Journal
Shadow AI
AI Inventory
EU AI Act
Article 9
Data Governance

Shadow AI Discovery: How to Inventory Every LLM in Your Organisation

3 June 2026

Shadow AI Discovery: How to Inventory Every LLM in Your Organisation

Audience: Chief Privacy and Information Officer (CPIO) Subject: Eliminating the AI Inventory Gap and Enforcing EU AI Act Compliance

1. Executive Summary: The Regulatory Cliff

As of June 2026, your organisation is exactly 60 days away from the August 2, 2026 enforcement deadline of the EU Artificial Intelligence Act (Regulation (EU) 2024/1689). Beyond this date, the grace period for unmanaged AI experimentation ends and the era of technical enforcement begins.

The most critical hurdle to your compliance posture is the Inventory Gap. Current industry data reveals that over 50% of EU organisations lack a systematic inventory of the AI systems they actually operate. Without a complete, real-time "routing table" of AI traffic, your organisation faces unquantified liability under Article 9 (Risk Management) and Article 49 (Registration).

2. The Problem: The Failure of Process-Based Compliance

2.1 The Shadow AI Crisis

Shadow AI — the unsanctioned use of Large Language Models by employees — has become the primary driver of corporate data leakage. Employees are adoption-oriented, often pasting confidential customer data, intellectual property, or trade secrets into consumer-grade tools like ChatGPT or Claude to solve immediate productivity needs.

2.2 Why Manual Surveys and Form-Based Registries Fail

Traditional compliance relies on manual surveys where department heads self-report the tools they use. This is fundamentally flawed for three reasons:

  • Invisibility of Embedded AI: SaaS vendors frequently embed generative AI features into existing, approved platforms (CRMs, HRIS, project management tools) overnight without notification.
  • Decentralised Development: Developers often call AI APIs in production scripts or side projects that bypass standard procurement gates.
  • The Documentation Trap: Competitors like Modulos, Daiki, or EQS sell "paper controls" — documentation templates and registries. While useful for audits, these tools do not sit in the traffic path and cannot physically stop an employee from using an unapproved tool.

The CPIO Pain: You cannot govern what you cannot see. If a high-risk AI system is operating in "shadow mode" without registration, the organisation is in direct violation of Article 49, facing fines of up to €35 million or 7% of global annual turnover.

3. The NordClaw Solution: Discovery via Interception

NordClaw shifts your posture from "process-based compliance" to "infrastructure-based enforcement." Instead of asking employees what they use, NordClaw observes what is actually happening.

3.1 The Transparent Proxy (api.nordclaw.eu)

NordClaw acts as a transparent proxy that sits directly between your organisation's users and any LLM provider, running on Google Cloud Run in europe-west3 (Frankfurt). By changing a single environment variable (BASE_URL), all AI traffic is routed through a sovereign EU-hosted endpoint.

  • Auto-Discovery: The proxy identifies every distinct LLM being called across the network from live traffic — building your model inventory automatically from day one.
  • Identity Mapping via SSO: Unlike standard provider dashboards that show only aggregate token counts, NordClaw integrates with Microsoft Entra ID or Google Workspace via Firebase Auth. Every request is mapped to a named human, department, and role through tenant_id custom JWT claims injected at sign-in.

3.2 Technical Reality vs. Claims

While US-based platforms may offer similar technical features, they are subject to the US CLOUD Act, creating a permanent GDPR Article 44 conflict for EU companies. NordClaw runs entirely within Google Cloud europe-west3 — EU-native jurisdiction — ensuring the data residency guarantee is technical, not just contractual.

4. Regulatory Alignment: Satisfying the EU AI Act

Automated discovery is not a luxury; it is the prerequisite for the following legal obligations:

  • Article 9 (Risk Management System): Requires identifying and analysing all AI systems. NordClaw provides the exhaustive list of systems that must enter this process — derived from live traffic, not self-reporting.
  • Article 49 (Public Database Registration): Mandates that high-risk systems be registered. NordClaw's inventory ensures no high-risk embedded tool (e.g., an AI resume screener in an HR tool) operates in shadow mode.
  • Article 26(6) (Logging Obligations): Requires deployers to retain automatically generated logs for at least six months. NordClaw initiates this immutable audit trail — stored in Google Cloud SQL for PostgreSQL 15 — the moment traffic is intercepted.

5. Value Realisation Across the Organisation

5.1 Human Resources

HR is frequently classified as high-risk under Annex III of the Act. NordClaw's discovery engine surfaces any AI tools being used for applicant ranking or performance monitoring, immediately triggering mandatory Human-in-the-Loop (HITL) approval gates.

5.2 Finance & C-Level

For the CFO, Shadow AI represents unquantified spend. NordClaw provides per-trace cost attribution, tagging every prompt and retrieval with its model, token count, and cost in cents — stored in Cloud SQL and surfaced through the CISO dashboard. This transforms "Shadow AI" from a hidden cost into a manageable line item.

5.3 IT & Cybersecurity

IT gains a real-time "routing table" of all AI traffic. This enables the decommissioning of insecure endpoints or the redirection of traffic to your "Walled Garden" of security-screened integrations. Custom integration workflows run inside isolated Podman containers via the NordClaw ZeroClaw agent plane, ensuring no integration can exfiltrate data outside its permitted scope.

6. Comparison: NordClaw vs. The Market

FeatureNordClawGovernance tools (Daiki / EQS)US platforms (TrueFoundry)
Real-time interception✅ Yes❌ No✅ Yes
Auto-inventory discovery✅ Yes❌ Manual only✅ Yes
SSO identity mapping✅ Firebase Auth / Entra ID❌ No⚠ Partial
EU sovereign hosting✅ GCP europe-west3⚠ Conditional❌ US (CLOUD Act)
Compliance export (Art. 26)✅ One-click PDF / CSV❌ No❌ No

7. The 90-Day Compliance Readiness Sprint

To move from total blindness to full technical visibility before the August deadline:

  • Days 1–30 (Visibility): Activate the proxy (45-minute Workspace Setup Wizard) and generate the AI Model Inventory from live traffic.
  • Days 31–60 (Hardening): Enable PII Redaction using the Rust ONNX engine across all EU languages, ensuring no personal data leaves the europe-west3 perimeter.
  • Days 61–90 (Documentation): Generate pre-filled DPIA and FRIA templates based on the actual usage patterns discovered during the sprint.

8. Conclusion: From Worry to Control

In the post-August 2026 landscape, a lack of inventory is a lack of compliance. Manual surveys are no longer defensible in a regulatory audit. NordClaw provides the only EU-native solution that combines real-time interception with automated governance documentation.

By deploying NordClaw today, you move from a state of unquantified liability to a state of technical enforcement. You gain the ability to answer the three questions every regulator will ask: What AI is being used? By whom? With what data?

The question for the board is no longer whether you need an AI inventory — but whether your inventory is based on human memory or technical reality.