Stay ahead of Shadow AI with automated alerts that flag AI usage outside your approved inventory — giving administrators a continuous, actionable view of unregistered AI activity across the organization.
Organizations often struggle to govern AI they can't see. AI usage spreads quickly through browsers, desktop apps, plugins, APIs, and agents — and approved AI policies become ineffective without continuous monitoring. Manual audits and self-reporting miss fast-moving adoption, leaving teams exposed to compliance, privacy, and vendor risks.
The Unapproved AI Alert feature solves this by continuously reconciling detected AI usage against your approved AI allowlist and surfacing context-rich alerts when unregistered systems appear — enabling rapid triage, consistent enforcement, and a defensible audit trail of Shadow AI exposure and remediation.
Defender telemetry captures every AI domain visit across the organization. Each visit is matched against your AI Inventory — anything that doesn't match exactly is flagged as unregistered and scored for risk.
Purpose
Unapproved AI Alerts provide administrators with a continuous, prioritized view of AI usage that falls outside the approved inventory, helping teams respond before Shadow AI becomes a compliance or security incident.
- Detect unregistered AI usage in near real time against your AI Inventory
- Reduce Shadow AI exposure with automated, context-rich alerts instead of ad hoc audits
- Enforce AI governance policies consistently across users, devices, and applications
- Support audit defensibility with a closed-loop record of detection, response, and remediation
- Cut alert fatigue with severity scoring and digest cadences tailored to your team's workflow
This ensures organizations can move from reactive discovery to proactive, scalable AI governance.
How it works
Configurable Metrics in Rollups
Administrators can choose which data points appear in their digest reports under Notification Center → Settings → User Risk Alerts. Available metrics include:
- New AI sources discovered — count of newly detected AI services in the period
- New users accessing AI — number of new users detected accessing AI services
- Total AI usage events — total number of AI access events recorded
- High risk users detected — users flagged as high risk based on scoring rules
- Unapproved AI domains accessed — domains accessed that are not in the approved AI inventory
- Most-used AI services — ranking of the most frequently accessed AI services
Flexible Delivery Cadence
Choose how and when alerts arrive:
- In-app notifications — Immediate, Daily, Weekly, or Monthly
- Email rollups — scheduled digests delivered to your inbox
This flexibility lets teams pick a regular pulse that fits their workflow without creating alert fatigue.
User Risk Digest
Digest reports consolidate Shadow AI activity across the selected period — for example, a Monthly Report showing new AI sources, total usage events, unapproved domains accessed, and the most-used AI services. Each digest provides an at-a-glance summary of organizational exposure.
One-Click Drill-Down
Every digest includes a View User Risk action that takes administrators directly into the User Risk dashboard for further investigation — see who accessed what, how often, and what data sensitivity indicators are present.
Notes
- Available on Teams and Enterprise plans
- Requires the Defender Shadow AI connector
- Per-user Shadow AI risk lives in the User Risk dashboard; the digest surfaces it proactively so admins don't have to check manually In-app and email channels can be toggled independently per alert type
- Digest cadences (Immediate, Daily, Weekly, Monthly) can be combined to match different stakeholder needs