Find the insights and best practices about our product.
General
FAQs
System & Network Requirements
Getting Started
My AI Dashboard Overview
Cranium Release Notes
2026.6.1 Release Notes
2026.4.2 Release Notes
2026.4.1 Release Notes
2026.3.1 Release Notes
2026.2.2 Release Notes
2026.2.1 Release Notes
2026.1.1 Release Notes
2025.12.1 Release Notes
2025.11.1 Release Notes
2025.10.3 Release Notes
2025.10.1 Release Notes
2025.9.1 Release Notes
2025.8.1 Release Notes
2025.7.1 Release Notes
2025.4.1 Release Notes
2025.3.1 Release Notes
2025.1.1 Release Notes
2024.12.1 Release Notes
Aiceberg Release Notes
Aiceberg 2026.6.1 Release Notes
AI Manager
My AI Systems
My AI Systems Overview
AI System Details Overview
Adding a New AI System
Self-Attesting to a Compliance Framework
Compliance Scoring
Compliance Agent [Beta]
My AI Supply Chain
Supply Chain Overview
Managing Outgoing AI Card Requests
Responding to an AI Card Request
Publishing an AI Card Without a Request
My Vendors Overview
Artifacts
Bill of Materials
Bill of Materials Overview
Creating a Bill of Materials with CodeSensor
Self-Attest to a Bill of Materials
AgentSensor Overview
Technology Search Overview
Document Library
Document Library Overview
Vulnerability Management
Arena Shield
Arena Shield Overview
Shield YAML Implementation Guide
Arena
AI Arena Overview
Vulnerability Assessment
Vulnerability Management
Vulnerability Assessment Overview
Accessing a Vulnerability Assessment
Adversarial Inputs Detector
Vulnerabilities Overview
Settings
User Manager Overview
Detect AI
Integrations
Accessing a Private VCS
Registering SSH for CodeSensor
Integrating Bitbucket with Cranium
Integrating GitHub with Cranium
Integrating GitLab with Cranium
Integrating Azure DevOps with Cranium
Continuous Monitoring Overview
VCS Service Rate Limits
CloudSensor
CloudSensor Overview
Public API
Public API Overview
Authentication & Generating Credentials
Pagination & Incremental Sync
Rate Limits & Error Handling
Endpoint Reference
Bills of Materials
Technology Vulnerabilities
Arena Models
Arena Model Vulnerabilities
Aiceberg
Listen vs Enforce Overview
Guardian Overview
Inventory
Inventory Overview
How to Create a Model
How to Create a Profile
How to Create a Use Case
Activity
Sessions Activity Overview
Session Events Overview
Monitoring Activity Overview
Monitoring Events Overview
Playground Overview
Trace Overview
Cannon
Cannon Overview
Cannon Runs Overview
Cannon Results Overview
Collections Overview
How to Create a Collection
Observe
Use Case Overview
Profile Analysis Overview
Shadow AI Overview
Admin
Admin Overview
User Management Overview
Roles Overview
Shadow AI
Shadow AI Activity Tables
Shadow AI Overview

Shadow AI surfaces the AI tools and services being used across your organization, including usage that would otherwise go unseen. As people adopt AI applications on their own, much of that activity happens without oversight. Shadow AI makes it visible, drawing on the activity from your connected SIEM to show which AI services are in use, who is using them, and how much data is moving through them.

The Overview page gives you the high-level picture of AI activity across your organization. The Events, Services, Users, and History pages break that activity down in detail.

How Shadow AI Classifies Activity

Detected AI activity is organized into a taxonomy with three levels: category, subcategory, and service.

At the top are four categories:

  • AI Provider Access: Direct access to AI providers, such as calls to major LLM APIs and AI infrastructure providers.
  • AI Enabled SAAS: Software-as-a-service applications that have AI capabilities built in, such as CRM and business platforms with AI features.
  • AI Web App Usage: AI applications used through the browser, such as consumer AI tools and web-based assistants.
  • Dev App Embedded AI: AI embedded in development tools and workflows, such as AI SDKs and coding assistants.

Each category contains subcategories that group related activity more narrowly, such as AI SDK Detection, API Keys Secrets, Collaboration Tools, and Major LLM APIs. Within each subcategory are the individual services detected, the specific AI tools and platforms that activity was attributed to.

Overview Page

The Overview page summarizes AI activity across the selected time range. A time range control at the top scopes the entire page, offering a relative window of the last 7, 30, or 90 days, or a custom date and time range.

Four metrics summarize activity over that range:

  • Total Events: The total number of detected AI events.
  • Unique Users: The number of distinct users associated with the activity.
  • Data Transferred: The volume of data moved through the detected activity.
  • Failed Requests: The number of requests that failed.

Activity Breakdown

A breakdown panel shows where AI activity is concentrated. you can view the breakdown by category, subcategory, or service, and filter by any combination of category subcategory, and service to narrow what it covers. A metric selector switches the breakdown between events, unique users, and data transferred, so you can see which categories, subcategories, or services account for the most activity by the measure you care about. The breakdown can be shown in several display formats.

Usage Over Time

A usage-over-time panel shows how AI activity has moved across the selected time range. You can group the trend by category, subcategory, or destination, adjust the interval, and switch between display formats to read the pattern the way that suits you.

Did this answer your question?