Riseplan from Roast & Rise
Shadow AI and Data Protection: Find, Classify, Act
A sharp path for founders and IT leads to turn hidden AI usage from a lurking risk into controlled, safe leverage.
Shadow AI is exposing your customer data—likely right now. More than 1 in 5 breaches are caused by unsanctioned AI, and most firms aren't even looking. This plan gives you the exact path, tools, and language to surface the risk, keep the honesty flowing, and close the doors before a regulator or customer forces your hand.

Course thesis
Shadow AI is not about lost productivity—it's a live data breach vector. In 2026, over 45% of staff use unsanctioned AI tools, often with customer data despite policy. Shadow AI was behind 20% of recent breaches at a cost few small firms survive. Only a third have detection in place. Closing this gap is urgent, but you won't succeed by clamping down or chasing sprawl. You need visibility, practical boundaries, and a rulebook people trust enough to use.
What you leave with
By the end, you'll have a clear picture of your team's real AI usage, a practical data-sensitivity model, and a one-page AI policy that is actually followed—plus the tools to detect, not just guess, where data exposure could spill over.
For
Founders, IT/security leads, and operations leads at small and mid-sized organisations worried about unseen AI use risking customer data or regulatory action.
Workflow
Diagnose shadow AI presence, classify data exposure risk, create and communicate one clear AI tool policy, and implement lightweight detection and review.
Change
Move from reacting to AI surprises, denials, and hush to proactively surfacing what is used, classifying data risk, and guiding safe, open use through shared rules and lightweight monitoring.
What you can do
Use these as checks while you move through the plan.
Surface the true scale and nature of shadow AI tool use across your team without punishing honesty.
Rapidly tier company data by sensitivity and decide what can and cannot go into public AI tools.
Draft and socialize a one-page AI usage policy your people actually work with.
Deploy lightweight detection without forcing shadow usage deeper underground.
Spot common failure modes: denial, compliance theatre, and overreactions that break trust or drive worse risk.
Measure risk reduction and honest disclosure within 30 days.
Chapters
01
See the Invisible: Mapping Shadow AI Use
Surface real, risky AI tool usage on your team—without punishing honesty or driving it further underground. Use a discovery survey and smart interviews to map the shadow AI landscape, fast.

Why this matters in the workflow
In 2026, surveys report between 45% and 66% of employees use AI tools at work without approval—often pasting customer data into public systems. Over a third know this breaks policy but do it anyway. Shadow AI caused about 20% of data breaches last year, with each incident averaging $670K—enough to cripple or finish some firms. [2026 workplace surveys]
You can’t stop what you can’t see. Most companies still have zero formal shadow-AI detection, and their risk is invisible until a breach or a regulator lands. This isn’t a productivity drama; it’s a live, growing liability.
Mapping actual usage is your first defense. But blame, surveillance, or tedious compliance rituals just make people hide the truth. You need honest, nuance-rich data on who’s using what, why, and where it touches company or customer information.
Quality checklist
Survey went to all relevant team members, with anonymity guaranteed.
Survey and all communication struck a tone of curiosity, not blame.
At least 50% of team responded, or a reason for low turnout is logged.
Usage mapped: specific tool names, typical workflows, and kinds of data involved.
Anomalies or surprises called out and discussed in safe channels.
No employee was named in any published summary or team map.
Common mistakes
Letting legal or IT rewrite the survey into compliance jargon—killing honesty.
Implying punishment or tracking, so staff work harder to hide AI use.
Ignoring new/unknown tool entries or treating them as unimportant undertones.
Stopping at 'which tools' without mapping what data each touches.
Sharing raw responses company-wide, breaking anonymity and trust.
Jumping to fixes or tough rules before surfacing the map with the team.
Checkpoint
Have you mapped at least 80% of your team’s AI tool usage—and do you know which workflows or data are most exposed?
Exercise
Run a Shadow AI Discovery Survey on Your Team
Goal: Surface honest, anonymous responses about real AI tool usage. Build a live-use map, not a disciplinary list.
Steps
- Customize the Survey Template (see below): Add your company’s branding or tweak wording for your culture, but keep judgment-free tone.
- Decide Broadcast: Send anonymously (Google Forms, Typeform, MS Forms with settings for anonymity). Signal clearly: 'We want to see our real AI usage so we can set safer, smarter ground rules. No names. No blame.'
- Send and Remind: Share a personal note: _“We know many use AI to get things done. This is about surfacing what’s real, so we can make safer, clearer policies—no punishment.”_ Remind after two days.
- Spot Patterns: Download results. Look for:
- Surprising tools
- Data types being pasted
- Any tool clusters by team or workflow
- (Optional) Run three short interviews: Invite (voluntary and confidential) staff to clarify survey answers or discuss context. Listen for edge cases or new tools.
- Draft Your Map: Fill the output map template below, summarizing findings for one team.
- Share Back: In a team huddle or message, share the main surprises and next steps—without naming users or pointing fingers.
If your team is very small (under 6), consider a group conversation instead, using the survey template live.
Use this at work tomorrow
Send the survey, map out real usage patterns, and spark an honest AI tools conversation—before your next data breach comes as a surprise.
02
Classify the Risk: Tier Your Data for AI
Learn to map which of your company's data is safe—or dangerous—to put into AI models, using a practical, living tiering guide that sharpens team judgment and guides real decisions.

Why this matters in the workflow
The reality: over a third of staff entering customer data into public AI tools already know it's against policy (2026 workplace survey). That line is blurred because no one tells them what, exactly, is allowed. "Sensitive" is fuzzy. The cost of being vague: accidental breaches, fines, lost trust, calls from angry customers, your name on a regulator list.
You need a working language that says: this data can move, this data can't. No policy or tech solves this unless your people know what goes where—moment-to-moment, under pressure.
The working model
Quality checklist
Used actual, recent company snippets—not stock examples.
Tier marking matches the Red/Amber/Green guide.
Edge cases or disagreement are written and explained.
Table is clear enough for team use or onboarding.
Common mistakes
Basing table on invented or generic text, not real work data.
Marking all as Red to 'play safe'—ignoring actual workflow needs.
Skipping the Reason or Edge Case column, so policy never sharpens.
Not sharing the table with anyone—so no check on blind spots.
Checkpoint
Can you tier five real data snippets by risk level, and explain your reasoning to a colleague?
Exercise
Tier Your Data: Map Real Snippets by Risk
Do this now (15 minutes)
- Collect 3–5 real data snippets your team has used, or might use, with AI tools. Go for variety: one from a chat, a customer ticket, a project doc, a marketing line.
- Apply the tier guide. Mark each snippet as Red, Amber, or Green. Use the rules above—this is about practice, not theory. If you hit an edge case, write it out.
- Copy the template below. Fill it in for your team, using actual examples—not invented text.
- Share with one colleague. Ask if they'd tier any differently. Debate where you differ.
Output template
See below. Fill in rows for your own data.
Rubric
- Used actual, specific company data/snippets (not just made-up cases)
- Tiers match the described rules (Red for regulated/customer, Amber for aggregated/anonymous, Green for safe public info)
- Edge cases discussed and documented
- Output could be used in team onboarding or guidance
Use this at work tomorrow
Take 3 snippets from yesterday’s work, label them, and start a living team data-tier guide. You’ll spot fuzzy edges fast.
03
Write the Rule: One-Page AI Policy That Sticks
Draft a practical, memorable AI tool policy your people can actually use—and prove it lands, not just exists.

Why this matters in the workflow
You need a rule people will actually read, remember, and use. Not another unread PDF—something that guides action when no one's looking. Because shadow AI is exposing data right now. Most staff want to do the right thing—but only if the rule is clear, human, and possible to follow. Written the wrong way, policy becomes noise, or a threat, or a game of avoidance.
A one-page AI tool policy stops a data breach before it starts—if it's both honest and blunt about what is OK, what is not, and grey areas where people need to ask for help.
The working model
Quality checklist
Stays under one page (≈250 words).
Words and examples match company workflows, not just theory.
Absolute no-go data list is clear and specific (not all data is banned).
At least one example for safe, unsafe, and grey-area AI use.
Includes a simple channel for questions/disclosure.
Staff can explain the rule correctly after hearing it once.
Common mistakes
Slipping into jargon or legal-contractor speak.
Listing all data as banned (policy becomes ignored).
Skipping real examples—leaving staff guessing.
Punitive tone that reduces honesty or encourages hiding.
No way for staff to clarify grey areas.
Checkpoint
Can at least one staff member repeat back your AI tool policy, and identify safe/unsafe tasks, without reading the policy aloud?
Exercise
Draft and Test Your One-Page AI Tool Policy
Steps
- Open the template below. Fill in each section for your company, using your real data tiers and live scenarios.
- Read your draft aloud to a colleague—ideally someone who uses AI tools. No extra explanation.
- Ask them to repeat the rule back to you in their own words.
- Revise your draft based on what they miss, misstate, or find confusing. Tighten, clarify, or add a practical example.
- Share the final rule with two more colleagues (message, meeting, post). Ask for one line of feedback: "Would you know when to pause and check before using AI on a real task?"
Output: Your tested, one-page AI tool policy ready to share.
Use this at work tomorrow
Draft a 200-word AI usage rule, read it to a real team member, refine until they can recite it back—then post it where decisions get made.
04
Light, Not Lurking: Enabling Honest Detection
How to set up low-friction, trust-building detection for shadow AI—finding real risks without pushing AI use deeper underground. Covers detection principles, quick-start process, and building a review loop staff don't fear.

Why this matters in the workflow
Workplace survey data in 2026 shows only a third of companies have any real shadow AI detection. Yet 20% of 2025 breaches started with unacknowledged AI tool use. Most bans or silent surveillance backfire—staff rename AI tools, mask risky workflows, or lie about where customer data lands. You don't need a full monitoring stack. You need a detection and review loop that surfaces uncomfortable truths, builds trust, and lets you fix real blind spots.
The working model
- Light-touch, honest detection wins trust. Heavy surveillance destroys it. Your goal: find real risks, not create a witch hunt.
- Detection is part tech, part human review. Tools can flag unfamiliar endpoints, unauthorized app use, or pasted data. People spot patterns, judge context, and decode intent.
- Review must be calm and predictable. Incidents surface, are reviewed, and are resolved together—not punished in secret.
Quality checklist
Scope is clear and announced to all relevant staff.
At least one real data signal or log is reviewed, not just guessed.
Plain-English notification sent (and saved as evidence).
Detection log is filled out for each flagged app or finding.
Team debrief is scheduled and held—context and next actions agreed together.
No findings hidden or reviewed in secret.
Common mistakes
Secret monitoring without staff knowledge.
Skipping the debrief or failing to invite team context.
Overreacting to false positives or unclear log entries.
Never acting on a flagged risk—detection without review is empty.
Making findings hard to see or trapped in private files.
Checkpoint
Can you show a detection log entry and describe how you shared findings (and next steps) with your team?
Exercise
Set Up Your First Shadow AI Detection Review
Follow these steps to stand up a live detection and review loop on a pilot team or workflow:
1. Choose scope: Select one high-risk workflow or shared workspace to monitor (e.g., customer support inbox, shared drive folder, or a core workflow tool).
2. Decide signal(s): Will you review browser extension lists, check document metadata for AI plugin traces, or ask for a weekly self-report of new AI tools used? Log what you select.
3. Notify team: Write a 2-line, plain-English note to your team that you’re starting a lightweight, honest check for unsanctioned AI tools or connections. State that the goal is to find risks together, not to blame.
4. Run the check: Pull the data (plugin lists, AI integration logs, or self-reports). Document any new or mysterious AI tools or connections.
5. Create a detection log: Use the template. Enter:
- Date
- What was flagged
- How it was found
- Initial review notes
- What happens next
6. Debrief: Share findings openly—invite context before labeling risk.
7. Next action: Pinpoint one improvement: a policy update, a clearer data sensitivity note on a workflow, or flag a training need.
You can do this in 15 minutes per team.
Use this at work tomorrow
Run your first 15-minute detection review. Check browser extensions or document logs, note surprises, and bring them to your next team standup.
05
Keep the Pulse: Measure, Refresh, Build Trust
Learn how to routinely measure shadow AI risk, refresh your approach, and keep team honesty alive, using a pulse survey and monthly review to surface blind spots, track progress, and strengthen trust.

Why this matters in the workflow
Shadow AI risk isn't a one-time breach or a box you tick. Risk moves. Staff change tools, workflows evolve, and one brittle policy forgotten for a month is all it takes for leaks and coverups to return. Statistically, over 45% of staff use unsanctioned AI tools, 20% of breaches come from this blind spot, and only a third of companies have ongoing detection (2026 workplace surveys). You can't control risk you don't surface. And you won't surface it if staff feel honesty is punished or pointless.
A lightweight, recurring pulse survey and review keeps honesty alive. It tells you:
- Is the risk dropping or heading underground?
- Are new AI tools or risky workflows emerging?
- Do people still trust the rules, or are they tuned out?
The working model
Quality checklist
Questions are plain English, concrete, and anonymous.
Findings summarized honestly without naming individuals.
At least one clear, specific action or clarification comes from the review.
Summary note is sent to all relevant staff, names the next action, and invites further honesty.
Next survey is calendared with a real owner.
Common mistakes
Making survey results traceable; kills future honesty.
Focusing just on tools, not workflows or why staff break rules.
No concrete changes after the review; staff tune out future pulses.
Summarizing findings in vague, safe language—real risk goes unsurfaced.
Letting cadence slip; a one-off pulse does not build lasting trust.
Checkpoint
Can you run a pulse survey, review findings, turn up at least one actionable change, and report it back to your team?
Exercise
Run Your First AI Risk Honesty Pulse
Your goal: Launch a 3-question anonymous pulse survey and run a rapid group review. Produce a summary showing what you learned, what changed, and who's responsible for action.
Steps:
- Copy the template below. Adjust the three questions for your team/workflows. Ensure anonymity.
- Send the survey to a pilot squad or department. Give 48-72 hours to reply.
- Convene a review group (ops/security lead, one regular user, one outsider/observer). Score responses for honesty, surface any new risks, and agree one policy or detection tweak based on findings.
- Draft a 1-paragraph note to all (even if only the pilot saw the survey) summarizing:
- What you learned (in plain English)
- What will change now (even if small)
- Who owns the next action (a name, not a dept)
- Calendar the next pulse (no longer than 30 days out).
You have 15 minutes to send, review, and summarize the first cycle, even with a pilot team of one.
Use this at work tomorrow
Copy the 3-question template, send it anonymously to your team, and commit to sharing both what you hear and what you will fix—real learning starts after the first loop.
30-day path
Week 1: Deploy discovery survey and interviews to map shadow AI usage.
Week 2: Classify top 10 data types or workflows with the tiering guide.
Week 3: Draft and circulate one-page AI tool policy. Run live read-throughs for clarity.
Week 4: Launch lightweight detection, run first sample review, and share lessons learned.
Day 30: Run the pulse-check and measure honest reporting, data risk drop, and new concerns.
Success signals
Percentage of staff disclosing at least one AI tool use.
Percentage of data assets mapped with a sensitivity tag.
Policy acknowledged by 90%+ of staff within 2 weeks.
Detection system live with at least one risk flagged and reviewed.
30-day reduction in unknown AI tool use or surprise data exposure incidents.
Reflection prompts
Where does this topic show up in real work?
What behavior should change first?
What evidence would prove this Riseplan worked?
Manager checklist
Choose one owner for the behavior change.
Use the exercise on live work.
Review the output before scaling the habit.
Decide what changes after 30 days.
Want this shaped around your company?
Risey can research your company foundation first, then build a version of this path around your real workflows, customers, and culture.
Start with your company