Shadow AI Audit (AI Usage at Work)
Anonymous inventory of which AI tools your employees actually use – with what data and through which accounts. The basis for your AI policy and tool approvals.
Shadow AI emerges when employees use AI tools without official approval – often with private accounts and sometimes with confidential data. Bans rarely help; transparency does. This audit anonymously captures which tools are in use, how often, through which accounts and which data types are entered. The result is an honest risk map from which you can derive tool approvals, training and a workable AI policy – also as a building block for ISO 27001 or your information security management.
When should you use this template?
This template is a great fit for:
- Before introducing or revising an AI policy
- As a risk inventory for information security and data protection (ISMS, GDPR)
- To identify demand for officially approved AI tools and licences
Every question in this template
- 1Consent
I understand that participation is voluntary and anonymous, and I take part. *
- 2Multiple choice
Which AI tools have you used for work tasks in the last three months? *
Multiple answers possible – occasional use counts too.
- ChatGPT
- Microsoft Copilot
- Google Gemini
- Claude
- DeepL / DeepL Write
- Image generators (e.g. Midjourney, DALL·E)
- 3Single choice
How often do you use AI tools for your work?
- Never
- Less than monthly
- Several times a month
- Several times a week
- Daily
- 4Single choice
Through which account do you mostly use AI tools?
- Private account (free)
- Private account (paid by myself)
- Account provided by the company
- Mixed
- I do not use AI tools
- 5Matrix
Which kinds of information have you entered into AI tools?
Please answer honestly – responses are anonymous.
Never Once Occasionally Regularly Internal documents or notes Personal data (customers or colleagues) Customer or partner data (e.g. offers, contracts) Source code or configurations Figures from finance or controlling - 6Single choice
Does our organisation have rules on using AI tools?
- Yes, and I know them
- Yes, but I am unsure what exactly applies
- No, there are no rules
- I don't know
- 7Single choice
Would you like more officially approved AI tools?
- Yes, urgently
- Yes, it would help
- No, current tools are enough
- Not sure
- 8Long text
Which AI use cases bring you the most value in your daily work?
From questionnaire to dashboard
In DataLion, the answers turn into a risk map of your organisation's AI usage – filterable by department and location:
- Tool adoption: Bar chart of the AI tools from the multiple-choice question – your real tool landscape instead of the assumed one.
- Risk heatmap: data types × frequency: The matrix question on data types as a heatmap instantly shows where confidential data regularly flows into unapproved tools.
- Account types: Share of private versus company accounts as a donut – the fastest indicator of uncontrolled data flows.
- Policy awareness: Stacked bars on awareness of AI rules, crossed with departments – shows where policy communication is missing.
- AI topic analysis of use cases: Analyse the open question on valuable use cases with AI topic analysis – this becomes your approval roadmap.
Related survey templates
- Employee Net Promoter Score (eNPS)Measure in just three questions how loyal your employees are and how likely they are to recommend your company as an employer.
- Psychosocial Risk Assessment (Workplace)Anonymous employee survey to fulfil the psychosocial risk assessment required under the German Occupational Safety Act (§5 ArbSchG), along the recognised GDA assessment areas.
- AI Literacy Assessment (EU AI Act Art. 4)Anonymous self-assessment of your employees' AI literacy – as a needs analysis and documentation basis for the training obligation under Article 4 of the EU AI Act.
- Employee SatisfactionAnonymous survey on the satisfaction and engagement of your employees – along the key drivers from tasks and leadership to work-life balance.
Frequently asked questions
What is shadow AI?
Why should the audit be anonymous?
What do we do with the results?
Start with this template
Load the template into DataLion, adapt it to your brand and start collecting responses — GDPR-compliant, in minutes.