss prevention > Policies > Create policy:

  1. Template: Custom policy
  2. Locations: Devices (requires MDE onboarding + Purview endpoint DLP)
  3. Rule conditions:
  • Content contains sensitive info types (credit card numbers, US SSN, passport numbers, employee IDs, and your custom org-specific classifiers)
  • Activity is "Upload to restricted cloud service domain" or "Paste to browser"
  • Restricted cloud service domains: chat.openai.com, claude.ai, gemini.google.com, perplexity.ai, midjourney.com, huggingface.co
  1. Action: Block activity, notify user with policy tip, generate alert

Add new AI tool domains to an existing Purview policy without recreating it: 

Connect-IPPSSession -UserPrincipalName admin@yourtenant.onmicrosoft.com
# List current restricted domains in the policy rule
$policy = Get-DlpCompliancePolicy -Identity "AI Tool Data Restriction"
$rule = Get-DlpComplianceRule -Policy $policy.Name -Identity "Block uploads to AI tools"
$rule.BlockAccessScope
# Add a new AI tool domain
$ruleParams = @{
    Identity                               = "Block uploads to AI tools"
    AddSensitiveInformationTypeRulePackage = $null
    AddBlockedCloudStorageService          = @{Name="PerplexityAI"; Domain="perplexity.ai"}
    Confirm                                = $false
}
Set-DlpComplianceRule @ruleParams
# Verify the update
Get-DlpComplianceRule -Policy $policy.Name | Select-Object -ExpandProperty BlockedCloudStorageServices

Purview endpoint DLP's clipboard monitoring is particularly valuable: if a user opens a classified document in Word and pastes content into a ChatGPT browser session, the paste action is intercepted and evaluated against your sensitive information types before it leaves the machine. This catches data exfiltration that bypass browser proxy controls.

---

Network Layer Controls for Native Apps and BYOD

Browser session proxying and endpoint DLP cover managed devices with MDE deployed. For native app traffic, corporate network egress, and bring-your-own-device scenarios, network-layer controls are required.

Defender for Endpoint Web Content Filtering

MDE web content filtering blocks URL categories on enrolled endpoints without requiring a proxy. Add the Generative AI category to block unapproved tools:

In Microsoft Intune > Endpoint security > Attack surface reduction > Web content filtering:

Create a new policy with:

  • Platform: Windows 10 and later
  • Blocked categories: Generative AI, Artificial Intelligence (added in MDE platform version 4.18.25050, May 2025 update)
  • Assignment: All devices (or a specific device group for phased rollout)

For apps not covered by category-based filtering, add custom URL indicators in the MDE portal: 

# Add individual AI tool URLs to MDE custom indicators
$headers = @{ Authorization = "Bearer $mdeToken"; "Content-Type" = "application/json" }
$indicator = @{
    indicatorValue = "cursor.sh"
    indicatorType = "DomainName"
    action = "Block"
    title = "Block Cursor AI - Unapproved AI Coding Tool"
    description = "Cursor IDE sends source code to external AI inference. Blocked per AI governance policy."
    severity = "Medium"
    generateAlert = $true
} | ConvertTo-Json
$indParams = @{
    Uri     = "https://api.securitycenter.microsoft.com/api/indicators"
    Headers = $headers
    Method  = "Post"
    Body    = $indicator
}
Invoke-RestMethod @indParams

Azure Firewall Rules for Corporate Network Egress

For on-premises and Azure-hosted workloads routed through Azure Firewall, create application rule collections blocking consumer AI endpoints: 

resource shadowAIBlock 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2024-01-01' = {
  parent: firewallPolicy
  name: 'ShadowAIBlock'
  properties: {
    priority: 500
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'BlockConsumerAITools'
        priority: 100
        action: { type: 'Deny' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'BlockConsumerAIEndpoints'
            targetFqdns: [
              'chat.openai.com'
              'claude.ai'
              'gemini.google.com'
              'perplexity.ai'
              'midjourney.com'
              'cursor.sh'
              'api.cursor.sh'
              'www.cursor.sh'
            ]
            protocols: [
              { protocolType: 'Https', port: 443 }
            ]
          }
          {
            ruleType: 'ApplicationRule'
            name: 'AllowEnterpriseAIAPIs'
            targetFqdns: [
              '*.openai.azure.com'
              'cognitiveservices.azure.com'
              '*.cognitiveservices.azure.com'
            ]
            protocols: [
              { protocolType: 'Https', port: 443 }
            ]
          }
        ]
      }
    ]
  }
}

Important: blocking api.openai.com and api.anthropic.com will also block any enterprise application that calls these APIs directly without routing through Azure OpenAI. Audit your application inventory for direct API usage before adding those domains to the deny list. Use Azure Firewall's Threat Intelligence feed in addition to explicit FQDNs to catch new AI tool domains as they emerge.

---

KQL Detection Queries for Ongoing Monitoring

Controls will not catch everything. Deploy detection queries to identify bypass attempts, policy gaps, and high-risk activity: 

// Detect blocked AI tool access attempts via Azure Firewall
AzureDiagnostics
| where Category == "AzureFirewallApplicationRule"
| where msg_s contains "Deny"
| where msg_s has_any (
    "chat.openai.com", "claude.ai", "gemini.google.com",
    "perplexity.ai", "cursor.sh", "midjourney.com"
  )
| extend
    SourceIP = extract(@"From: (d+.d+.d+.d+)", 1, msg_s),
    TargetFQDN = extract(@"To: ([w.-]+)", 1, msg_s)
| summarize
    AttemptCount = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by SourceIP, TargetFQDN, bin(TimeGenerated, 1h)
| where AttemptCount > 10
| order by AttemptCount desc
// Detect file uploads to AI apps from Defender for Cloud Apps activity log
CloudAppEvents
| where TimeGenerated > ago(7d)
| where ActionType in ("FileUpload", "FileAttachment", "FileSyncUpload")
| where AppName has_any ("ChatGPT", "Claude", "Gemini", "Perplexity", "Midjourney")
| summarize
    UploadCount = count(),
    UniqueFiles = dcount(ObjectName),
    FileSizeTotal = sum(tolong(RawEventData.fileSize))
    by AccountDisplayName, AccountObjectId, AppName, bin(TimeGenerated, 1d)
| where UploadCount > 5
| order by UploadCount desc

High-volume blocked attempts from a single source IP after network controls are applied indicate VPN or proxy bypass attempts. A single user with more than 20 uploads to an AI app in a day during business hours is the most common insider risk pattern and should trigger an investigation workflow.

---

Hardening Checklist

  • [ ] Shadow AI discovery completed: Cloud Discovery run with Generative AI category filter; full inventory exported with user counts, traffic volumes, and risk scores
  • [ ] AI app classification framework documented: three-tier policy (sanctioned / monitored / blocked) with specific named apps in each tier
  • [ ] Policy communicated to employees before enforcement blocks activate: IT security communication sent with examples of what is blocked and the enterprise-approved alternatives
  • [ ] Conditional Access App Control configured for monitored AI apps: browser sessions routed through Defender for Cloud Apps session proxy
  • [ ] Session policies deployed: file uploads to unapproved AI apps blocked with DLP content inspection enabled for all sensitive information types
  • [ ] Purview endpoint DLP policy created: AI tool domains added to restricted cloud service domain list; clipboard paste monitoring enabled
  • [ ] MDE web content filtering policy deployed: Generative AI and Artificial Intelligence categories blocked on all managed endpoints (verify MDE platform version 4.18.25050+ for category support)
  • [ ] Custom MDE URL indicators added for AI tools not covered by category-based filtering (Cursor, Fireflies.ai, Otter.ai, and similar)
  • [ ] Azure Firewall rules deployed for corporate network egress: consumer AI API and portal domains in deny rule; enterprise AI endpoints in allow rule
  • [ ] KQL detection queries active in Sentinel: Azure Firewall deny events for AI domains, MCAS upload events, high-volume bypass attempts
  • [ ] Alert rules configured: more than 10 blocked AI tool attempts per hour from a single IP; more than 5 file uploads to monitored AI apps from a single user per day
  • [ ] GitHub Copilot personal account usage audited: ensure developers using AI coding tools are on the enterprise license, not personal accounts routing proprietary code to OpenAI's consumer endpoints
  • [ ] Monthly shadow AI report scheduled: new AI apps discovered since last review, bypass attempt trends, DLP incident counts by app and user
  • [ ] Exception request process defined: documented procedure for teams requesting approval for new AI tools, including required security review and DPA check
N

Recommended tool: Nordpass

Up to 40% commission

Try for free

Get weekly security insights

Cloud security, zero trust, and identity guides — straight to your inbox.

I

Idan Ohayon

Microsoft Cloud Solution Architect

Cloud Solution Architect with deep expertise in Microsoft Azure and a strong background in systems and IT infrastructure. Passionate about cloud technologies, security best practices, and helping organizations modernize their infrastructure.

Share this article

TwitterLinkedIn

Questions & Answers

Related Articles

☁️
Cloud Security

AZ-500 vs SC-200 vs SC-300: Which Azure Security Cert Should You Get in 2026?

14 min read

☁️
Cloud Security

Terraform Security Scanning: Checkov vs Terrascan vs tfsec Compared

16 min read

☁️
Cloud Security

Azure Firewall Premium vs Standard: When the Upgrade Is Worth It

16 min read

Need Help with Your Security?

Our team of security experts can help you implement the strategies discussed in this article.

Contact Us