Shadow AI & AI Security Analytics
Overview
You've built the governance controls. Now review the analytics to see the full picture: which AI tools employees tried to use, what was redirected, what was blocked, and how to use this data in a customer conversation.
In this lab environment, you may not see much data in the analytics dashboards — the lab generates only a handful of requests compared to a production environment with hundreds or thousands of employees.
The goal of this module is not to analyze large volumes of data, but to explore the dashboard features, understand the available filters and panels, and learn how to navigate the analytics so you can demonstrate them confidently in a customer conversation.
What You Are Reviewing
- AI security report dashboard
- Shadow IT discovery for AI applications
- Gateway HTTP logs for redirect and DLP block events
Step 1: View the AI Security Report
- Go to one.dash.cloudflare.com
- Navigate to Insights > Dashboards > AI security report
- Review the available panels:
- Top 5 visited AI applications by user count — Most accessed AI tools over time (ChatGPT, Gemini, etc.)
- Statuses applied to AI applications by application count — How many AI apps are Unreviewed, In Review, Approved, or Unapproved
- Data uploaded to Artificial Intelligence applications by status — Data transfer volume broken down by approval status
- MCP servers behind Access over time — Number of MCP servers protected by Access policies (will populate after M5)
- Access login events to MCP servers — Login activity to Access-protected MCP servers (will populate after M5)
Expected Result
The report should reflect your lab activity:
- Gemini traffic
- ChatGPT / Claude: redirected to Gemini
Step 2: Explore Shadow IT Discovery
- Navigate to Insights > Dashboards > Shadow IT: SaaS analytics
- Filter by Application type: Artificial Intelligence
- Review:
- Which AI applications were accessed
- Whether they are marked as Approved, Unapproved, In Review, or Unreviewed
- User count and data transfer volume per application
Expected Result
You should see AI applications categorized with usage volume. Before your policies were active, multiple AI tools may appear. After the redirect policy, usage should concentrate on Gemini.
You can mark Google Gemini as Approved directly in the Application Library (Zero Trust > Team & Resources > Application library). This makes the analytics report cleaner and shows a clear distinction between approved and unapproved AI tools.
Application Library and Confidence Scorecards
The Application Library (Zero Trust > Team & Resources > Application library) is where you manage approval statuses for discovered SaaS applications. Each application card shows:
- Application Posture Score (5 points) — Evaluates security compliance, data management, security controls, incident history, and financial stability
- Generative AI Posture Score (5 points) — Evaluates ISO 42001 compliance, deployment security, system cards, and training data governance
These automated scores help security teams identify risks in Shadow AI and Shadow IT deployments without manual auditing. Changes made in the Application Library sync with the Shadow IT Discovery dashboard within one hour.
Step 3: Review Gateway Logs for the Full Story
- Navigate to Insights > Logs > HTTP request logs
- Review three categories of events:
Redirect events
- Filter by Policy name:
Redirect to Gemini - Shows employees who tried to use ChatGPT, Claude, or other AI tools
- Each event shows the original URL and the redirect destination
DLP block events
- Filter by policy:
Block sensitive data to Gemini - Shows prompts that contained sensitive data
- Click into an event to decrypt and view the captured prompt (using your private key from the DLP step)
Allow events
- Filter by policy:
Allow sanctioned Gemini - Shows clean Gemini usage that passed DLP inspection
Expected Result
A clear audit trail of every AI interaction:
- who tried to use unsanctioned AI (redirected)
- who sent sensitive data to the sanctioned tool (blocked + logged)
- who used the sanctioned tool cleanly (allowed)
Step 4: Map This to a Customer Conversation
Before Cloudflare
| Customer says | Reality |
|---|---|
| "We just block all AI" | Employees use personal devices or VPNs to bypass |
| "We only use ChatGPT Enterprise" | Shadow IT shows Gemini, Claude, Perplexity in use |
| "We have an AI policy" | No enforcement = no compliance |
After Cloudflare
| What you show them | Impact |
|---|---|
| Shadow IT discovery | "Here are all the AI tools your employees used this week" |
| Application confidence scorecards | "Here are the risk scores for each AI app — no manual auditing required" |
| Redirect policy logs | "We funneled everyone to your sanctioned tool instead of blocking" |
| DLP block + prompt log | "We caught an employee sending PII to Gemini and blocked it — here's the captured prompt" |
| AI security report | "One dashboard shows all AI activity, policy outcomes, and user behavior" |
The 60-second pitch
"We redirected all unsanctioned AI traffic to Gemini, your approved tool. Then we added DLP inspection so sensitive data can't leave through Gemini prompts either. Every blocked prompt is captured and encrypted with your key — only your team can read them. And Shadow IT shows you which AI tools employees were trying to use before governance was in place."
Validation
- Viewed the AI security report dashboard
- Explored Shadow IT discovery filtered by Artificial Intelligence
- Reviewed Gateway logs showing redirect, DLP block, and allow events
- Can articulate the before/after customer story
- Understand how visibility + governance drives the deal
Next
You've now protected inbound AI apps (M2-M3) and governed outbound AI usage (M4). In Module 5, you'll secure the agent path — providing controlled access to approved MCP servers via a portal and blocking shadow MCP.