How Shadow AI List verifies

Most AI tool lists are an analyst's opinion or a single traffic number. Shadow AI List ranks by a composite, multi-signal index and re-verifies every release. The maintained, verified data and the weekly cadence are the product.

The AI Exposure Index (AEX)

AEX is a composite score of how exposed an AI tool makes enterprise data: how widely it is used, how deeply it embeds, how visible it is to a standard security stack, and how its data handling raises risk. Tools compete inside their category, so an image generator is never ranked against a foundation model. The specific signals and their weighting are proprietary.

The signals

AEX draws on several families of evidence - developer adoption, consumer interest, enterprise footprint, and a detection layer (the domains by which a tool can be found) - rather than any single source. No one source can drive a rank: we combine across sources and cap outliers so a single noisy or gamed signal cannot move a tool. The signal mix and the weighting are proprietary and maintained release to release.

Verification, every release

Before a release ships, each tool passes four checks: its domain resolves and matches the vendor, at least two independent signals are current, vendor identity is confirmed, and every new entry gets a human pass. New tools are reviewed on entry; the top of the list is re-reviewed regularly; the long tail is spot-checked.

How risk scores are assessed

Risk scores (0-100) combine human assessment with model-assisted scoring against a fixed internal rubric, plus automated sanity checks, and are re-verified each release. We are explicit about the distinction: the original curated entries were hand-assessed by a person; tools added later are scored with model assistance and a second review pass rather than hand-audited. Which is which is tracked internally. A higher score means a tool is more likely to reach sensitive enterprise data.

What is open, what is paid

The full ranked directory, the risk scores, the detection domains, and the maintained, re-verified weekly releases are the paid pack. The free top 100 and the public API are free to cite with attribution.

Shadow AI List is a risk-informational index for planning. It is not legal, compliance, or investment advice.