What is Shadow AI and why is it a risk?

Shadow AI refers to AI tools and applications that employees use without formal IT or procurement approval — such as ChatGPT, Midjourney, or Grammarly used for work tasks. Shadow AI is a risk because it may process confidential data, violate GDPR or DORA data-handling rules, introduce unvetted AI sub-processors, and create undisclosed third-party dependencies that regulators now require firms to disclose and manage.

How does RiskImmune discover Shadow AI tools?

RiskImmune connects read-only to Google Workspace or Microsoft 365 via OAuth and scans OAuth-approved app permissions, installed browser extensions, SSO logins, and SaaS subscription spend. It identifies every AI tool in use across the organisation in under 60 seconds — no agents, no IT project required.

How does RiskImmune help with DORA compliance?

RiskImmune automates DORA Article 28 compliance by maintaining a live ICT Third-Party Register of all AI vendors and technology providers, scoring concentration risk, flagging critical ICT providers, and generating the register in the exact format regulators require. It also produces DORA incident reporting templates and continuous ICT risk monitoring evidence.

What is the difference between TPRM and GRC?

GRC (Governance, Risk and Compliance) is the broad discipline covering an organisation's entire risk posture — policies, internal controls, regulatory compliance (ISO 27001, NIS2, DORA, SOC 2), and board reporting. TPRM (Third-Party Risk Management) is a subset that focuses specifically on risks introduced by vendors, suppliers, and technology partners. RiskImmune covers both: its GRC module manages internal compliance frameworks while its TPRM module automates vendor risk scoring using 200+ OSINT signals.

How quickly can I see results with RiskImmune?

The Free Shadow AI Scan delivers a full AI exposure report within 60 seconds of connecting your Google Workspace or Microsoft 365 account. Vendor risk assessments using the AI auto-grader produce scored results in minutes rather than the weeks typically required for manual questionnaire-based assessments. Compliance gap reports against DORA, NIS2, and ISO 27001 are generated immediately upon onboarding.

Is RiskImmune suitable for small businesses or only enterprises?

RiskImmune offers a free Starter tier with self-serve Shadow AI scanning that suits small and mid-size businesses with no upfront cost. The Pro plan at €149/month covers growing teams needing continuous compliance monitoring. Enterprise plans from €15,000/year serve large regulated organisations, financial institutions, and critical infrastructure operators with full DORA, NIS2, and MAS TRM requirements.

Which compliance frameworks does RiskImmune support?

RiskImmune supports DORA (Digital Operational Resilience Act) including Articles 28–30, NIS2 Directive Article 21, ISO 27001:2022 Annex A controls, GDPR Article 28 data processor obligations, SOC 2 Trust Service Criteria, MAS TRM (Monetary Authority of Singapore Technology Risk Management), and the EU AI Act governance requirements. Controls are pre-mapped so compliance evidence is generated automatically.

How does RiskImmune score vendor risk?

RiskImmune scores vendor risk using over 200 OSINT signals gathered automatically — including security posture data from external scanners, breach history, regulatory enforcement actions, data privacy policies, sub-processor disclosures, and financial stability indicators. Scores are mapped to Critical, High, Medium, and Low risk levels and updated continuously so risk teams always have a current view without manual questionnaire chasing.

RiskImmune™ — AI Governance, GRC & Shadow AI Discovery Platform

RiskImmune discovers every AI tool your employees use — sanctioned and shadow — scores their risk automatically using 200+ OSINT signals, and generates continuous DORA, NIS2, and ISO 27001 compliance evidence. Free Shadow AI Scan available. No credit card required.

What is Shadow AI?

Shadow AI refers to AI tools used by employees without formal IT or procurement approval — such as ChatGPT, Midjourney, or Grammarly processing company data. These tools create uncontrolled third-party data-sharing risks and regulatory exposure under DORA Article 28, NIS2 Article 21, and GDPR Article 28.

Platform Features

Shadow AI Discovery — Connect Google Workspace or Microsoft 365 read-only via OAuth. See every AI tool in use across your organisation in 60 seconds.
Automated Vendor Risk Scoring — 200+ OSINT signals score every AI vendor: Critical, High, Medium, Low. No questionnaire chasing.
DORA Compliance — Live ICT Third-Party Register, concentration risk scoring, and Article 28–30 audit-ready exports.
NIS2 Compliance — Supply chain risk management, incident reporting templates, and Article 21 evidence.
ISO 27001:2022 — Automated Annex A control mapping and continuous evidence collection.
GRC Platform — Integrated governance, risk, and compliance management for regulated industries.
TPRM — Third-Party Risk Management with automated questionnaires, document extraction, and vendor monitoring.

Who Uses RiskImmune?

CISOs, GRC teams, IT security, procurement, and legal teams across financial services, fintech, healthcare, and critical infrastructure operators in 15+ countries. Backed by Techstars, Singtel Innov8, and NUS Enterprise.

Frequently Asked Questions

How does RiskImmune find Shadow AI?

RiskImmune connects read-only to Google Workspace or Microsoft 365 via OAuth. It scans OAuth-approved app permissions, SSO logins, browser extensions, and SaaS spend data to identify every AI tool in use — no agents or IT project required. Results appear within 60 seconds.

Which compliance frameworks are supported?

DORA (Articles 28–30), NIS2 (Article 21), ISO 27001:2022, GDPR (Article 28), SOC 2, MAS TRM, and the EU AI Act. Controls are pre-mapped so compliance evidence is generated automatically.

How is vendor risk scored?

Over 200 OSINT signals are gathered automatically — breach history, security posture, regulatory actions, privacy policies, financial stability, and sub-processor disclosures — producing Critical/High/Medium/Low scores updated continuously.

What does RiskImmune cost?

Free Starter tier with self-serve Shadow AI scanning. Pro plan at €149/month. Enterprise from €15,000/year with custom TPRM, Trust Center, and IRM/ERM options.

Get Started

Run your free Shadow AI scan at riskimmune.ai/shadow-ai-scan. Book a 30-minute demo at riskimmune.ai/demo.