
Shadow AI Governance with ServiceNow CMDB

YDC’s Experience Using ServiceNow CMDB to Highlight Shadow AI to Improve Negotiating Posture and Drive AI Risk Assessments at a Mid-Size Company; YDC Used AI Agents for the Analysis
Sunil Soares, Founder & CEO, YDC
December 20, 2024

Today, we will discuss a recent YDC project focused on Shadow AI Governance. We all know that AI introduces risk, which calls for AI Governance and AI Risk Management. In this blog, however, we discuss the use of AI Governance to drive cost reduction by showing where organizations can surface Shadow AI to improve their negotiating posture and reduce costs.

The YDC team recently completed a study at a mid-size company. The hypothesis was that they had a number of applications with “Shadow AI.” We define Shadow AI as applications where vendors have added artificial intelligence capabilities into their application suite without the full knowledge of the company.

Inventory of CMDB COTS Applications

The ServiceNow team pulled a list of 800 commercial-off-the-shelf (COTS) applications from the CMDB. The Excel sheet included details such as Application Name, Vendor Name, Application Description, and Owner.

Appending Additional Information on Shadow AI

The YDC team conducted independent analysis and appended additional information to the CMDB file. This additional information included the existence of Embedded AI, the name of the AI, Vendor Privacy Policies on the Use of Customer Data to Train AI Models, and Opt-Out.

YDC_AIGOV AI Governance Agents Partially Automated the Process

The YDC team developed a number of agents to automate the extremely manual, time-consuming process of looking up vendor information relating to embedded AI, AI policies, etc. More on this in a future blog. For now, here is a sneak preview of our YDC_AIGOV agent in action in private preview on Hugging Face (I’ve hidden some of the details). We input the name of the vendor and receive the output in JSON format, based on the YDC_AIGOV agents doing their work in the background.


Here are some of the key highlights from our analysis (we have disguised overall numbers but the percentages are pretty accurate):

    1. 32 Percent of Applications Included Embedded AI Necessitating AI Risk Assessments

      59 percent of the applications did not have embedded AI, nine percent had embedded AI but excluded customer data from training AI models, and 32 percent (256 apps) had embedded AI but did not exclude customer data from training AI models. These 256 apps were the starting point for what will likely be a lengthy exercise. For example, each AI-embedded app constitutes an AI use case that needs to undergo an AI risk assessment.

    2. Tag AI-Embedded Apps in ServiceNow CMDB and Alert TPRM and Procurement to Improve Negotiating Posture

      All 256 apps (32 percent) with embedded AI need to be tagged with an “Embedded AI” tag in CMDB. At the very minimum, the following additional steps need to occur:

        a. Update Third-Party Risk Management (TPRM): The TPRM process needs to be updated to ensure that vendor Master Services Agreements (MSAs) include clauses around the use of customer data to train AI models.
        b. Alert Procurement to Improve Negotiating Posture: If the vendors are using customer data for “free” to train AI models, then they need to provide something in return (e.g., reduced pricing, vendor credits, free tickets to the vendor’s annual user conference).

    3. Populate 36 Percent of Application Records with Missing Vendor Name

      The YDC team discovered that 36 percent (288 apps) had null vendor names. We had to populate those fields to make sure that the activities in steps 1 and 2 above were effective.

    4. Update 47 Percent of Application Records with Missing or Incorrect Vendor Name

      The YDC team updated 47 percent (376 apps) with missing or incorrect vendor names. This list included the missing vendor names in step 3 above. Obviously, this step was critical to ensure that steps 1 and 2 above were effective.
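
The triage described in steps 1 to 4 above can be sketched in Python as follows. This is an added example, not YDC's agents or code: the rows are constructed, and the appended column names (`Embedded AI`, `AI Name`, `Trains On Customer Data`, `Opt-Out`), the bucket names, and the choice to treat an unknown training policy as "not excluded" are assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample of an enriched CMDB export (not real data).
# Names of the appended columns are assumptions for this example.
SAMPLE_CMDB_CSV = """Application Name,Vendor Name,Owner,Embedded AI,AI Name,Trains On Customer Data,Opt-Out
App A,Vendor One,alice,yes,Assistant X,yes,yes
App B,Vendor Two,bob,yes,Copilot Y,no,
App C,,carol,,,,
App D,Vendor Three,dave,no,,,
App E,Vendor Four,erin,yes,Helper Z,yes,no
"""

ESCALATE = "embedded_ai_data_not_excluded"

def classify(row):
    """Return the triage bucket for one enriched CMDB record."""
    if not row["Vendor Name"].strip():
        # Steps 3 and 4: without a vendor name the AI lookup cannot be done.
        return "needs_vendor_name"
    if row["Embedded AI"].strip().lower() != "yes":
        return "no_embedded_ai"
    if row["Trains On Customer Data"].strip().lower() == "no":
        return "embedded_ai_data_excluded"
    # Assumption: an unknown policy is treated as "not excluded" so it gets reviewed.
    return ESCALATE

def triage(csv_text):
    """Return (percentage share per bucket, follow-up actions for step 2)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    buckets = Counter(classify(r) for r in rows)
    shares = {b: round(100 * n / len(rows)) for b, n in buckets.items()}
    actions = [
        {
            "app": r["Application Name"],
            "cmdb_tag": "Embedded AI",
            "ai_risk_assessment": True,
            "alert": ["TPRM", "Procurement"],
            "opt_out_available": r["Opt-Out"].strip().lower() == "yes",
        }
        for r in rows if classify(r) == ESCALATE
    ]
    return shares, actions

if __name__ == "__main__":
    shares, actions = triage(SAMPLE_CMDB_CSV)
    print(shares)
    for a in actions:
        print(a)
```

Records in the `needs_vendor_name` bucket have to be fixed first, because every later step keys off the vendor.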

Fairness & Accessibility

Component

Component ID: 5.0

Mitigate bias and manage AI accessibility.

List of Controls:

  • Bias
  • Accessibility
Mitigate Bias
Control
ID: 5.1

Ensure that AI systems are fair and manage harmful bias.
Component: Address Fairness and Accessibility
Regulation: EU AI Act - Article 10(2)(f)(g) – Data and Data Governance (“Examination of Possible Biases”)

Vendors

Detect Data Poisoning Attacks
Control

ID: 10.4.1

Data poisoning involves the deliberate and malicious contamination of data to compromise the performance of AI and machine learning systems.

Component: 10. Improve Security
Control: 10.4 Avoid Data and Model Poisoning Attacks
Regulation: EU AI Act: Article 15 – Accuracy, Robustness and Cybersecurity

Vendors

Improve Security
Component

Component ID: 10

Address emerging attack vectors impacting availability, integrity, abuse, and privacy.  

List of Controls:

  • Prevent Direct Prompt Injection Including Jailbreak
  • Avoid Indirect Prompt Injection
  • Avoid Availability Poisoning
    • Manage Increased Computation Attack
    • Detect Denial of Service (DoS) Attacks
    • Prevent Energy-Latency Attacks
  • Avoid Data and Model Poisoning Attacks
    • Detect Data Poisoning Attacks
    • Avoid Targeted Poisoning Attacks
    • Avoid Backdoor Poisoning Attacks
    • Prevent Model Poisoning Attacks
  • Support Data and Model Privacy
    • Prevent Data Reconstruction Attacks
    • Prevent Membership Inference Attacks
    • Avoid Data Extraction Attacks
    • Avoid Model Extraction Attacks
    • Prevent Property Inference Attacks
    • Prevent Prompt Extraction Attacks
  • Manage Abuse Violations
    • Detect White-Box Evasion Attacks
    • Detect Black-Box Evasion Attacks
    • Mitigate Transferability of Attacks
  • Misuse of AI Agents
    • Prevent AI-Powered Spear-Phishing at Scale
    • Prevent AI-Assisted Software Vulnerability Discovery
    • Prevent Malicious Code Generation
    • Identify Harmful Content Generation at Scale
    • Detect Non-Consensual Content
    • Detect Fraudulent Services
    • Prevent Delegation of Decision-Making Authority to Malicious Actors

Identify Executive Sponsor

ID: 1.1

Appoint an executive who will be accountable for the overall success of the program.

Component: 1. Establish Accountability for AI
Regulation: EU AI Act