Shadow AI Discovery Quiz: A 12-Question Tool to Score Your Organization Against the Six-Week Discovery Framework
Most organizations that decide to address shadow AI start by buying a tool. The tool fires alerts on day one and produces a report nobody can act on. A working discovery program is a sequenced six-week path that begins with what the organization already has and adds inspection only after the surface is mapped. This 12-question quiz scores your organization against each step of the framework and tells you where the next two weeks of work belong.

The IBM Cost of a Data Breach Report shows that one in five breached organizations in 2025 traced the breach to shadow AI, at an average incremental cost of $670,000 per incident. Netwrix data shows that only 37% of organizations have any detection or governance policy in place for AI usage. The gap between "we have a shadow AI problem" and "we have an actionable discovery program" is the gap most enterprise compliance teams sit in right now.
The discovery quiz scores your organization against the six-week framework. Twelve questions, structured output, no contact form required.
The six-week framework, abridged
The full framework lives in Shadow AI Discovery Framework: The Six-Week Path From Blind to Inventoried. The quiz scores against six stages:
- Weeks 1-2: enumerate what you already have. DNS logs, expense reports, SSO data. No new tools yet.
- Weeks 2-3: scope and prioritize. Which AI usage matters most for which regulatory exposure.
- Weeks 3-4: light instrumentation. Browser extension, network egress monitor, or proxy in passive mode.
- Weeks 4-5: classify the traffic. What data classes are in the prompts, what destinations are receiving the traffic.
- Weeks 5-6: produce the inventory. Use-case-by-use-case map of who is doing what with which model.
- Week 6 onward: standing program. The inventory becomes a living artifact maintained by the AI risk function.
The quiz scores your organization's current state against each stage. The output is a score plus the specific next step.
The 12 questions
The quiz takes 6 to 8 minutes. The questions:
- Do you have a current AI usage inventory (any format) updated within the last 90 days?
- Have you queried DNS or proxy logs in the last 30 days for traffic to known AI provider domains?
- Do you have expense-report visibility into individual or team AI subscriptions?
- Does your SSO catalog name the AI applications employees have authenticated to?
- Have you classified your AI use cases by regulatory exposure (EU AI Act, HIPAA, DORA, sector-specific)?
- Do you have a passive inspection point (proxy, gateway, or browser extension) deployed in any segment?
- If a passive inspection point exists, does it produce per-request data-class verdicts?
- Has the inventory been reviewed by your AI risk function or compliance team in the last 90 days?
- Does the inventory name the natural persons (or roles) on each AI use case?
- Does the inventory name the data class flowing through each use case (PII, PHI, source code, contract content, none)?
- Is there a documented decision authority for adding or removing use cases from the inventory?
- Is the inventory queryable by a regulator or auditor with under 24 hours of preparation?
Each question carries a yes / no / partial answer. The scoring weights the questions toward the later stages (the inventory's existence is necessary but not sufficient; queryability is the hard part).
The output format
The quiz returns a score and a stage assignment:
The action plan is the artifact a compliance lead can hand to engineering on day one of the next sprint.
Why most discovery programs slip
The pattern we see most often is "buy the tool first." A vendor's traffic-inspection product lands in week one. The product fires alerts on every prompt it sees. The alert volume overwhelms the on-call team. The compliance team cannot triage. The program stalls at week three with a tool license and no inventory.
The framework's first two weeks are deliberately tool-free. DNS logs, expense reports, SSO data. The deployer's existing observability stack carries the first answer. Tools come in week three, after the deployer knows what the tools should be measuring.
The quiz exists to catch the "buy the tool first" mistake before it lands. An organization whose Weeks 1-2 stage scores 10 / 30 is not ready to deploy inspection in week three. The quiz says so, and names the specific gap.
What the quiz does not do
The quiz does not produce the inventory. It scores readiness to produce the inventory. The inventory itself is the artifact of the six-week framework, which the deployer's team runs.
The quiz does not name vendors. The action plan names categories (passive network egress monitor, browser extension, proxy in passive mode) without recommending specific products. Vendor selection sits inside the deployer's existing procurement process.
When to take the quiz
Three triggers:
- Before a board or risk-committee briefing on AI. The score gives you a defensible answer to "where are we on shadow AI."
- At the start of a discovery program. The next-action plan is the first sprint's scope.
- At the 90-day mark of a running program. The quiz scores progression. A score that jumps from 34 to 67 between the two runs is the proof that the program is producing the artifact.
The quiz's scoring against IBM's data
The IBM Cost of Data Breach 2025 data set has organizations at various stages of shadow AI maturity. The pattern in the data: organizations that have completed the framework's first three stages (DNS query, SSO catalog, expense visibility) carry incident costs roughly $300,000 below the shadow-AI breach average. Organizations that have completed all six stages plus a running inventory program carry costs at or below the cross-industry baseline.
The framework's value, in IBM-quantified terms, is the difference between a $670,000-premium breach and a baseline-cost breach.
DeepInspect
DeepInspect's platform supports the framework's later stages directly. The passive inspection mode in week three runs against the deployer's existing traffic. The classification verdicts in week four feed the inventory's data-class field. The audit records produced by the gateway in week five become the queryable substrate the inventory references.
For deployers at Weeks 1-2, the platform is not the next step. The quiz tells you that. For deployers at Weeks 4-6, the platform is the operational answer.
Take the quiz at deepinspect.ai/tools/shadow-ai-discovery-quiz.
Let's talk today.
Frequently asked questions
- Does the quiz require my data?
No. The 12 questions are about your organization's processes and tooling, not your traffic. The quiz scores readiness; it does not see prompts or logs.
- How long does the quiz take?
6 to 8 minutes for a single respondent. The most accurate scores come from a 30-minute working session that involves a compliance lead, an IT operations lead, and a security engineer. The three perspectives produce different answers on questions 2, 3, and 11.
- Can the quiz score progress over time?
Yes. The exported report stamps the date and the score. Run the quiz quarterly during a discovery program and the score progression is the artifact you bring to the risk committee.
- Does the quiz replace a formal AI risk assessment?
No. The quiz is a readiness tool. A formal AI risk assessment (under NIST AI RMF Govern, EU AI Act Article 9, or sector-specific frameworks) requires the artifacts that the six-week framework produces. The quiz scores how close the organization is to having those artifacts.