SAMPLE
Shadow AI Risk Report

Unapproved AI tools and regulatory exposure

Prepared on: April 30, 2026
Report ID: UMB-2026-04-1837
Headcount: 50–250 employees
Active departments: Legal, Finance, or HR
AI policy: Not sure
State(s) of operation: Colorado
EU exposure: Yes

Regulatory exposure
Colorado AI Act SB26-189: exposed
California CPPA ADMT regulations (Cal. Code Regs. tit. 11, Art. 11): exposed
EU AI Act (Reg 2024/1689): exposed
Massachusetts Data Security Regulation (201 CMR 17.00): not exposed
About this report
What it is
An assessment of AI tools currently in use across your organization, with regulatory exposure measured against the four frameworks above. AI-assisted analysis. Human-reviewed before delivery. Based on technology spend data submitted by your organization.
What was reviewed
Vendor names and product descriptions from technology spend records you provided, cross-referenced against vendor-published data processing agreements, regulatory enforcement records, and current statutory text as of the issue date.
How exposure is determined
Each of the four frameworks is assessed against your stated organization profile and the AI tools identified in your data. Frameworks marked exposed currently apply to your operations. Frameworks marked not exposed do not apply at this time. All four frameworks are assessed in every Umbravi report so this document remains useful as your operations change.
What it produces
An inventory of identified AI tools with risk assessment per tool, a regulatory exposure assessment per framework, a Regulatory Exposure Score, and a prioritized action plan.
What it isn't
This report is a risk assessment for informational purposes. It is not legal advice. It identifies exposure surface — not violations. It does not guarantee regulatory immunity. Final compliance determinations require qualified counsel.
Data handling
Source files are purged within 14 days of report delivery. We do not use customer data for AI model training.
Questions or verification
Reference your Report ID and contact hello@umbravi.io.
Findings at a glance
Ten AI tools identified, six high-risk. Three of the four frameworks assessed apply to your operations.
Most urgent items appear in the first three rows of the tool table below.
Regulatory Exposure Score: 38/100 (high exposure)
AI tools detected: 10
High risk: 6
Medium risk: 3
Low risk: 1
Executive summary

Findings overview

This report is generated from an analysis of your technology spend data, cross-referenced against vendor-published data processing agreements, regulatory enforcement records, EU AI Act Annex III classifications, and public AI tool registries. Findings are mapped against the frameworks that apply to your stated organization profile.

Your spending data reveals ten AI tools in active use across your organization, including three Shadow AI deployments — Monica.im, Otter.ai, and Fireflies.ai — operating without IT approval gates. Two of the ten are embedded AI features inside tools you already license (Microsoft 365 Copilot and GitHub Copilot Business) that warrant tenant-level review. Six tools present immediate exposure under the Colorado AI Act, California CPPA ADMT regulations, or EU AI Act.
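How an inventory like this one can be derived from spend records, as an added illustration that is not Umbravi's tooling or scoring method: the Python script below matches merchant and description fields of a constructed card-spend export against a constructed registry of known AI vendors, folds repeat charges into one finding per tool, flags tools that have no approval gate or that appear as consumer-tier personal subscriptions on company cards, and tallies the result by risk tier. The registry, its match patterns and approval flags, the consumer-plan markers and the sample transactions are all assumptions for the demonstration; the report does not publish its score formula, so none is implemented here.

```python
"""Shadow AI discovery from card-spend records (illustrative, not Umbravi's tooling)."""
import csv
import io
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed registry covering a subset of the tools in the report. Risk tiers
# follow the tool table; the match patterns, approval status and the consumer-plan
# markers below are assumptions for this demonstration, not a published list.
AI_VENDOR_REGISTRY = {
    "Monica.im":               {"pattern": r"\bmonica\b",              "risk": "high",   "approved": False},
    "Fireflies.ai":            {"pattern": r"\bfireflies\b",           "risk": "high",   "approved": False},
    "Otter.ai":                {"pattern": r"\botter\b",               "risk": "medium", "approved": False},
    "OpenAI":                  {"pattern": r"\b(openai|chatgpt)\b",    "risk": "high",   "approved": True},
    "Cursor.sh":               {"pattern": r"\bcursor\b",              "risk": "high",   "approved": True},
    "GitHub Copilot Business": {"pattern": r"\bgithub\b.*\bcopilot\b", "risk": "medium", "approved": True},
}
# Plan names that indicate a personal, consumer-tier subscription (assumption).
CONSUMER_PLAN_RE = re.compile(r"\b(plus|personal)\b", re.IGNORECASE)

# Constructed sample export; merchants, card holders and amounts are invented.
SAMPLE_SPEND = """date,merchant,description,card_holder,department,amount_usd
2026-03-02,MONICA.IM,Monica browser assistant monthly,j.park,Legal,19.00
2026-03-05,FIREFLIES.AI,Fireflies Business annual,hr-shared,HR,456.00
2026-03-07,OPENAI,CHATGPT PLUS,a.singh,Marketing,20.00
2026-03-07,OPENAI,CHATGPT PLUS,m.lopez,Operations,20.00
2026-03-09,OTTER.AI,Otter Business monthly,r.chen,Finance,30.00
2026-03-11,GITHUB,GitHub Copilot Business 22 seats,eng-admin,Engineering,418.00
2026-03-14,AMAZON WEB SERVICES,EC2 usage,platform,Engineering,1203.55
2026-03-15,CURSOR,Cursor Business seats,eng-admin,Engineering,640.00
"""


@dataclass
class ToolFinding:
    tool: str
    risk: str
    approved: bool
    instances: int = 0
    departments: Set[str] = field(default_factory=set)
    consumer_accounts: List[Tuple[str, str]] = field(default_factory=list)  # (card_holder, department)

    @property
    def shadow(self) -> bool:
        # Shadow AI per the report's glossary: no IT approval gate, or a personal
        # consumer-tier account paid for on a company card.
        return (not self.approved) or bool(self.consumer_accounts)


def match_vendor(merchant: str, description: str) -> Optional[str]:
    """Return the registry name for a spend line, or None for a non-AI merchant."""
    haystack = f"{merchant} {description}".lower()
    for name, entry in AI_VENDOR_REGISTRY.items():
        if re.search(entry["pattern"], haystack):
            return name
    return None


def scan_spend(csv_text: str) -> Dict[str, ToolFinding]:
    """Fold individual card transactions into one finding per AI tool."""
    findings: Dict[str, ToolFinding] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = match_vendor(row["merchant"], row["description"])
        if name is None:
            continue
        entry = AI_VENDOR_REGISTRY[name]
        finding = findings.setdefault(name, ToolFinding(name, entry["risk"], entry["approved"]))
        finding.instances += 1
        finding.departments.add(row["department"])
        if CONSUMER_PLAN_RE.search(row["description"]):
            finding.consumer_accounts.append((row["card_holder"], row["department"]))
    return findings


def summarize(findings: Dict[str, ToolFinding]) -> dict:
    """Counts by risk tier plus the Shadow AI and personal-account lists."""
    by_risk = Counter(f.risk for f in findings.values())
    return {
        "tools": len(findings),
        "high": by_risk["high"],
        "medium": by_risk["medium"],
        "low": by_risk["low"],
        "shadow": sorted(f.tool for f in findings.values() if f.shadow),
        "consumer_accounts": {f.tool: f.consumer_accounts for f in findings.values() if f.consumer_accounts},
    }


if __name__ == "__main__":
    found = scan_spend(SAMPLE_SPEND)
    for name, f in found.items():
        flag = "SHADOW" if f.shadow else "managed"
        print(f"{name:24} {f.risk:6} {flag:8} x{f.instances} {sorted(f.departments)}")
    print(summarize(found))
```

Real exports will need the registry widened and the merchant strings normalised for card-processor abbreviations; the point of keeping the match as a regex over merchant plus description is that the same rule catches both a vendor's own billing entry and an app-store or reseller line that only names the product.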

Your Regulatory Exposure Score is 38 out of 100, placing you in the High Exposure band. The score is a readiness measure, so a lower number means higher exposure; the action plan at the end of this report targets 70 or above. The score reflects the combination of unmanaged Shadow AI tools, consumer-tier OpenAI accounts on company cards, and an AI policy status of "Not sure", meaning your team likely lacks documented guardrails on tool approval and data handling.

The Colorado AI Act (SB26-189) takes effect January 1, 2027, putting your organization in scope as of that date. Because your most active departments are Legal, Finance, and HR, several tools in your inventory process information used for consequential employment, financial, or legal decisions, the exact use cases the Act regulates. The ADMT-specific obligations of the California CPPA ADMT regulations start on the same date for organizations meeting the CCPA business threshold; your headcount and the typical California exposure for an organization of your size presumptively place you in scope (verify this against actual revenue and California consumer counts), and the risk-assessment obligations are already running. The EU AI Act applies to your operations based on your stated EU exposure, with Annex III obligations attaching to AI systems used in employment-related decisions from August 2, 2026. Your most urgent actions are documenting an AI usage policy, banning Monica.im, and migrating consumer-tier OpenAI accounts to a controlled enterprise tier. The full action plan appears at the end of this report.

Regulatory exposure

Framework-by-framework assessment

Colorado AI Act SB26-189
exposed

Your organization operates in Colorado, which places you within the jurisdiction of the Colorado AI Act, effective January 1, 2027. The statute regulates "covered ADMT" — automated decision-making technology that materially influences a consequential decision in employment, education, lease or purchase of Colorado residential real estate, financial or lending services, insurance, healthcare services, or essential government services and public benefits. Deployer obligations include pre-use consumer notice, post-adverse-outcome disclosure, consumer right to correction of inaccurate data, and meaningful human review to the extent commercially reasonable. Enforcement is exclusively by the Colorado Attorney General under the Colorado Consumer Protection Act; a 60-day cure period applies (waivable for knowing or repeated violations) and there is no private right of action. The Colorado AG is conducting rulemaking on multiple required topics through 2026, which will further specify implementation.

Because your most active departments are Legal, Finance, and HR, the Colorado AI Act's consequential-decisions framing applies directly to several tools in your inventory. Tools that ingest, transcribe, or process personal information about identifiable individuals (Fireflies.ai, Otter.ai, Glean, and the Microsoft 365 Copilot deployment) carry the most direct obligations wherever their output feeds a hiring, compensation, lending, or legal outcome for those individuals; the tool itself is not regulated, the decision workflow that consumes its output is. Note that general-purpose AI chatbots are conditionally excluded from ADMT scope only when both (a) not configured or marketed for consequential decisions and (b) subject to an acceptable use policy prohibiting such use. Your AI policy status of "Not sure" means the second condition is presumptively unmet, putting general-purpose AI tools in scope. See the tool-by-tool assessment below for specific recommendations.

California CPPA ADMT regulations Cal. Code Regs. tit. 11, Art. 11
exposed

The California Privacy Protection Agency's ADMT regulations apply to businesses meeting the CCPA business threshold: $25M+ annual revenue, or processing personal information of 100,000+ consumers or households, or deriving 50%+ of revenue from selling or sharing personal information. For an organization of your headcount band with customers or staff outside Colorado (your EU exposure indicates you are not a single-state operation), California consumers, employees, or applicants are typical, and this report presumes the threshold is met. Confirm that against your actual revenue and California consumer counts; if none of the three prongs is met, this framework does not apply to you. The regulations themselves took effect January 1, 2026, with ADMT-specific obligations (pre-use notice, opt-out rights, access rights) effective January 1, 2027. Risk-assessment obligations for "significant risk" processing, including using or training ADMT for significant decisions, are running now, with assessments for ongoing 2026-2027 processing due to be completed by December 31, 2027 and a summary attestation to the CPPA due April 1, 2028. CCPA penalties are up to $2,500 per violation, up to $7,500 per intentional violation or per violation involving a minor.

ADMT under California's regulations is defined more narrowly than Colorado's — California's trigger requires the technology to replace or substantially replace human decision-making, which fails if a human reviewer (a) knows how to interpret the output, (b) reviews the output and other relevant information, and (c) has authority to make or change the decision. Tools where human review is present but cursory still trigger ADMT obligations. Significant-decision domains under California's regulations include financial or lending services, housing, education enrollment or opportunities, employment or independent-contracting opportunities or compensation, and healthcare services; advertising is explicitly excluded. Tools in your inventory most likely to trigger California ADMT obligations are those used in HR and employment workflows where human review is undocumented — Glean, Microsoft 365 Copilot in HR-facing use, and meeting intelligence platforms used in recruiting or performance review. Tools used to train ADMT on personal information also fall under risk-assessment obligations even if not directly used in significant decisions.

EU AI Act Regulation 2024/1689
exposed

Your stated profile indicates EU exposure — customers, employees, or operations within the EU. The EU AI Act applies to any provider or deployer of AI systems whose output is used within the EU, regardless of where the organization is based. Phased obligations are in effect: prohibited-practice provisions have applied since February 2, 2025; general-purpose AI governance obligations took effect August 2, 2025; high-risk obligations under Annex III apply from August 2, 2026. Penalties for high-risk violations reach €15M or 3% of global annual turnover, whichever is higher.

Several tools in your inventory fall within EU AI Act scope. Tools used in employment-related decisions sit squarely within Annex III high-risk categories, including Glean (when its retrieval output is used for HR decisions) and meeting intelligence platforms used for performance or recruiting reviews. Tools generating public-facing content (Jasper AI, Adobe Firefly) trigger Article 50 transparency-labeling obligations. Tools embedded in employee workflows (Cursor.sh, Microsoft 365 Copilot, GitHub Copilot, OpenAI) are not high-risk by default, but each needs to be inventoried with its intended use documented so that any use that does fall under Annex III can be identified; Article 13 transparency and documentation obligations attach only to that high-risk use. Documentation gaps are the most immediate exposure.

AI tool inventory

Tool-by-tool risk assessment

Tool | Threat | Recommendation and regulatory context
Monica.im | Browser extension, shadow IT | high
Recommendation: Ban immediately. Remove from all endpoints.
Browser extension with persistent clipboard and page-read access, so anything an employee copies or views in the browser, including content from other SaaS tools and webmail, can leave the organization. No enterprise Data Processing Agreement (DPA) available. Colorado AI Act: in scope where its output feeds HR or Legal consequential decisions, and with no acceptable use policy in place the general-purpose chatbot exclusion does not apply. EU AI Act: without a DPA or vendor documentation the tool cannot be inventoried or assessed for high-risk use, which is the first thing Article 13 transparency obligations would require if such use exists.
Fireflies.ai | Meeting transcription | high
Recommendation: Require signed DPA before next meeting recording.
Ingests and stores full meeting transcripts, including proprietary discussions. Default plan trains on customer data. Colorado AI Act obligations attach where transcripts of identifiable participants feed consequential decisions (recruiting interviews, performance conversations, legal matters); in those workflows the deployer notice and human-review duties apply to the decision, not just to the recording.
Glean | Enterprise AI search | high
Recommendation: Audit data connectors. Disable until reviewed.
Enterprise AI search indexes all connected SaaS data (Drive, Slack, email). The scope of ingestion typically exceeds what employees or counsel understand, and the search surface makes any over-permissioned content in the connected sources discoverable to everyone who can query it. EU AI Act Annex III treats AI used for recruitment, selection, promotion, termination, task allocation or performance evaluation as high-risk; Glean falls into that category where HR relies on its retrieval output for those decisions, so you need a documented inventory of connected and indexed data sources to show which uses exist. California CPPA ADMT applies to HR-facing knowledge retrieval that bears on significant employment decisions; risk-assessment obligations are already running.
Cursor.sh | AI code editor | high
Recommendation: Enable Privacy Mode in settings. Verify with Engineering lead.
AI code editor that sends code context, including proprietary logic, to remote model providers by default. Standard plan does not exclude customer code from training. Colorado AI Act applies only if generated code is used in consequential decisions, which is unlikely here; the immediate exposure is intellectual property and source-code confidentiality under your employment and customer agreements.
OpenAI | ChatGPT consumer plan (2 personal accounts) | high
Recommendation: Ban personal accounts on company cards. Migrate to ChatGPT Team or Enterprise.
Personal Plus accounts opt into model training by default, and the company has no admin visibility or control over what is pasted into them. Two instances appear on Marketing and Operations cards. Colorado AI Act: general-purpose chatbots are excluded from ADMT scope only under an acceptable use policy that bars consequential-decision use, which you do not currently have. EU AI Act: the accounts must be inventoried with their intended use documented so that any high-risk use can be identified.
Microsoft 365 (Copilot) | Embedded AI, 87 seats | high
Recommendation: Document Copilot data residency. Review tenant-level data sharing.
Copilot is enabled tenant-wide across 87 seats including HR and Finance. It answers from everything the signed-in user can already access, so over-shared SharePoint and OneDrive content becomes immediately discoverable through prompts; review sharing settings before assuming the permission model protects you. Colorado AI Act applies because Copilot output is used in consequential employment, financial, and legal workflows. California CPPA ADMT applies to Copilot use in HR and finance workflows that touch significant decisions. EU AI Act Annex III imposes high-risk obligations when used in HR decisions affecting EU subjects.
Jasper AI | Marketing content generation | medium
Recommendation: Enable Enterprise Privacy Mode. Add to AI inventory.
Business plan does not train on customer data. EU AI Act Art. 50 requires AI-generated images, audio and video to be marked as such, and AI-generated text published to inform the public on matters of public interest to be disclosed unless it has passed human review with editorial responsibility; document that review step for marketing copy so the exemption can be shown.
Otter.ai | Meeting transcription | medium
Recommendation: Restrict to internal meetings. Update retention policy.
Transcripts stored on Otter servers for one year by default. Recording customer-facing calls raises call-recording consent and notice obligations independent of the AI Act; Colorado AI Act obligations attach where transcripts feed consequential decisions. Lower threat level than Fireflies.ai because Otter is not configured for enterprise-wide auto-recording in your inventory.
GitHub Copilot Business | Embedded AI, 22 developers | medium
Recommendation: Verify Business tier excludes customer code from training.
Copilot Business by default does not retain or train on customer code suggestions. Verify your tenant configuration matches the default, check the organization's "Suggestions matching public code" policy, and confirm no developers are also paying for individual Copilot subscriptions outside the Business tenant. Colorado AI Act deployer documentation obligations apply only if Copilot output is used in consequential decisions.
Adobe Creative Cloud | Embedded AI, Firefly | low
Recommendation: Verify "Content Analysis" opt-out is enabled in admin console.
Firefly and Sensei AI features are on by default. Admin opt-out is available. Low risk if enterprise agreement is in place. Must still appear in your AI inventory for EU AI Act Art. 50 documentation completeness when used to generate public-facing creative content.
Action plan

Recommended actions

Week 1 — immediate
Containment
  • Ban Monica.im across all endpoints
  • Migrate OpenAI to Team or Enterprise tier
  • Enable Cursor Privacy Mode
  • Disable Glean data connectors pending review
Weeks 2–3 — remediation
Documentation and review
  • Sign DPAs with Fireflies.ai and Glean
  • Audit Glean-indexed data sources
  • Verify Microsoft 365 Copilot tenant settings
  • Restrict Otter.ai to internal meetings
  • Begin AI Tool Inventory document
Week 4+ — governance
Program build-out
  • Publish company-wide AI usage policy
  • Schedule monthly Shadow AI re-scan
  • Target Regulatory Exposure Score: 70+
  • Brief leadership ahead of August 2, 2026
Terms used in this report
DPA
Data Processing Agreement. A contract between a service provider and a customer that defines how the provider may handle the customer's data, including processing limits, retention rules, and security obligations.
ADMT
Automated Decision-Making Technology. Used in both the Colorado AI Act (SB26-189) and California CPPA regulations to refer to technologies that influence or make consequential decisions. Colorado's trigger is "materially influences"; California's is "replaces or substantially replaces human decision-making." The two definitions are not identical and may surface different findings against the same tool.
CCPA / CPPA
The California Consumer Privacy Act (CCPA) is the underlying California privacy statute. The California Privacy Protection Agency (CPPA) is the state regulator that promulgates regulations under the CCPA, including the ADMT regulations referenced in this report. Customer-facing references say "California CPPA ADMT regulations" to distinguish the regulations from the underlying statute.
WISP
Written Information Security Program. A documented set of administrative, technical, and physical safeguards required by the Massachusetts Data Security Regulation (201 CMR 17.00) for any organization that holds personal information about Massachusetts residents.
Annex III
The schedule of high-risk AI system categories within the EU AI Act, including biometrics, employment, education, essential services, and law enforcement. Systems falling under Annex III are subject to risk management, documentation, and human-oversight obligations.
Article 13 / Article 50
EU AI Act sections. Article 13 sets transparency and documentation obligations for high-risk AI systems. Article 50 sets transparency-labeling obligations for AI-generated content (text, images, audio, video) intended to be made public.
GPAI
General-Purpose AI. Foundation-model AI systems capable of being adapted to many downstream applications. Subject to a separate governance regime under the EU AI Act, with obligations effective August 2, 2025.
Shadow AI
AI tools and features used inside an organization without IT approval, governance review, or inclusion in formal tool inventories. Common examples include browser-extension AI assistants, AI features embedded in consumer SaaS plans, and personal AI accounts used for business purposes.
Important notice. This report provides technical and operational risk guidance only. It does not constitute legal advice, a formal compliance certification, or a guarantee of regulatory immunity. Findings are based on the technology spend data you submitted, publicly available vendor data processing agreements, and current regulatory classifications — not a live audit of your systems. Umbravi is a risk readiness service, not a licensed auditor. Engaging qualified legal counsel is recommended before making formal compliance representations to regulators, investors, or enterprise customers.
Report generated April 30, 2026  ·  Report ID UMB-2026-04-1837  ·  Umbravi by Kango Labs LLC