A CISO's Playbook for Surfacing Every AI Tool Already in Use

Katarina Hoffmann

A CISO's guide to discovering shadow AI across the enterprise. This playbook covers how to surface every AI tool in use, from web apps to coding agents, using a combination of policy, network analysis, and endpoint governance tools like Bifrost Edge.

The widespread adoption of generative AI has created a significant blind spot for security leaders: employees are using hundreds of ungoverned AI tools for daily work. A recent report from the analyst firm Enterprise Technology Research (ETR) highlights that while 70% of organizations are increasing their AI budgets, many lack the visibility to manage the associated risks. This "shadow AI" ecosystem, spanning everything from web-based chatbots to integrated development environment (IDE) plugins and desktop applications, introduces unmanaged pathways for data exfiltration, compliance violations, and intellectual property loss.

For Chief Information Security Officers (CISOs), the first step toward managing this risk is creating a comprehensive inventory of every AI tool already in use. An open-source AI gateway like Bifrost can centralize and govern known AI traffic, but it cannot see the tools that bypass it. This playbook provides a structured approach to surfacing that hidden usage and bringing it under a unified governance framework.

The Challenge: Why Shadow AI Is Hard to Find

Shadow AI thrives because it is decentralized and user-driven. Unlike traditional software that requires formal procurement and deployment, modern AI tools are often free, browser-based, or installed with a single click. This creates several discovery challenges.

  • Endpoint Proliferation: AI is no longer confined to the data center. It runs on employee laptops inside desktop apps like Claude Desktop and Cursor, as web apps like ChatGPT, and as coding agents directly in the command line.
  • Encrypted Traffic: Most AI services use standard HTTPS, making their traffic difficult to distinguish from general web browsing using network-level tools alone.
  • Dynamic and Evolving Tools: The AI tool landscape changes weekly. New models and applications appear constantly, making it impossible to maintain a static, manually curated list of indicators of compromise or blocked domains.
  • Model Context Protocol (MCP) Servers: Modern coding agents connect to external MCP servers to execute tools and access local files. These connections are a powerful, yet often invisible, vector for data movement that most security tools are not designed to inspect.

Stage 1: Initial Discovery and Baseline

The initial goal is to build a baseline understanding of AI usage without deploying heavy-handed blocking, which can drive usage further into the shadows.

Conduct User Surveys and Policy Reviews

Start with the human layer. Anonymous surveys can provide valuable, honest feedback on which tools teams find most useful and for what purposes. This is also the time to review and update the company's acceptable use policy to explicitly address generative AI. The NIST AI Risk Management Framework (AI RMF 1.0) provides a solid foundation for developing these policies, emphasizing the need to "Map, Measure, and Manage" AI risks.

Analyze Network and Proxy Logs

While not a complete solution, analyzing DNS requests and proxy logs can reveal connections to the most common AI service domains. Create a list of the primary domains used by services like OpenAI, Anthropic, Google AI, and others. This method will catch the low-hanging fruit but will miss desktop applications that may use different endpoints, as well as less obvious services that bundle AI capabilities.
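The log pass described above, as an added example (not code from the original article or from Bifrost). It assumes a proxy log layout of `timestamp user method target` and a small starter watchlist of vendor domains, both of which are assumptions to adapt; matching is done on DNS label boundaries so look-alike hostnames are not counted.

```python
import re
from collections import defaultdict

# Assumed starter watchlist (vendor domains and specific API hosts); extend per environment.
AI_DOMAINS = {
    "openai.com": "OpenAI", "chatgpt.com": "OpenAI",
    "anthropic.com": "Anthropic", "claude.ai": "Anthropic",
    "gemini.google.com": "Google AI",
    "generativelanguage.googleapis.com": "Google AI",
}

# Constructed sample lines in the assumed "timestamp user method target" layout.
SAMPLE_LOG = """\
2025-01-14T09:02:11Z alice CONNECT api.openai.com:443
2025-01-14T09:02:40Z alice CONNECT chatgpt.com:443
2025-01-14T09:03:05Z bob CONNECT notopenai.com:443
2025-01-14T09:04:17Z bob CONNECT API.Anthropic.com.:443
2025-01-14T09:05:52Z carol GET https://generativelanguage.googleapis.com/v1beta/models
2025-01-14T09:06:30Z carol CONNECT www.google.com:443
2025-01-14T09:07:01Z dave CONNECT claude.ai.evil.example:443
malformed line
"""

def extract_host(target):
    """Return the lowercase hostname from 'host:port' or a full URL."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", target.strip(), flags=re.I)
    host = re.split(r"[/:?#]", host, maxsplit=1)[0]
    return host.lower().rstrip(".")  # normalise case and a trailing root dot

def classify(host):
    """Match whole DNS labels only, so 'notopenai.com' does not hit 'openai.com'."""
    labels = host.split(".")
    for i in range(len(labels)):
        vendor = AI_DOMAINS.get(".".join(labels[i:]))
        if vendor:
            return vendor
    return None

def inventory(log_text):
    """Build {user: {vendor: sorted hostnames}} from proxy log text."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed layout
        host = extract_host(fields[3])
        if (vendor := classify(host)):
            seen[fields[1]][vendor].add(host)
    return {u: {v: sorted(h) for v, h in vs.items()} for u, vs in seen.items()}
```

Calling `inventory(SAMPLE_LOG)` groups the matched hostnames by user and vendor, which gives the per-user baseline this stage is after.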

Stage 2: Automated Discovery with Endpoint Governance

Manual methods and network analysis provide an incomplete picture. To get a definitive, real-time inventory, CISOs need a solution that provides visibility directly on the endpoint, where the tools are being used. This is where an endpoint governance agent becomes critical.

The Bifrost AI gateway provides the central control plane for setting policy, and Bifrost Edge extends that policy to every employee machine. This combination moves a security program from reactive analysis to proactive governance.

How Endpoint Governance Works

An endpoint agent like Bifrost Edge is deployed to every company-managed device via an existing mobile device management (MDM) solution like Jamf, Intune, or Kandji. Once installed, it operates transparently to the user, inspecting traffic and identifying connections to known AI services and, crucially, discovering new ones.

Key capabilities for discovery include:

  • Application Inventory: The agent identifies every installed AI-native application, such as the ChatGPT or Claude desktop apps, and reports them back to a central dashboard.
  • MCP Server Discovery: It inspects traffic from coding agents like Claude Code and Codex CLI to discover and inventory every MCP server they are configured to use. This closes a major visibility gap for engineering teams.
  • Browser AI Visibility: The agent can identify traffic to web-based AI tools, distinguishing it from general browsing.

From Discovery to a Fleet-Wide Inventory

The output of this stage is not just a list of domains but a rich, fleet-wide catalog of every AI application and MCP server in use, tied to specific devices and users. A centralized admin dashboard provides a single view to see what is running where. This inventory becomes the foundation for a risk-based governance strategy.

Stage 3: Implementing Risk-Based Governance

With a comprehensive inventory in hand, security teams can move from discovery to control. The goal is not necessarily to block every tool but to enforce consistent security and compliance policies on the tools that are approved for use.

Create an Approval Workflow

Using the discovered inventory, CISOs can implement a formal approval workflow for all AI tools.

  1. Review Discovered Tools: Analyze the inventory to identify tools that offer clear business value versus those that pose an unacceptable risk.
  2. Approve or Deny: Mark each application and MCP server as approved or denied. This decision is then automatically enforced on the endpoint. Approved tools continue to function seamlessly, while denied tools are blocked before they can transmit data.
  3. Route and Govern: All traffic from approved tools is automatically routed through the organization's central Bifrost AI gateway. This ensures that every request is subject to the organization's data loss prevention policies, guardrails, and audit logging.

The "AI Gateway + Bifrost Edge" Model

This combined approach is the most effective way to manage AI risk at scale. The Bifrost AI gateway acts as the central policy engine and enforcement point for all known and sanctioned AI traffic. Bifrost Edge acts as the discovery and enforcement agent on the endpoint, ensuring that even previously unknown "shadow AI" is either blocked or brought into compliance with the gateway's policies. This creates a closed-loop system where nothing is left ungoverned.

Next Steps: Building a Sustainable Program

Surfacing the AI tools already in use is the foundational step in a modern AI governance program. By moving from manual spot-checks to a continuous, automated discovery and enforcement model, CISOs can enable their organizations to adopt AI safely and effectively. This approach turns a major security blind spot into a well-managed and visible component of the enterprise software ecosystem.

Teams looking to implement such a playbook can start by evaluating how an endpoint governance solution can provide the necessary visibility. The information needed to manage AI risk is already on the network and endpoints; the key is having the right tools to surface it. Teams evaluating AI gateways and endpoint governance can request a Bifrost demo to see this model in action.