Shadow AI Remediation

Shadow AI Remediation provides real-time visibility and control over how AI tools are being used by employees, and just-in-time remediation through guided playbooks.

AI detection includes:

  • GenAI and AI orchestration web applications.
  • GenAI applications registered to the IdP.
  • GenAI browser extensions.

Configuration Phases

To get started, you must complete the following steps:

  1. Deployment Configuration

  2. Discovery and Visibility Configuration

  3. Policy Configuration

Deployment Configuration

To get started, you first need to configure your Identity Provider and connect it to Shadow AI Remediation. Once connected, deploy the browser extension in your environment to allow Shadow AI Remediation to discover and monitor user-related AI activities.

Configuring Your Identity Provider

To get started, you must first configure your Identity Provider and connect it to Shadow AI Remediation to provide visibility into AI usage and risk in your organization.

Deploying the Browser Extension

After configuring your Identity Provider and connecting to Shadow AI Remediation, you must deploy the browser extension in your environment to discover user-related activities.

Notes

  • The browser extension does not distinguish between a user’s personal activities and business activities, and will capture personal activities conducted using any browser in which the extension is deployed. It is your responsibility to ensure that the collection and use of personal activity data complies with applicable law and contract terms. Contact your legal department with any questions.
  • All privacy-related features can be managed and optionally disabled. Refer to Configuring Privacy Controls for additional information.

Discovery and Visibility Configuration

Shadow AI Remediation comes with a pre-populated list of common GenAI applications. You must ensure that all GenAI applications permitted by your organization’s policy, including home-grown ones, are added to Shadow AI Remediation. This ensures that every GenAI application, including home-grown ones, is included in inventories, dashboards, and activity logs.

First review the generative-ai-apps list. If a sanctioned GenAI application is not listed, create a Custom Application to add the application, and then add it to the following list:

  • generative-ai-apps - Ensures the application will appear in the GenAI inventory and dashboards.

If you are unable to add a custom application because its URL overlaps with an existing domain of a SaaS application in the global application database, add the application to the following list instead:

  • generative-ai-hostnames - Ensures the application is covered by the GenAI dashboards and logs. For example, application.acme.com.

Policy Configuration

To implement your organization's GenAI policy, you must first identify sanctioned applications and define usage rules. Once established, these policies are enforced by configuring, testing, and enabling playbooks that manage how users interact with both approved and non-sanctioned AI tools.

Define the sanctioned GenAI applications

To ensure GenAI applications are permitted and blocked in line with your organization's AI policy, you must configure Shadow AI Remediation with your organization’s sanctioned GenAI applications.

Sanctioned GenAI applications, whether a well-known mapped SaaS application, such as Microsoft Copilot, or a custom application you have added, must be added to the following list:

  • generative-ai-sanctioned-apps - Ensures playbooks are not triggered by sanctioned applications.

Sanctioned applications that were mapped by their domains should be added to the following list:

  • generative-ai-sanctioned-hostnames - Ensures playbooks are not triggered by sanctioned applications that were mapped based on their hostnames.
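The following is an added example, not SailPoint's own code, that models how the four lists described above (generative-ai-apps, generative-ai-hostnames, generative-ai-sanctioned-apps, generative-ai-sanctioned-hostnames) decide whether an observed activity appears in the GenAI inventory and whether a playbook fires, and lints a configuration for sanctioned entries that are missing from a discovery list. It assumes a hostname entry matches an observed hostname when it is equal to it or a parent domain of it, and that a sanctioned entry absent from a discovery list never reaches the inventory; both are assumptions to verify against the product, and all list entries other than Microsoft Copilot and application.acme.com are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class GenAILists:
    # The four lists named on this page; the entries in SAMPLE below are constructed.
    apps: frozenset                  # generative-ai-apps
    hostnames: frozenset             # generative-ai-hostnames
    sanctioned_apps: frozenset       # generative-ai-sanctioned-apps
    sanctioned_hostnames: frozenset  # generative-ai-sanctioned-hostnames

def host_matches(hostname: Optional[str], entries) -> bool:
    """Hostname equals an entry or is a subdomain of it (assumed matching rule)."""
    if not hostname:
        return False
    h = hostname.lower().rstrip(".")
    return any(h == e or h.endswith("." + e) for e in entries)

def classify(app_name: Optional[str], hostname: Optional[str], lists: GenAILists):
    """Return (in_inventory, triggers_playbook) for one observed activity."""
    is_genai = app_name in lists.apps or host_matches(hostname, lists.hostnames)
    if not is_genai:
        return (False, False)  # not GenAI: absent from dashboards, no playbook
    sanctioned = (app_name in lists.sanctioned_apps
                  or host_matches(hostname, lists.sanctioned_hostnames))
    return (True, not sanctioned)  # playbooks fire only for non-sanctioned GenAI use

def lint(lists: GenAILists):
    """Sanctioned entries missing from a discovery list (assumed: such an entry
    would suppress playbooks but never show up in the GenAI inventory)."""
    problems = [f"sanctioned app not in generative-ai-apps: {a}"
                for a in sorted(lists.sanctioned_apps - lists.apps)]
    problems += [f"sanctioned hostname not in generative-ai-hostnames: {h}"
                 for h in sorted(lists.sanctioned_hostnames)
                 if not host_matches(h, lists.hostnames)]
    return problems

SAMPLE = GenAILists(  # constructed configuration
    apps=frozenset({"Microsoft Copilot", "Public Chatbot", "Acme Assistant"}),
    hostnames=frozenset({"application.acme.com"}),
    sanctioned_apps=frozenset({"Microsoft Copilot", "Acme Assistant"}),
    sanctioned_hostnames=frozenset({"application.acme.com"}),
)

if __name__ == "__main__":
    for app, host in [("Microsoft Copilot", "copilot.example"),
                      ("Public Chatbot", "chat.vendor.example"),
                      (None, "api.application.acme.com"),
                      ("Payroll", "payroll.acme.com")]:
        print(app, host, classify(app, host, SAMPLE))
    print(lint(SAMPLE))
```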

Decide Desired Policy

Before configuring and enabling playbooks, you must determine your GenAI policy. This will help you decide which playbooks to enable and whether to limit the number of times the playbook should be triggered for non-sanctioned applications.

Policy Configuration and Testing

Once you have determined your organization's GenAI policy, you can configure and enable the desired playbooks. After they're configured, you can deploy and test them.

User Levels and Permissions

To administer Shadow AI Remediation, users must be assigned the Org Admin user level. For read-only access, users must be assigned either the Cert Admin, Helpdesk Admin, or Report Admin user level. For more information about these user levels and their permissions, refer to User Level Access Matrix.

  • Global Administrator - Has full access to the admin console and can configure and manage all aspects of the product. Can also configure system configurations and define privacy controls.
  • Read-only Administrator - Has limited access to the admin console. They can retrieve and view data, but cannot make modifications or deletions.

Accessing Shadow AI Remediation

To access the Shadow AI Remediation portal:

  1. Select the SailPoint Solutions Center icon in the upper-left corner.

  2. Select the Shadow AI Remediation tile.