SAIL 2.0

/

AI Policy & Safe experimentation (Plan)

/

Unmonitored AI and Agent Experimentation

1.4

.

Unmonitored AI and Agent Experimentation

sail
1.4
Risk

Unmonitored AI and Agent Experimentation

Description

Unauthorized or hidden "shadow" AI environments corporate access from unmanaged personal devices/agents, or unapproved AI tools used from corporate devices and sessions.

Example

Developer runs Claude Code on a personal laptop with corporate repo access and community MCP servers, outside any logging or proxy.

Assets Affected

Agentic Platform

Notebook

Model Files

AI Agent

MCP Server

Mitigation
  • Require registration/approval of experiment sandboxes and endpoint agents
  • asset inventory
  • alert on new/rogue environments
  • periodic discovery scans
  • log analysis.
Standards Mapping
  • ISO: A.3.2, A.4.2
  • OWASP agentic: ASI10
  • EU AI Act: Art. 17
  • DASF: Operations 11.1, Agents-Core 13.13
  • AIUC-1: E008, E010