Employees are submitting customer records, credentials, and confidential documents into AI tools, leaving your organization liable.
ShadowLock is the shadow AI detection platform for MSPs and IT teams: the visibility to see it and the controls to stop it.
ChatGPT, Claude, Gemini accessed via personal accounts: no enterprise contract, no DPA, no audit trail.
Sidebar assistants and email rewriters that read content across every site employees visit, including clipboard data.
Copilot and AI writing features inside approved SaaS apps, activated without any security review.
Claude Desktop, ChatGPT app, Ollama, and LM Studio running entirely outside browser-based controls.
GitHub Copilot, Cursor, and similar tools with broad file access. Proprietary code and credentials directly at risk.
Otter.ai, Fireflies, and similar tools recording and processing internal calls, clinical discussions, and client meetings.
Patient data pasted into public AI tools without a BAA in place triggers HIPAA exposure. No breach required.
Customer PII processed through unapproved vendors with no DPA, no lawful basis, and no compliant transfer mechanism.
Source code, contracts, and product plans submitted to public AI. Failing to control access can weaken trade secret protections.
When a client has an AI-related incident and you had endpoint scope, the gap between "not our job" and "you should have known" is where claims live.
Personal-account AI tools run under consumer terms: no DPA, no BAA, no incident notice obligation. The protection you assumed doesn't exist.
Without prior visibility you can't answer which tool, which account, or what data was involved, breaking triage, notifications, and defensibility.
ShadowLock covers the full AI surface: browser, desktop app, and cloud tool, without enterprise-level deployment complexity or dedicated security engineering.
Deployed silently to Windows endpoints via your existing RMM. Monitors AI activity, scans browser extensions, detects local AI apps, and locks down the AI built into Chrome, Edge, Brave, and Firefox. Zero user interaction.
Self-configures once the agent is installed. Intercepts pastes, file uploads, and sensitive data typed straight into prompts, enforces the data-sharing opt-out on each AI tool, and applies your policies with clear user-facing messages.
Connects to each customer's Microsoft 365 tenant via Microsoft Graph and scans for AI apps that have been granted OAuth access: Copilot plugins, third-party AI add-ins, and other AI service principals. New connections trigger a critical alert automatically, with no endpoint required.
Detects navigation to known AI domains and enforces your access policy before anything is pasted. Domain list stays current automatically.
Stops paste events and file uploads before content reaches the AI tool. PII, credentials, SSNs, and card data classified entirely within the browser.
Flags known AI sidebars and writing tools, plus unknown extensions with high-risk permissions that can read sensitive content on every page.
Surfaces AI exposure that browser controls never reach: offline tools, local LLMs, and developer-facing apps running outside any web policy.
Reads the signed-in identity on any AI site and blocks personal or unauthorized accounts from sending prompts until a corporate account is verified. Website-agnostic, no per-site setup.
Cross-org risk view, alert workflows, device inventory, and policy management: everything an MSP needs to govern AI risk across all customers from one place.
Catches sensitive data as it's typed into a prompt, not just pasted, and redacts the value from the request before the model sees it. The user keeps their flow; the secret never leaves.
Reads each AI tool's real "train on my data" setting and blocks prompts until it's switched off. Grounded for ChatGPT, Claude, Perplexity, Le Chat, Copilot, and Grok.
Disables the AI built into browsers by enterprise policy: Gemini in Chrome, Copilot in Edge, Leo in Brave, and Firefox AI. Locked, with drift detection if anyone re-enables it.
Blocks Google Search's conversational AI Mode, redirecting it back to standard results while ordinary search stays untouched. A surface no browser policy can reach.
Set allow, warn, and block policies per AI tool, per organization, and per user. Changes propagate to every online endpoint within minutes.
| AI Tool | Surface | Action |
|---|---|---|
| ChatGPT | Paste | 🚫 Block |
| ChatGPT | File Upload | 🚫 Block |
| Claude | Site Access | ⚠️ Warn |
| Gemini | Personal Acct | 🚫 Block |
| Perplexity | Site Access | ✅ Allow |
| Ollama | Desktop App | ⚠️ Warn |
AI adoption is outpacing governance in almost every organization. Three things make waiting more expensive than acting.
The average organization already has 8 AI apps in active use. Most of that use is happening without approval or any governance framework.
Employees on managed devices using AI through personal accounts are completely outside your policies, your logging, and every enterprise control. It looks like personal browsing. The data exposure is not.
Security questionnaires, cyber insurance renewals, and compliance reviews now include AI governance questions. "We didn't have visibility" doesn't reduce liability. It creates it.
Cross-organization view of every client's AI exposure. Push policy changes to hundreds of endpoints and generate customer-ready reports, before an incident forces the conversation.
See which AI tools employees are using, what data they're pasting, and which extensions are risky. Configure allow/warn/block without a complex rule engine. Alerts that matter, not thousands of low-signal events.
Risk signals, not content. Sensitive data is classified locally and never transmitted. You get the evidence to act, without capturing what employees type or read.
Sensitive data is never sent to the backend. Only the data type and a reference are logged. You know something sensitive was pasted, but not what it said.
Upload events log the filename, type, and size. File contents are never read or stored, by design and not just by policy.
Keystroke logging is explicitly out of scope, technically and legally. ShadowLock monitors AI interaction events, not what employees write.
All agent-to-backend communication is encrypted. EU deployments support EEA data residency requirements.
Default 90-day event retention, configurable per organization. Data lifecycle controls built in from day one.
Partners confirm employee disclosure compliance before onboarding each organization. Consent is enforced in the deployment workflow, not just the documentation.
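As an added illustration of the event model described above (not ShadowLock's own code): the classifier runs locally, the event it emits carries only the data type and a salted reference for correlation, and the value itself is redacted before anything leaves the endpoint. The detector patterns, the org salt, the event shape and the sample text are all assumptions constructed for this example.

```python
import hashlib
import re

# Assumed detector patterns for three data classes the page names: SSN, card data, credentials.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
    "credential": re.compile(r"(?i)\b(?:password|passwd|api[_-]?key|secret)\s*[:=]\s*\S+"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used to drop long digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_prompt(text: str, tool: str, surface: str,
                    org_salt: str = "ORG_SALT_PLACEHOLDER") -> tuple:
    """Return (event, redacted_text). The event records only the data type and a
    salted reference (so repeats of the same secret correlate), never the value."""
    findings, redacted = [], text
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if kind == "card" and not luhn_ok(re.sub(r"[ -]", "", value)):
                continue  # digit run that fails Luhn: not treated as card data
            ref = hashlib.sha256(f"{org_salt}:{value}".encode()).hexdigest()[:16]
            findings.append({"type": kind, "ref": ref})
            redacted = redacted.replace(value, f"[{kind.upper()} REDACTED]")
    event = {"tool": tool, "surface": surface, "findings": findings,
             "action": "block" if findings else "allow"}
    return event, redacted


# Constructed sample of text a user might paste into a prompt; not real data.
SAMPLE = ("Summarize: SSN 123-45-6789, card 4111 1111 1111 1111, "
          "password=hunter2, ref 1234 5678 9012 3456")

if __name__ == "__main__":
    event, safe = classify_prompt(SAMPLE, "ChatGPT", "Paste")
    print(event)  # types and references only
    print(safe)   # what would actually be allowed to reach the AI tool
```

The trailing 16-digit run in the sample fails the Luhn check and is left untouched, which is the kind of false positive a local classifier has to handle before blocking a paste.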
Pay per managed device. Volume discounts apply automatically. The more devices you monitor, the lower your per-device rate.
See the full pricing breakdown, or compare ShadowLock to DNS filters, DLP suites, and browser-isolation tools.
| Devices | Rate |
|---|---|
| 1–99 devices | $1.00/device |
| 100–249 devices | $0.95/device |
| 250–499 devices | $0.90/device |
| 500–999 devices | $0.85/device |
| 1000+ devices | $0.80/device |
No charge until your trial ends. Cancel anytime.
One plan, full feature set. Every customer gets all capabilities. No feature tiers.
Guide: The plain-English guide to shadow AI: what it is, why every modern IT team has it, and how to detect it.
How-to: A practical guide to detecting ChatGPT and other AI tool usage on company endpoints: what to look for and how to act on it.
Compliance: How unapproved AI tools quietly break SOC 2 compliance, and what auditors are starting to check.
Shadow AI is the use of AI tools, like ChatGPT, Gemini, Claude, or Copilot, by employees without IT approval or oversight. It is the AI-era equivalent of shadow IT and creates risk because sensitive company data can be pasted into AI services that have no data processing agreement, no audit trail, and no compliance coverage.
ShadowLock combines a Windows endpoint agent and a managed browser extension to detect both desktop AI apps and web-based AI usage. It identifies which tools employees are using, flags pastes of sensitive data into AI prompts, and reports every event to your central dashboard in real time.
Yes. ShadowLock detects AI tool usage at the endpoint and browser layer, so it sees activity regardless of which account is signed in: corporate SSO, a personal Google account, or no account at all. This closes the most common shadow AI gap that network-only tools miss.
ShadowLock helps IT and security teams meet the access control, audit, and data protection requirements relevant to HIPAA and SOC 2. By preventing sensitive data from being pasted into unapproved AI tools and producing an audit trail of every event, ShadowLock supports the technical controls auditors increasingly expect for AI usage.
Deploy ShadowLock in minutes via your existing RMM. Get visibility across every AI tool in your customer environments, before an incident, an audit, or a client question forces the conversation.
14-day free trial · Cancel anytime