The AI Apps Your Employees Are Already Using and Why Your PE Diligence Missed Them

Shadow AI does not appear in vendor contracts, IT registers, or standard diligence reports. It lives in browser activity, employee workflows, and ungoverned tool adoption. For private equity buyers, the real risk is not whether AI is being used, but whether you can see it before you inherit it.

Shadow AI Due Diligence: Find Hidden AI Apps Before Close
Learn how Shadow AI due diligence helps PE firms uncover unsanctioned AI tools, data privacy risks, IP exposure, and hidden AI usage before deal close.

How ShadowSense detects unsanctioned AI tool adoption before it becomes a data room problem

There is a category of risk sitting inside every portfolio company you have evaluated in the last two years, and it did not appear in a single vendor contract, IT register, or compliance questionnaire. It is browser-level AI tool adoption, it is happening at scale right now, and traditional private equity diligence has no mechanism to find it.

This is not a theoretical concern. It is a live operational reality playing out across mid-market businesses every day. According to a 2026 global survey on AI and cybersecurity covering nearly 900 C-suite, board, and IT leaders, two-thirds of organisations are experiencing unmanaged AI exposure, with 68% of medium-sized businesses reporting only partial or no visibility into the AI tools their employees are using. The employees are not being reckless. They are solving problems with the tools that work. The problem is that no one above them knows it is happening, and the implications for data privacy, regulatory compliance, and deal valuation are significant.

The Invisible Stack That Is Already There

When a PE firm or its advisors conduct a technology diligence review, the standard approach involves reviewing sanctioned software contracts, querying the IT asset register, and sometimes running SSO or identity provider exports. This methodology is thorough for the IT stack that was formally approved. It tells you almost nothing about what employees are actually using through their browsers every day.

The gap between the two is where shadow AI lives.

Across SaaSrooms-monitored organisations, ShadowSense, the browser-level visibility layer built into the SaaSrooms platform, consistently surfaces unsanctioned AI tool activity that sits entirely outside the official stack. In a 30-day window observed across one SaaSrooms customer, a media production business with just under 200 employees, ChatGPT alone recorded 75,708 browser sessions from 62 unique users. Claude registered 6,787 sessions across 40 users, and Google Gemini logged 23,287 sessions from 78 users. None of these were in the company’s formal software register. All of them were active, habitual, and invisible to the IT and compliance functions.

In a separate staffing and professional services organisation monitored by SaaSrooms, ChatGPT showed 44,340 sessions from 79 unique users in the same period, and Claude added a further 1,289 sessions. Again, these tools had not been formally procured, had not been reviewed for data privacy compliance, and would not have appeared in any standard diligence output.

These are not anomalies. They are the norm. Global research drawing on nearly 900 respondents across C-suite, board, and IT leadership reinforces this at scale: even among large organisations with revenues above $5 billion, only 53% report full visibility into employee AI tool usage. That means 47% of the most well-resourced businesses in the market are operating with meaningful blind spots in their own AI stack.

Why This Matters for PE Due Diligence

Private equity diligence has become increasingly sophisticated on technology risk, driven partly by GDPR enforcement, the rise of cyber insurance underwriting, and a stronger investor focus on data governance at the point of acquisition. Yet the methodology remains structurally blind to browser-level behaviour.

The question is not whether employees at a target company are using AI tools. They are. The question that diligence needs to answer is which tools, how often, with what data, and whether there are any compliance, licensing, or liability exposures that the acquirer is about to inherit.

The same research also surfaces a perception gap that should concern any investor relying on management representations during diligence. While 45% of IT and operational leaders say AI has significantly increased cyber risk in their organisations, only 30% of C-suite and board leaders share that view. When the people signing off on data governance questionnaires are materially less aware of the risk than the people living with it day to day, the reliability of self-reported diligence outputs is fundamentally compromised.

Consider what is at stake in any one of the following scenarios. A sales team has been using a consumer-tier ChatGPT account for 14 months to draft client proposals. Those proposals contained pricing data, customer names, and commercial terms. The data was processed under OpenAI’s standard consumer terms, not enterprise data processing agreements. Under GDPR Article 28, that potentially constitutes an unlawful data processing arrangement with a third-party sub-processor that was never identified or contracted.

An operations team has been using a free AI writing tool to summarise internal reports. That tool’s free tier explicitly retains user inputs to train future models. Confidential operational data is now, in all probability, part of a third-party model training dataset.

A technology team has been using an AI code completion tool under a personal licence, not a business one. The intellectual property terms of that tool attribute co-authorship in a way that complicates clean IP ownership for any software the company has built or is building.

None of these scenarios require bad actors or negligent behaviour. They require only that employees used the tools available to them to do their jobs better. But from the perspective of an acquirer valuing a business, these are real liabilities.

What ShadowSense Sees That SSO Cannot

The reason these exposures persist is structural. Single Sign-On logs capture identity events for formally provisioned applications. If an employee navigates directly to chatgpt.com, gemini.google.com, or any of the dozens of AI productivity tools available today and authenticates with their personal account or no account at all, that activity generates no SSO event. It is invisible to Okta, Azure AD, and Google Workspace audit logs alike.

ShadowSense operates differently. As a browser-level extension deployed across an organisation’s managed devices, it observes domain-level web activity directly and maps it against SaaSrooms’ application catalogue. The result is a view of what employees are actually accessing, regardless of authentication method or procurement status. There is no dependency on identity infrastructure, no reliance on self-reporting, and no way for an individual tool to be invisible simply because it was not formally onboarded.

This is precisely why the data coming out of ShadowSense tells a different story from the IT register. In the organisations SaaSrooms monitors, the AI tool footprint captured through browser signals is consistently larger than what the formal stack suggests, often by a significant margin. The pattern across sectors is consistent: consumer AI tools used at scale, under personal terms, with no organisational visibility or governance.

The Three Risks That Diligence Needs to Price

Data Privacy and Regulatory Exposure

GDPR, the UK Data Protection Act, and equivalent frameworks globally require organisations to maintain a record of processing activities and to ensure that any third party processing personal data on their behalf is subject to a data processing agreement. Consumer AI tools, used by employees through personal accounts, almost universally fail this requirement. The liability for any enforcement action following an acquisition falls to the acquirer if it is not identified and remediated prior to close. ShadowSense surfaces this exposure before it becomes a data room problem by identifying which AI tools are in active use, how broadly, and whether they sit outside contractual governance.

Intellectual Property and Data Leakage Risk

Employees processing commercially sensitive information through unsanctioned AI tools create potential IP and confidentiality risks that are genuinely difficult to quantify post-acquisition. In one SaaSrooms-monitored instance, ShadowSense identified that a significant proportion of a company’s workforce was regularly accessing a third-party AI summarisation tool with no enterprise data protection provisions. The content being summarised included board-level documents and commercially sensitive financial data. The acquirer was able to identify this risk during diligence rather than after close, allowing it to price the remediation cost into the deal and require a governance remediation plan as a completion condition.

Cost Normalisation and License Rationalisation

Shadow AI creates a hidden cost problem as well as a compliance one. The data found that 32% of organisations identify implementing more stringent vendor security standards as their top priority for managing embedded AI risk in third-party software. This is telling: the majority of organisations recognise that AI risk is increasingly arriving not through employee-installed tools but through vendor platforms that embed AI features without explicit customer approval or governance oversight. Organisations frequently discover, through ShadowSense, that they are paying for enterprise AI tools through formal procurement while simultaneously having large portions of the workforce using competing tools through free or personal accounts. This creates an opportunity at the portfolio level to rationalise licences, negotiate better enterprise pricing, and bring unsanctioned usage under governance frameworks that actually protect the business. For PE investors focused on operational value creation post-acquisition, this is a meaningful efficiency lever.

What Good Governance Looks Like Post-Acquisition

The value of identifying shadow AI exposure is not to stop employees using effective tools. Attempting to prohibit AI adoption in a modern workforce is not a governance strategy. The same research found that only 41% of organisations have a formal AI governance framework in place at all, yet where those frameworks exist, leaders consistently report stronger visibility, higher confidence in their controls, and better ability to manage third-party AI risk. Governance, in other words, is not bureaucracy. It is the mechanism through which visibility converts into assurance. The value is in bringing that adoption into a framework that protects the organisation, its customers, and its intellectual property while enabling employees to continue working productively.

For PE-backed businesses, this typically means three things following identification through a platform like SaaSrooms. First, a classification of AI tools by risk level, distinguishing between tools with enterprise data processing agreements and those operating under consumer terms. Second, a formal acceptable use policy that acknowledges the reality of AI tool adoption and provides a clear governance pathway for employees who want to use tools not yet on the approved list. Third, ongoing browser-level monitoring to ensure that new tools are surfaced quickly and assessed before they become embedded in workflows at scale.

The window between initial adoption and deep workflow integration is short. ShadowSense data consistently shows that unsanctioned tools move from isolated usage to organisational habits within weeks, not months. The sooner that visibility exists, the lower the remediation cost and the simpler the governance conversation.

The Diligence Question That Changes the Deal

There is a version of every technology diligence process that ends with a clean IT register, a tidy list of contracted vendors, and a comfortable sign-off on data governance. That version misses the most important question.

The question is not what software the IT team approved. It is what the workforce is actually using, at the browser level, every day, with data that belongs to the business. For the majority of mid-market targets today, those are two materially different answers, and the gap between them is where unpriced risk lives.

Buyers who understand this shift their diligence posture from reviewing the sanctioned stack to observing real behaviour. That shift is not complicated. It requires visibility tools that operate at the layer where employee behaviour actually happens, surfaces AI tool adoption as it exists rather than as it was intended, and translates browser-level signals into the compliance and IP risk language that deal teams and their advisors already understand.

The businesses that will navigate the AI adoption era well are not the ones that prohibit unsanctioned tools most aggressively. They are the ones that see clearly, govern decisively, and never walk into a transaction carrying risks they did not know to look for.

That kind of clarity is now possible. The only question is whether you find this risk during diligence, or inherit it after the deal is done.

Find Shadow AI Before the Deal Closes

Schedule a 30-minute SaaSrooms consultation to uncover unsanctioned AI tools, browser-level usage, and hidden data risks before acquisition, with full visibility, compliance insight, and disciplined AI governance.
LinkedIn
Twitter
Facebook
Email

Tell us about your stack

We will analyse your portfolio and send your personalised report within 48 hours.

Newsletter

Sign up to the SaaSrooms newsletter to get updates, news, and insights.

Book a Call to Get Started

Take a free 30 minute opportunity assessment to identify your savings potential. Get a personalised action plan to maximise your ROI.

SaaSrooms adapts to your needs to reduce risk, cut your SaaS costs, and streamline procurement.