⚠️ EU AI Act Deadline: 8 months (August 2, 2026). 40-60% of AI systems are shadow AI.

Shadow AI Discovery

Find every AI system in your organization, even the ones you didn't know existed

  • 11 Compliance Checks
  • MIR Professional Playbook
  • 4-6 Weeks to Complete
  • 100% Coverage Guarantee

Why Shadow AI Discovery is Critical

You can't govern what you can't see. Shadow AI is the #1 compliance risk for organizations today.

The Shadow AI Problem

📊 Industry Data:

  • 40-60% of AI systems are shadow AI (Gartner, 2024)
  • 73% of organizations don't have complete AI inventory
  • €35M or 7% revenue penalty for non-compliance (EU AI Act)
  • First compliance requirement in EU AI Act Article 71

🚨 Common Shadow AI Examples:

  • Employees using ChatGPT, Claude, Copilot without approval
  • Third-party SaaS tools with embedded AI (Salesforce Einstein, etc.)
  • Departmental ML models built by data teams
  • Legacy AI systems with no current ownership
  • Acquired companies' AI systems
  • API calls to AI services (OpenAI, Google, AWS)

⚖️ Regulatory Requirements:

  • EU AI Act Article 71: AI System Database registration mandatory
  • EU AI Act Article 6: Risk classification required for all systems
  • ISO 42001 Section 4.1: Complete AI context assessment
  • NIST AI RMF MAP 1.1: AI inventory as foundation

Business Impact of Shadow AI

💰 Financial Risks:

  • €35M fines for EU AI Act non-compliance
  • $10M+ penalties for bias violations (NYC LL144)
  • Lost revenue from compliance delays
  • Audit failures due to incomplete inventory

⚠️ Operational Risks:

  • Ungoverned AI making business decisions
  • No oversight of model performance or drift
  • Data leakage to external AI services
  • Inconsistent standards across departments

🎯 Strategic Risks:

  • Can't build AI governance without inventory
  • Can't prioritize high-risk systems
  • Can't measure AI compliance progress
  • Can't deploy new AI safely

What You Get with Shadow AI Discovery

Comprehensive AI system inventory built using proven professional methodology

Complete AI Inventory

  • ✓ Every AI system documented
  • ✓ Business purpose identified
  • ✓ Risk level classified
  • ✓ Ownership assigned
  • ✓ Data sources mapped
  • ✓ Deployment status tracked

Risk Classification

  • ✓ EU AI Act risk levels (High/Limited/Minimal)
  • ✓ Prohibited use case screening
  • ✓ High-risk criteria assessment
  • ✓ Regulatory applicability matrix
  • ✓ Compliance roadmap per system
  • ✓ Priority ranking for governance

Audit-Ready Reports

  • ✓ AI System Inventory Report
  • ✓ Risk Classification Matrix
  • ✓ Regulatory Applicability Summary
  • ✓ Shadow AI Exposure Analysis
  • ✓ Governance Gap Assessment
  • ✓ Executive Dashboard

Deliverables Timeline

Week 1-2: Discovery kickoff, data collection screens, stakeholder interviews
Week 3-4: System identification, risk classification, ownership assignment
Week 5-6: Report generation, executive review, compliance roadmap
Ongoing: Continuous inventory updates, new system onboarding

Why TrustRail is Different

Professional playbook methodology vs automated scanning tools

| Capability | Other Vendors (Automated Scanning) | TrustRail (MIR Playbook) |
|---|---|---|
| Discovery Method | ❌ Network scanning for AI APIs. Misses 60-70% of shadow AI | ✓ Systematic data collection guided by MIR Playbook. Comprehensive methodology covers all AI sources |
| What Gets Found | ❌ Only AI with network traffic. Misses SaaS AI, desktop tools, manual processes | ✓ All AI including SaaS, APIs, models, manual. Comprehensive coverage across all categories |
| Risk Classification | ❌ Generic risk scoring algorithm. Not aligned with EU AI Act definitions | ✓ EU AI Act Article 6 risk classification. Exact regulatory requirements mapped |
| Data Collection | ❌ Upload your spreadsheet. No guidance on what data to collect | ✓ Guided screens show exactly what's needed. Every field mapped to compliance requirement |
| Business Context | ❌ Technical metadata only. No business purpose or impact analysis | ✓ Full business context captured. Purpose, stakeholders, decisions, impacts |
| Methodology | ❌ Black box algorithm. Can't explain to auditors | ✓ Professional MIR Playbook methodology. Transparent, repeatable, auditor-approved |
| Reports | ❌ Export to CSV/PDF. You format for compliance | ✓ Compliance-ready from day 1. Accepted by auditors immediately |
| Expert Support | ❌ Documentation + support tickets. DIY approach | ✓ Professional services available. We do your first assessment with you |
| Time to Complete | ❌ 6-12 months (DIY). Trial and error process | ✓ 4-6 weeks (guided). Proven methodology accelerates completion |

MIR Playbook Methodology

Not generic checklists. Our Model Inventory & Registration (MIR) Playbook provides comprehensive, battle-tested methodology.

  • ✓ Used in real financial services implementations
  • ✓ Auditor-approved process
  • ✓ Covers all AI types (not just ML models)

Manual Assessment Process

Automated scanning misses 60-70% of shadow AI. We guide you through systematic data collection across all sources.

  • ✓ Human expertise > algorithms
  • ✓ Captures business context
  • ✓ Finds AI in SaaS, Excel, manual processes

Jump Start Available

Professional services team does your first Shadow AI Discovery assessment with you. Transfer knowledge to your team.

  • ✓ 4-6 weeks vs 6-12 months DIY
  • ✓ Compliance-ready from day 1
  • ✓ Training included

How Shadow AI Discovery Works

MIR Playbook guides you through a comprehensive assessment process

Assessment Process

Our proprietary MIR Playbook guides you through a comprehensive, systematic assessment process designed specifically for AI compliance:

Organization Context Assessment

Understand your organization's AI landscape, governance structure, and stakeholder environment

Systematic AI Discovery

Professional methodology ensures complete coverage across all AI sources: SaaS platforms, internal models, third-party APIs, and employee tools

Comprehensive System Documentation

Capture business purpose, decisions, data sources, ownership, and technical details for each AI system

EU AI Act Risk Classification

Article 6 compliant risk assessment determining prohibited, high-risk, limited-risk, and minimal-risk categorization

Audit-Ready Reporting

Generate compliance-ready inventory reports, risk matrices, and regulatory roadmaps accepted by auditors

Professional Assessment Experience

Our MIR Playbook provides guided assessment screens that show you exactly what information to collect and why it matters for compliance:

✓ Guided Data Collection

Professional assessment screens walk you through systematic discovery across all AI sources in your organization

✓ Compliance Mapping

Every question is tied to specific regulatory requirements; you always know why you're providing information

✓ Business Context Capture

Unlike automated scanning, our methodology captures the business purpose, stakeholders, and impacts of each AI system

💡 Our professional methodology ensures completeness while making the process efficient and transparent

Typical Implementation Timeline

Week 1: Discovery

  • Kickoff meeting
  • Stakeholder interviews
  • Data collection screens
  • Initial system identification

Week 2: Documentation

  • System profiling
  • Risk classification
  • Ownership assignment
  • Compliance gap analysis

Week 3: Reporting

  • Report generation
  • Executive review
  • Compliance roadmap
  • Handoff & training

11 Compliance Checks Addressed

Shadow AI Discovery is the foundation for multiple compliance requirements

EU AI Act (4 checks)

EU-001: AI System Inventory & Identification
Article 71 - EU Database registration requires complete inventory
EU-002: AI Risk Classification
Article 6 - Risk-based system classification (High/Limited/Minimal)
EU-003: Prohibited AI Use Case Identification
Article 5 - Screen for prohibited practices
EU-017: AI System Registration Readiness
EU database registration obligations

ISO 42001 (4 checks)

ISO-001: AI Management System Scope Definition
Section 4.1 - Define AI systems within scope
ISO-002: Organizational & AI Context Assessment
Section 4.2 - Understand AI context and stakeholders
ISO-005: Roles & Responsibilities
Section 5.3 - Assign AI system ownership

NIST AI RMF (3 checks)

NIST-001: AI Inventory (MAP 1.1)
Document AI systems and their intended purposes
NIST-002: AI Categorization (MAP 1.2)
Categorize AI systems by type and impact
NIST-003: Context Mapping (MAP 1.3)
Map organizational context and stakeholders
NIST-010: Accountability (GOVERN 1.3)
Assign clear accountability for AI systems

MIR Playbook: What's Inside

Model Inventory & Registration Playbook - Battle-tested methodology from real implementations

Playbook Structure

  • Comprehensive Professional Methodology
    Multi-section framework covering organization context through final reporting
  • Extensively Documented Process
    Detailed guidance for every assessment step developed from real-world implementations
  • Guided Assessment Screens
    Professional data collection forms ensure completeness
  • 11 Compliance Requirements Mapped
    Every step tied to specific EU AI Act, ISO 42001, and NIST AI RMF regulations
  • Professional Report Templates
    Audit-ready outputs included

Why MIR Works

✓ Proven in Banking

Used by banks and fintech companies for EU AI Act readiness

✓ Auditor-Approved Process

Big 4 consulting firms accept MIR methodology and reports

✓ Covers All AI Types

Not just ML models - includes GenAI, decision engines, RPA, etc.

✓ Continuously Updated

Evolved with regulatory guidance and real-world learnings

Sample Report Outputs

📊 AI System Inventory Report

Complete listing of all AI systems with:

  • System name and identifier
  • Business purpose
  • Risk classification
  • Ownership
  • Deployment status
  • Compliance requirements

⚖️ Risk Classification Matrix

EU AI Act Article 6 assessment showing:

  • High-risk systems (Annex III)
  • Limited-risk systems
  • Minimal-risk systems
  • Prohibited use cases
  • Regulatory applicability
  • Priority for governance

🚨 Shadow AI Exposure Report

Analysis of ungoverned AI including:

  • % of shadow AI discovered
  • High-risk shadow systems
  • Data exposure risks
  • Governance gaps
  • Remediation priorities
  • Timeline for compliance

Get Started with Shadow AI Discovery

Choose the option that fits your needs

Platform Only

$2,500/mo

Self-service access to MIR Playbook and platform

  • ✓ Full MIR Playbook access
  • ✓ Guided assessment screens
  • ✓ Report generation
  • ✓ Documentation & support
  • – No expert support
  • – DIY timeline: 4-6 weeks

Platform + Services (Recommended)

$25,000+

Expert-led first assessment + platform access

  • ✓ Everything in Platform
  • ✓ We do it with you
  • ✓ Expert guidance throughout
  • ✓ Stakeholder interviews
  • ✓ Knowledge transfer
  • ✓ Guided timeline: 4-6 weeks

Enterprise

Custom

Ongoing support for large organizations

  • ✓ Everything in Services
  • ✓ Dedicated account team
  • ✓ Continuous inventory updates
  • ✓ New system onboarding
  • ✓ Quarterly reviews
  • ✓ Multi-year contracts

Shadow AI Discovery Outcomes

❌ Without TrustRail

  • 6-12 months manual discovery
    Internal teams interviewing departments, reviewing systems
  • $200K-$500K in consulting fees
    Big 4 rates: $300-$500/hour for AI compliance experts
  • Only 60-70% coverage achieved
    Shadow AI remains hidden, compliance gaps persist
  • €35M penalty risk remains
    EU AI Act Article 71 non-compliance: incomplete inventory

✅ With TrustRail MIR Playbook

  • 4-6 weeks complete inventory
    Systematic data collection guided by expert playbook
  • Fixed scope, predictable cost
    Professional services included, no hourly billing surprises
  • 100% coverage guarantee
    All AI systems discovered including shadow AI
  • EU AI Act Article 71 compliant
    Audit-ready documentation, certification-ready database

Your ROI with TrustRail

  • 10-50x: Faster than manual discovery
  • $200K+: Savings vs. Big 4 consulting
  • 100%: Coverage guarantee (vs. 60-70%)

Ready to Find Your Shadow AI?

Get complete AI system inventory in 4-6 weeks with expert guidance

Free consultation • No obligation • 2-3 week typical timeline