
Shadow AI: The Ungoverned Data Leakage Path Boards Have Not Yet Assessed

Employees are pasting confidential data into unsanctioned AI tools daily, creating an ungoverned data leakage channel that most organisations have neither measured nor reported to their boards. This analysis shows how Defender for Cloud Apps exposes shadow AI usage and why governance - not just blocking - is the only defensible response.

INSIGHTS OF 2026
Practitioner Insight

Why Blocking Public AI Tools Is Not Enough: A Defender for Cloud Apps Deep Dive

Every organisation deploying Microsoft Copilot faces the same paradox: they want to harness AI productivity gains while preventing employees from pasting confidential data into ChatGPT, Google Gemini, Claude, and the dozens of other public AI tools available via any web browser. The instinct is to block these tools. The reality is that blocking alone creates a whack-a-mole problem that cannot be won, and Microsoft Defender for Cloud Apps (MDCA) provides the visibility to understand why.

The Shadow AI Problem

Shadow AI follows the same pattern as shadow IT, but moves faster. When employees discover that AI tools dramatically accelerate their work - drafting emails, summarising documents, generating code - they adopt them immediately. A 2025 Microsoft Work Trend Index report found that 78% of AI users bring their own tools to work, and 52% are reluctant to admit they use AI for important tasks.

The risk is not theoretical. When an employee pastes a client contract into ChatGPT to "summarise the key terms," that data enters OpenAI's infrastructure. When a developer pastes proprietary code into an AI coding assistant, the intellectual property boundary has been breached. When an HR team member uses an AI tool to draft redundancy communications, personal data crosses an uncontrolled boundary.

Defender for Cloud Apps: Discovery

MDCA provides the most comprehensive view of AI tool usage in any enterprise security platform. The discovery capability works at two levels:

Cloud Discovery (log-based): MDCA ingests firewall and proxy logs (from Zscaler, Palo Alto, or any SIEM-integrated appliance) and identifies traffic to known AI services. Navigate to Microsoft Defender XDR > Cloud Apps > Cloud discovery > Discovered apps and filter by category "Generative AI." MDCA maintains a catalogue of over 800 AI applications, each with a risk score based on compliance certifications, data residency, encryption, and terms of service.

Defender for Endpoint integration: For organisations using Microsoft Defender for Endpoint (MDE), MDCA receives signals directly from the endpoint agent without requiring proxy infrastructure. This is the recommended approach for hybrid and remote workforces. Under Settings > Cloud Apps > Cloud Discovery > Automatic log upload, enable the Defender for Endpoint integration. Every AI tool accessed from a managed device is now visible.

The discovery dashboard will reveal the true scale of shadow AI. In a typical 500-person organisation, we routinely discover 15-30 distinct AI tools in active use, including:

  • ChatGPT and OpenAI API
  • Google Gemini
  • Anthropic Claude
  • Perplexity AI
  • Midjourney and DALL-E (image generation)
  • GitHub Copilot (individual, not enterprise-managed)
  • Various AI transcription tools (Otter.ai, Fireflies.ai)
  • AI writing assistants (Jasper, Grammarly AI, Copy.ai)
  • AI coding tools (Cursor, Replit, Codeium)
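The log-based discovery described above reduces to matching proxy records against a list of AI service domains and totalling what each user sent to them. The sketch below is an added example, not MDCA's logic or Microsoft code: the log format, the user names, the five-entry domain list and the sanctioned set are all constructed assumptions.

```python
from collections import defaultdict
# Illustrative subset of generative-AI hosts (assumption; not MDCA's catalogue).
AI_APPS = {
    "chatgpt.com": "ChatGPT",
    "gemini.google.com": "Google Gemini",
    "claude.ai": "Anthropic Claude",
    "perplexity.ai": "Perplexity AI",
    "copilot.microsoft.com": "Microsoft Copilot",
}
SANCTIONED = {"Microsoft Copilot"}  # assumption: the tenant's sanctioned list
# Constructed proxy log lines: time user method host bytes_sent bytes_received
SAMPLE_LOG = """\
2026-01-12T09:01:07Z alice POST chatgpt.com 48213 1920
2026-01-12T09:03:44Z alice GET chatgpt.com 512 30411
2026-01-12T09:10:02Z bob POST api.perplexity.ai 2210 8450
2026-01-12T09:12:31Z carol POST copilot.microsoft.com 9100 15022
2026-01-12T09:15:00Z bob GET notclaude.ai 300 1200
2026-01-12T09:16:45Z dave POST claude.ai 120554 2048
malformed line
"""

def match_app(host):
    """Return the app name if host equals or is a subdomain of a listed domain."""
    host = host.lower().rstrip(".")
    for domain, app in AI_APPS.items():
        # Anchor on the label boundary so "notclaude.ai" does not match "claude.ai".
        if host == domain or host.endswith("." + domain):
            return app
    return None

def discover(log_text, upload_threshold=10_000):
    """Total bytes sent per (user, app); return unsanctioned pairs over the threshold."""
    sent = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[4].isdigit():
            continue  # skip malformed records rather than abort the run
        _, user, _, host, bytes_sent, _ = parts
        app = match_app(host)
        if app:
            sent[(user, app)] += int(bytes_sent)
    return sorted(
        (user, app, total) for (user, app), total in sent.items()
        if app not in SANCTIONED and total >= upload_threshold
    )

if __name__ == "__main__":
    for user, app, total in discover(SAMPLE_LOG):
        print(f"{user:<8}{app:<20}{total} bytes sent")
```

Bytes sent is only a proxy for upload volume; it shows who is pushing data to which tool, not what the data was.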

Creating Block Policies

Once you understand the landscape, MDCA allows you to create block policies. There are two enforcement mechanisms:

Access blocking via Defender for Endpoint: Under Cloud Apps > Cloud app catalogue, select an AI application and mark it as Unsanctioned. If MDE integration is active, the endpoint agent will block access to the application's domains at the DNS level. This is the most reliable method as it works regardless of network - at the office, at home, or on public Wi-Fi.

Session control via Conditional Access App Control: For web applications accessed through the browser, configure Conditional Access App Control policies in MDCA to block file uploads to unsanctioned AI tools. Navigate to Cloud Apps > Policies > Policy management > Create policy > Session policy. Set the activity type to "Upload" and the app filter to the generative AI category. This allows users to read AI tool output (for research) while blocking the upload of corporate data.

Policy template for AI blocking:

  1. Mark all generative AI apps as unsanctioned (blanket block)
  2. Create exceptions for sanctioned tools (Microsoft Copilot, enterprise GitHub Copilot)
  3. Configure session policies to block file uploads to any AI tool not explicitly sanctioned
  4. Enable real-time monitoring alerts for any new AI tool detected

App Governance for OAuth Consent

A frequently overlooked vector is OAuth consent. AI tools increasingly request Microsoft Graph permissions via OAuth - "Sign in with Microsoft" flows that grant the AI tool access to emails, files, or calendars. MDCA's App Governance module (under Cloud Apps > App governance) monitors OAuth consent grants and can:

  • Alert on any new OAuth app requesting Graph permissions
  • Block consent for apps in specific categories (including generative AI)
  • Revoke existing OAuth grants that were approved before the policy was in place
  • Enforce admin consent workflow, requiring IT approval before any OAuth grant is finalised

Configure this under Entra ID > Enterprise applications > Consent and permissions > User consent settings - set to "Do not allow user consent" and require admin approval for all OAuth grants.
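Grants approved before the consent policy was in place still need a review pass. The following added example (not Microsoft or MDCA code) triages an export of delegated permission grants; the records use the field names of Microsoft Graph's oauth2PermissionGrant resource, while the IDs, app names and the sensitive-scope subset are constructed assumptions.

```python
import json
from collections import defaultdict

# Delegated Graph scopes exposing mail, files or calendars (illustrative subset).
SENSITIVE = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All",
             "Files.ReadWrite.All", "Calendars.Read", "Calendars.ReadWrite"}

# Constructed export; all identifiers below are placeholders.
GRANTS = json.loads("""[
 {"id": "g1", "clientId": "sp-001", "consentType": "Principal",
  "principalId": "user-17", "scope": "openid profile User.Read"},
 {"id": "g2", "clientId": "sp-002", "consentType": "Principal",
  "principalId": "user-23", "scope": "Mail.Read Files.Read.All offline_access"},
 {"id": "g3", "clientId": "sp-003", "consentType": "AllPrincipals",
  "principalId": null, "scope": "Calendars.Read User.Read"},
 {"id": "g4", "clientId": "sp-002", "consentType": "Principal",
  "principalId": "user-40", "scope": "Mail.Read"}
]""")
# Hypothetical display names keyed by service principal id.
APP_NAMES = {"sp-001": "Example Sign-in Only App",
             "sp-002": "Example AI Notetaker",
             "sp-003": "Example Scheduling Assistant"}

def user_consented_risk(grants, app_names):
    """Per app: users who self-consented to sensitive scopes, and whether
    offline_access (refresh tokens, i.e. standing access) was also granted."""
    by_app = defaultdict(lambda: {"users": set(), "scopes": set(), "persistent": False})
    for g in grants:
        if g.get("consentType") != "Principal":
            continue  # AllPrincipals is tenant-wide admin consent, reviewed separately
        scopes = set((g.get("scope") or "").split())
        risky = scopes & SENSITIVE
        if not risky:
            continue  # sign-in-only grants are not the exposure discussed here
        entry = by_app[g["clientId"]]
        entry["users"].add(g["principalId"])
        entry["scopes"] |= risky
        entry["persistent"] |= "offline_access" in scopes
    return sorted(
        (app_names.get(cid, cid), len(e["users"]), sorted(e["scopes"]), e["persistent"])
        for cid, e in by_app.items()
    )

if __name__ == "__main__":
    for name, users, scopes, persistent in user_consented_risk(GRANTS, APP_NAMES):
        print(f"{name}: {users} user(s), scopes={scopes}, refresh_tokens={persistent}")
```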

Why Blocking Alone Does Not Solve the Problem

Here is the uncomfortable truth: blocking public AI tools without providing a sanctioned alternative guarantees non-compliance. Employees who have experienced the productivity gains of AI will find workarounds:

  • Personal devices: Block ChatGPT on corporate devices, and employees will use their phones to type in (or photograph) confidential information
  • VPN bypass: Sophisticated users will disconnect from corporate VPN to access blocked tools
  • Alternative tools: Block ChatGPT, and employees will switch to one of dozens of lesser-known alternatives that are not yet in MDCA's catalogue
  • Copy-paste via personal email: The most common workaround - email content to a personal account, then use AI tools on a personal device

The solution is a three-pronged strategy:

  1. Block: Use MDCA to block unsanctioned AI tools on corporate devices and networks
  2. Provide: Deploy Microsoft Copilot (or another sanctioned enterprise AI) with appropriate data governance controls, giving employees a legitimate productivity tool
  3. Monitor: Maintain continuous MDCA monitoring for new AI tool adoption, treating any new unsanctioned tool as a signal that the sanctioned tool is not meeting user needs

The organisations that succeed with AI governance are those that recognise blocking as a necessary but insufficient control. The firewall is one layer; the sanctioned alternative is the layer that actually changes behaviour. Without Copilot (or an equivalent), your block policy is a dam against a rising tide - it will hold for a while, but the pressure never stops building.