Shadow AI discovery
Find the AI agents, models, and MCP servers your org already uses but does not govern, from egress logs, MCP scans, identity events, and cloud audit trails.
You can only govern what you can see. Shadow AI discovery ingests signals you already produce and surfaces the AI usage that never went through AxioRank: an engineer's script hitting a model API, a SaaS app someone connected through single sign-on, an MCP server wired into a developer's editor, a Bedrock or Vertex model called from a cloud function. Each finding is a candidate to bring under governance.
Plan
Shadow AI discovery is a Pro and above feature (shadowDiscovery). The ingest
endpoints return 402 for a workspace without the entitlement.
Four signal families
Discovery reads four independent signal families, so an agent that hides from one still shows up in another. Each posts to its own ingest endpoint.
| Signal | Endpoint | Source |
|---|---|---|
| Egress logs | POST /api/discovery/ingest | Vendor-neutral proxy, DNS, or firewall logs. Outbound calls to AI model hosts, classified against AxioRank's catalog of AI destinations. |
| MCP scan | POST /api/discovery/mcp-scan | A mcpaudit JSON report (mcpaudit scan --report <url>). MCP servers found in your environment, with their risk findings. |
| Identity (Microsoft Entra, CASB) | POST /api/discovery/entra, POST /api/discovery/casb | AI SaaS apps from OAuth consent grants and sign-in events, plus the identities using them. |
| Cloud audit trails | POST /api/discovery/cloudtrail, POST /api/discovery/gcp | AWS CloudTrail (Bedrock model invocations) and Google Cloud audit logs (Vertex AI invocations). Only model-invocation events count. |
From raw signal to a governed agent
Every family normalizes into the same shape and lands in a discovery table you triage:
- Ingest: raw events are accepted and aggregated by date, source, and destination, so high-volume logs collapse into one finding per source-to-destination pair.
- Classify: destinations are matched against AxioRank's catalogs of AI model hosts and AI SaaS apps. Unknown destinations are flagged for review.
- Surface: findings appear on the Discovery page as discovered shadow agents (egress), discovered MCP servers (scan), or discovered AI apps (identity).
Each finding carries a triage status: new, acknowledged, governed, or
ignored. Marking a finding governed is the bridge to the rest of the
platform: route that agent or MCP server through the gateway
or register it as an inbound surface.
Knowing who, not just what
Identity signals add the missing column. Microsoft Entra sign-in events map a source IP to a user principal name, so an anonymous egress flow ("something at 10.0.0.4 is calling an AI host") becomes attributable ("Dana's laptop is calling an ungoverned model"). The correlation enriches egress findings with the identities behind them.
Closing the loop with your SIEM
Discovery is not a dead end. Any log stream marked to
forward discoveries receives new findings on a schedule (the stream-discovery
job runs every five minutes), with a per-destination cursor for at-least-once
delivery. So a finding AxioRank surfaces can open a ticket, fire a SOAR
playbook, or land in Splunk or Datadog alongside the rest of your security
telemetry.
Next steps
- MCP gateway and mcpaudit: scan MCP servers and report them in.
- Audit export: stream findings out to your SIEM.
- Inbound surfaces: bring a discovered surface under governance.
Inbound surfaces
Verify the AI agents that reach into the surfaces you operate, a website, an HTTP API, an MCP server, an A2A agent, or a webhook, with one verify endpoint and a per-kind challenge.
Claims and verification
Every "first" or "only" claim AxioRank makes, stated precisely, with how to verify it yourself.