Shadow AI Audit (AI Usage at Work)

Anonymous inventory of which AI tools your employees actually use – with what data and through which accounts. The basis for your AI policy and tool approvals.

Shadow AI Audit (AI Usage at Work) – questionnaire preview

Shadow AI emerges when employees use AI tools without official approval – often with private accounts and sometimes with confidential data. Bans rarely help; transparency does. This audit anonymously captures which tools are in use, how often, through which accounts and which data types are entered. The result is an honest risk map from which you can derive tool approvals, training and a workable AI policy – also as a building block for ISO 27001 or your information security management.

When should you use this template?

This template is a great fit for:

  • Before introducing or revising an AI policy
  • As a risk inventory for information security and data protection (ISMS, GDPR)
  • To identify demand for officially approved AI tools and licences

Every question in this template

  1. 1

    I understand that participation is voluntary and anonymous, and I take part. *

    Consent
  2. 2

    Which AI tools have you used for work tasks in the last three months? *

    Multiple answers possible – occasional use counts too.

    Multiple choice
    • ChatGPT
    • Microsoft Copilot
    • Google Gemini
    • Claude
    • DeepL / DeepL Write
    • Image generators (e.g. Midjourney, DALL·E)
  3. 3

    How often do you use AI tools for your work?

    Single choice
    • Never
    • Less than monthly
    • Several times a month
    • Several times a week
    • Daily
  4. 4

    Through which account do you mostly use AI tools?

    Single choice
    • Private account (free)
    • Private account (paid by myself)
    • Account provided by the company
    • Mixed
    • I do not use AI tools
  5. 5

    Which kinds of information have you entered into AI tools?

    Please answer honestly – responses are anonymous.

    Matrix
    NeverOnceOccasionallyRegularly
    Internal documents or notes
    Personal data (customers or colleagues)
    Customer or partner data (e.g. offers, contracts)
    Source code or configurations
    Figures from finance or controlling
  6. 6

    Does our organisation have rules on using AI tools?

    Single choice
    • Yes, and I know them
    • Yes, but I am unsure what exactly applies
    • No, there are no rules
    • I don't know
  7. 7

    Would you like more officially approved AI tools?

    Single choice
    • Yes, urgently
    • Yes, it would help
    • No, current tools are enough
    • Not sure
  8. 8

    Which AI use cases bring you the most value in your daily work?

    Long text

From questionnaire to dashboard

In DataLion, the answers turn into a risk map of your organisation's AI usage – filterable by department and location:

  • Tool adoption: Bar chart of the AI tools from the multiple-choice question – your real tool landscape instead of the assumed one.
  • Risk heatmap: data types × frequency: The matrix question on data types as a heatmap instantly shows where confidential data regularly flows into unapproved tools.
  • Account types: Share of private versus company accounts as a donut – the fastest indicator of uncontrolled data flows.
  • Policy awareness: Stacked bars on awareness of AI rules, crossed with departments – shows where policy communication is missing.
  • AI topic analysis of use cases: Analyse the open question on valuable use cases with AI topic analysis – this becomes your approval roadmap.

Related survey templates

Browse all survey templates →

Frequently asked questions

What is shadow AI?
Analogous to shadow IT, shadow AI means using AI tools without official approval or IT's knowledge – for example ChatGPT via a private account for work tasks. The main risks are uncontrolled data flows and missing contractual bases (data processing agreements).
Why should the audit be anonymous?
Because you need honest answers. Anyone fearing sanctions will not admit shadow usage – and your risk map stays incomplete. So state explicitly that the goal is approvals and rules, not monitoring individuals.
What do we do with the results?
A three-step approach works well: vet and officially approve the most-used tools (with DPAs and company accounts), address risky data practices through training, and align the AI policy with real usage. Repeat after six months to measure progress.

Start with this template

Load the template into DataLion, adapt it to your brand and start collecting responses — GDPR-compliant, in minutes.