
Shadow AI is the AI your coworkers use without asking.
In this four-hour, hands-on workshop, you find it, sort it, and decide what to do about it.
Course Length: 4 Hours
Includes a Certificate of Completion
Next scheduled date: September 25th, 2026 @ 12:00 PM ET
Description
Shadow AI is the AI your coworkers use without asking.
In this four-hour, hands-on workshop, you find it, sort it, and decide what to do about it.
You’ll work a real log file from a fictional mid-size firm. You’ll spot the AI traffic in the noise. You’ll sort each finding into “shadow,” “sanctioned,” or “unclear.” You’ll score it and pick the top three to escalate, writing a two-sentence note for each.
Walk out with a step-by-step playbook you can run on your own org next week. Students also get a free PDF copy of Gears Don’t Guess: The Executive’s Practical Guide to Thriving in the Face of AI Hype and Risk (soon to be published).
Who Should Take This Workshop
The in-house go-to person on AI risk or the person who wants to be.
Job titles vary: cybersecurity analyst, information security officer, GRC analyst, IT director, internal auditor, privacy officer, team lead. The pattern is the same: hands on the work, eyes on the boss’s calendar, and a need for tools you can use Monday morning.
This is for the practitioner who briefs the boss.
What You’ll Learn
By the end of the workshop, you will be able to:
• Spot shadow AI in your own org using three clear signal sources.
• Sort findings into shadow, sanctioned, or unclear without overthinking it.
• Score each finding on a simple risk rubric.
• Pick the top three to escalate.
• Explain each call to your boss in two sentences.
• Hand a written action plan to your boss the day you leave class.
-
System Requirements
- A laptop with a web browser.
- A way to open and filter a CSV of about 5,000 rows. Any one of these works:
- Excel, Google Sheets, or Numbers using column filters.
- grep or awk on the command line.
- Python (pandas optional, plain stdlib is enough).
- ChatGPT, Claude, Gemini, Copilot, or any other generative AI tool your employer has approved.
- You will pick one of these lanes and stay in it. The student packet has worked examples in all four, so you can compare notes with a partner who chose a different tool. Manual scanning will not fit inside the work block; the lab is sized to make that obvious.
Syllabus
Four hours, split into four blocks. Breaks built into the agenda.
Block 1 (45 min): Frame the problem
What shadow AI is. Why it grows inside firms of every size. The three signal sources that catch it in everyday log feeds: DNS, web proxy, and SaaS audit events.
Block 2 (45 min): Walk through one finding end to end
The instructor pulls one planted item from the data and works it on screen. Spot it, classify it, score it, and write the note. You see the full loop before you run it yourself.
Block 3 (90 min): Hunt the logs
Paired work. You pull AI traffic from the noise. You sort each finding into shadow, sanctioned, or unclear. You score each one on the rubric.
Block 4 (60 min): Trade, debrief, take home
Pairs swap top-three lists and try to poke a hole in each other’s calls. The instructor walks through three planted cases on screen and the right answer for each. You leave with a one-page playbook to run in your own org.
FAQ
No VM. No special platform.
The lab runs against a CSV of about 5,000 log lines you download before class. The file mixes three event types: DNS queries, web proxy events, and SaaS audit events. Roughly 40 AI-related items are planted in the noise.
The dataset size is deliberate. Manual scanning will not fit inside the work block. You will use a filter: Excel’s column filter, grep, awk, Python, or an AI assistant. The cheat sheet of known AI domains is the load-bearing reference.
Your student packet includes:
• A one-page briefing on the fictional company.
• Their written AI use policy.
• Their approved-tools list (sanctioned, pilot, prohibited, under review).
• A cheat sheet of known AI service domains plus red herrings.
• A blank scorecard with dropdowns and a built-in risk rubric.
• Worked-example snippets in grep, awk, Python, and spreadsheet form.
You work in pairs. The instructor sets the pace and runs the debrief.
You should be able to:
• Open a CSV file and read a row.
• Search inside a file (Ctrl-F counts).
• Trade ideas out loud with a partner.
About the Instructor
Kip Boyle
Bio
Kip Boyle is a husband, dad, small business owner, and experienced cybersecurity hiring manager. Over the years, Kip has built many InfoSec teams in a variety of settings including as a captain on active duty in the US Air Force, as the CISO of PEMCO Insurance in Seattle, and vCISO in his own company, Cyber Risk Opportunities LLC. Kip is a primary author and leader of the open source “Cybersecurity Hiring Manager Handbook”. He’s also the co-host of The Cyber Risk Management Podcast and the co-host of the Your Cyber Path Podcast.
Register for Upcoming
Workshop: Hunting Shadow AI
Live Training Kip Boyle
- Certificate of completion
- 6 months class recording access via Discord
For tuition assistance with this course please send an email to: [email protected]
Related products
-
Dale HobbsLive4 Hrs
Workshop: Intro to Active Directory
View Course This product has multiple variants. The options may be chosen on the product page -
Kip BoyleLive16 Hrs
Owning AI Risk: Hands-On Playbooks
View Course -
Chris TraynorLive4 Hrs
Workshop: Offensive Tooling Foundations
View Course -
Tim PappaLive4 Hrs
Workshop: How to Befriend and Bedazzle Online Threat Actors
View Course This product has multiple variants. The options may be chosen on the product page

