# THREAT DOMAIN TAXONOMY: SHADOW AI (UNAUTHORIZED EMPLOYEE EXPERIMENTATION & DATA SPRAWL) ## 1. Standardized Phase Taxonomy (The Threat Lifecycle) While management may frame this as "shadow user innovation" or "employee-led experimentation," from an independent audit and security perspective, Shadow AI represents a systemic failure of asset management, vendor risk management, and data loss prevention. The "threat actor" in this lifecycle is the authorized employee operating outside of governance boundaries, resulting in uncontrolled intellectual property leakage and the ingestion of unvetted, AI-generated artifacts. * **Reconnaissance:** The employee identifies a localized operational friction point (e.g., slow code generation, tedious document summarization) and actively searches for public LLMs, AI SaaS productivity tools, or open-source local models (e.g., via HuggingFace, GitHub) to bypass the friction. * **Weaponization & Delivery (Initial Access):** The employee provisions the Shadow AI tool. This occurs via unauthorized SaaS account creation (often using corporate email credentials), granting third-party OAuth permissions to corporate environments (e.g., "Allow AI-App to read your M365 emails"), or downloading unauthorized local execution environments (e.g., LM Studio, unauthorized IDE extensions). * **Exploitation & Installation (Execution/Persistence):** The employee integrates the unauthorized AI into their daily workflow. They actively feed proprietary corporate data, sensitive PII, or raw source code into the unsanctioned model. The "installation" is the normalization of this opaque workflow, creating a persistent, unmonitored data exfiltration channel. * **Command and Control (C2):** The Shadow AI tool establishes continuous, unmonitored synchronization between the corporate endpoint and the third-party infrastructure. This includes background telemetry, continuous API polling for autocomplete features (e.g., in IDEs), or persistent OAuth tokens maintaining access to enterprise data silos. * **Actions on Objectives (Impact/Exfiltration):** The immediate objective is workflow optimization for the employee. The ultimate *effect* on the organization is massive data exfiltration (where corporate data is ingested into third-party training pipelines), regulatory non-compliance, and the injection of unverified, potentially flawed AI-generated logic or code into the corporate baseline without quality assurance or organizational learning. ## 2. TTP Mapping (Tactics, Techniques, and Procedures) For audit verifiability, this domain maps to MITRE ATT&CK (focusing on Insider Threat and Exfiltration profiles) and ATLAS. * **Reconnaissance:** T1596 (Search Open Technical Databases - employees sourcing models/tools). * **Weaponization & Delivery:** T1199 (Trusted Relationship - bypassing procurement to establish third-party risk); T1078 (Valid Accounts - abusing corporate credentials for unauthorized SaaS). * **Exploitation & Installation:** T1204.001 (User Execution: Malicious Link/File - executing unapproved AI binaries/extensions); AML.T0024 (Exfiltration via ML Inference API - unwitting transfer of IP). * **Command and Control (C2):** T1071 (Application Layer Protocol - HTTP/S API traffic to unsanctioned endpoints). * **Actions on Objectives:** T1567.002 (Exfiltration to Cloud Storage/SaaS); T1005 (Data from Local System - feeding local documents into web prompts). ## 3. Control Intersection and Segregation (The "Kill" Mechanism) * **Reconnaissance** * *Preventive:* Strict Web Content Filtering restricting access to unvetted AI, ML, and software repository categories. * *Detective:* Proxy telemetry highlighting frequent searches or DNS queries for emerging, unsanctioned AI tools. * *Corrective:* Dynamic updates to web filtering blacklists based on emerging threat intelligence regarding high-risk AI applications. * **Weaponization & Delivery** * *Preventive:* Application Control / Whitelisting (e.g., Windows AppLocker) enforcing explicit deny-by-default for unapproved binaries and browser extensions. Cloud Access Security Broker (CASB) blocking unauthorized SaaS logins or OAuth integrations. * *Detective:* EDR alerting on the installation of unapproved software. CASB alerts on "Shadow IT" discovery (new cloud apps connected to corporate identities). * *Corrective:* Automated revocation of unsanctioned OAuth tokens via IdP (Identity Provider) intervention; EDR-driven quarantine of unapproved local binaries. * **Exploitation & Installation** * *Preventive:* Endpoint Data Loss Prevention (DLP) enforcing strict restrictions on clipboard copy/paste volume and file uploads to unclassified web domains. * *Detective:* DLP alerting on the transmission of sensitive regular expressions (e.g., API keys, PII, source code syntax) to unauthorized URLs. * *Corrective:* Real-time DLP blocking of the data transfer; automated alert generation to the employee's direct manager and the Security Operations Center (SOC). * **Command and Control (C2)** * *Preventive:* Zero Trust Network Access (ZTNA) policies restricting API communication exclusively to sanctioned, internally hosted AI gateways. * *Detective:* SIEM correlation of anomalous outbound data transfer volumes originating from standard user endpoints to known AI API IP ranges. * *Corrective:* Dynamic firewall isolation (dropping outbound API connections) for endpoints exhibiting Shadow AI traffic patterns. * **Actions on Objectives** * *Preventive:* Mandatory peer-review and automated static application security testing (SAST) for all code commits to detect AI-generated vulnerabilities prior to production. * *Detective:* Behavioral analytics identifying employees exhibiting unnatural productivity spikes corresponding with unauthorized AI network traffic. * *Corrective:* Formal disciplinary action per the Human Resource Management Policy; mandatory rollback of code/artifacts generated via unvetted Shadow AI tools. ## 4. Telemetry and Evidence Generation To satisfy audit requirements, the following immutable logs must be generated and routed to a centralized, WORM-compliant SIEM: * **CASB & Web Proxy Logs:** Comprehensive records of all web requests, categorized by SaaS application, including upload/download byte counts to identify shadow usage and exfiltration volume. * **IdP OAuth Consent Logs:** Immutable logs from Azure AD / Google Workspace detailing exactly which employees granted third-party AI applications access to corporate data APIs. * **Endpoint DLP Telemetry:** Granular logs capturing specific policy violations (e.g., "User attempted to copy 500 lines of proprietary source code into external browser tab X"). * **EDR Application Execution Logs:** Detailed process creation telemetry proving the presence or execution of unsanctioned local AI runtimes (e.g., Ollama, LM Studio). ## 5. Auditor’s Perspective (CCCE Application) * **Criteria:** Information Security and Asset Management frameworks require that all software, SaaS, and data processing tools undergo rigorous third-party risk assessments, legal review, and architectural approval prior to deployment. Enterprise data must be restricted to sanctioned, monitored environments via strict CASB and DLP enforcement. * **Condition:** First Line management often turns a blind eye to or implicitly encourages "Shadow AI" usage under the guise of "innovation" or "productivity." Employees freely bypass procurement and security testing, leveraging public AI tools with corporate data via unmonitored web browsers or unauthorized IDE extensions. * **Cause:** High operational friction in the authorized IT provisioning process, coupled with a lack of a clear, enterprise-approved "paved road" for safe AI adoption. The Second Line (Risk/Compliance) has failed to enforce technical hard-blocks (CASB/DLP), relying instead on easily ignored, passive Acceptable Use Policies. * **Effect:** The organization suffers unquantifiable data exfiltration, breaching client confidentiality and regulatory frameworks (e.g., GDPR). Furthermore, the ingestion of unvetted, AI-generated code introduces systemic vulnerabilities into the corporate environment, while organizational learning is obstructed because "innovation" occurs in opaque, unrepeatable, individual silos. * **Recommendation:** Management must eliminate operational sympathy for "shadow innovation." Strict technical controls (CASB, Application Whitelisting, Endpoint DLP) must be immediately configured to hard-block all unsanctioned AI tools. Concurrently, management must provision a sanctioned, strictly monitored internal AI gateway to satisfy operational demand without compromising corporate governance.