A leadership team at a $200M firm was asked a simple question: can you name every AI tool currently in use across your organization? The CTO guessed seven. By the end of the week, the real number was 23. Eleven had never been reviewed by IT. Four had terms of service that let the vendor train on customer data. Two were handling information that fell under the company’s regulatory obligations.
That is not unusual. For a mid-market healthcare or financial-services organization, it is the rule — and the stakes are higher, because the “data” leaking into unreviewed tools is protected health information or client financial records.
Shadow AI — the AI tools your people adopt without anyone approving or reviewing them — is the largest unmanaged risk in mid-market technology right now. It is not malicious. It is what happens when powerful tools are cheap, instant to access, and solving real problems faster than governance can keep up. The gap isn’t strategy. The gap is visibility.
The number that matters
23 versus 7. The actual count of AI tools in use was more than triple what leadership believed. We have run this exercise across organizations of every size, and the ratio holds: real usage is almost always a multiple of the estimate.
A 20-minute audit you can run this week
You do not need a consultant or a platform to start:
- Survey your department heads with one question: “What AI tools is your team using, including anything adopted in the last 12 months?” Anonymize it if that is what it takes to get honest answers.
- Pull SaaS subscriptions under $500/month from the last year of expense reports. Department-level AI tools almost always hide here.
- Check browser-extension policies. Personal ChatGPT, Claude, and Gemini integrations installed as extensions rarely appear in any IT inventory.
Consolidate the list. You do not need to shut anything down yet — you need to know what you are working with. That list is your starting point.
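One way to do that consolidation step, as an added example rather than anything from the article or from LANStatus: a Python script that merges constructed survey answers, expense lines and a browser-extension scan into one inventory keyed by tool, records which source surfaced each tool, and flags the ones IT has never reviewed. The keyword table and the IT-approved set are assumptions to replace with your own.

```python
import csv
import io
from collections import defaultdict

# Constructed stand-ins for the three audit sources: survey answers, expense lines, extension scan.
SURVEY_ANSWERS = {"Marketing": ["ChatGPT Team", "Jasper"],
                  "Finance": ["ChatGPT Team", "Copilot"], "Clinical Ops": ["Otter.ai"]}
EXPENSE_CSV = """date,vendor,description,amount,cadence
2024-03-02,OpenAI,ChatGPT Team seats,250.00,monthly
2024-03-05,Jasper AI,Jasper Pro,99.00,monthly
2024-04-10,Otter.ai,Otter Business,240.00,annual
2024-05-01,Big ERP Inc,ERP licence,4500.00,monthly
2024-06-15,Acme Paper,Printer paper,40.00,one-time
"""
EXTENSION_INVENTORY = [{"user": "jdoe", "name": "Gemini for Chrome"},
                       {"user": "asmith", "name": "ChatGPT Sidebar"},
                       {"user": "asmith", "name": "uBlock Origin"}]
# Constructed keyword -> canonical tool table and IT-approved set; extend both for your estate.
CANONICAL = {"chatgpt": "ChatGPT", "openai": "ChatGPT", "claude": "Claude", "gemini": "Gemini",
             "copilot": "Copilot", "jasper": "Jasper", "otter": "Otter.ai"}
IT_REVIEWED = {"Copilot"}

def canonical_name(text):
    """Map free text (survey answer, vendor line, extension name) to a tool name, else None."""
    lowered = text.lower()
    return next((name for kw, name in CANONICAL.items() if kw in lowered), None)

def build_inventory(survey, expense_csv, extensions, cap=500.0):
    """Merge the three sources into one inventory keyed by canonical tool name."""
    inv = defaultdict(lambda: {"sources": set(), "departments": set(),
                               "users": set(), "monthly_cost": 0.0})
    for dept, tools in survey.items():
        for name in filter(None, map(canonical_name, tools)):
            inv[name]["sources"].add("survey")
            inv[name]["departments"].add(dept)
    # Recurring lines only, normalised to monthly and kept under the cap (the $500/month pull).
    for row in csv.DictReader(io.StringIO(expense_csv)):
        cost = float(row["amount"]) / (12 if row["cadence"] == "annual" else 1)
        name = canonical_name(row["vendor"] + " " + row["description"])
        if name and row["cadence"] in ("monthly", "annual") and cost < cap:
            inv[name]["sources"].add("expenses")
            inv[name]["monthly_cost"] += cost
    for ext in extensions:
        if name := canonical_name(ext["name"]):
            inv[name]["sources"].add("extensions")
            inv[name]["users"].add(ext["user"])
    for name, rec in inv.items():
        rec["it_reviewed"] = name in IT_REVIEWED
    return dict(inv)
```

On the constructed data this yields five tools, four of them unreviewed, with ChatGPT surfacing from all three sources at once; that cross-source view is what makes the survey answers verifiable.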
How LANStatus helps
For our clients, AI discovery is part of managed IT, not a separate project. We surface the tools in use through endpoint visibility and network monitoring, then — for healthcare and financial-services clients especially — map each one against your compliance obligations so you know which tools are touching regulated data. The audit above is something you can do yourself; it is also something we do continuously, so the inventory never goes stale.
If a regulator or auditor asked you to produce a complete inventory of every AI system touching your data — or your clients’ data — how long would it take, and how confident would you be in the answer?
Want a complete inventory of the AI touching your systems? LANStatus runs AI discovery as part of every managed engagement.
A version of this article first appeared in The CAIO Brief.