Shadow AI is the crisis.

— AI governance you can prove.

Discover every unmanaged AI tool in your organization, generate a board-ready policy, and prove governance to your auditors — in under 10 minutes. No MSP. No CCIE. No six-figure invoice.

Live · v1.0 launch May 2026 · category formalized at Google Cloud Next '26

Built for the Agent Governance category Google formalized at Cloud Next '26. SanctumShield is the first SaaS purpose-built for mid-market organizations (50–2,000 employees) in this category — designed by a CISSP-credentialed founder with deep industry expertise. Founder-direct support, no SDR layer, four-hour acknowledgment commitment.

80%+ of AI tools are unmanaged in the enterprise today (source 1)
59% of employees hide their AI tool usage from IT (source 2)
0 self-serve, sub-$1K/year platforms for shadow AI governance at 50–2,000-employee orgs

Why SanctumShield for Shadow AI?

The only product that generates a customized, regulation-anchored AI risk assessment and AUP — the artifact every auditor, board, and insurer now asks for — in minutes, from a guided assessment you complete in a browser you already trust.

Observability is not governance. Enforcement is not governance.

AI-SPM observes. DLP enforces.
SanctumShield governs.

The modern security stack splits into three distinct layers, and conflating them is how most mid-market organizations end up with strong tooling and no defensible governance evidence. Observability — SIEM, SOC, AI-SPM platforms like Wiz, Palo Alto AI Access, and Cisco AI Defense — sees what is happening inside the perimeter at runtime. Enforcement — DLP, CASB, SSE, CNAPP, EDR, AI inferencing firewalls — controls what is allowed to happen at the perimeter. Both are necessary. Both produce telemetry and runtime actions.

Neither produces governance. Governance is the regulation-anchored Acceptable Use Policy, the severity-ranked risk assessment, the one-page Board Memo, and the third-party-queryable Verification URL that EU AI Act Article 17, Colorado SB 24-205 § 6-1-1703, HIPAA § 164.308(a)(1), NIST AI RMF GOVERN, and ISO/IEC 42001 Clause 6 require as documented evidence of an active program. Telemetry is not evidence; runtime blocks are not policy. Observability gets you observability. Enforcement gets you enforcement. Neither gets you governance.

SanctumShield is the governance layer — the artifact your auditor reads, your underwriter files, and your board acknowledges — generated by multi-LLM agentic synthesis against a continuously refreshed regulatory landscape, with human oversight at every accountable step. Layered underneath your existing observability and enforcement stack, not in place of it. See /under-the-hood for the full methodology.

Research-anchored · Harvard / MIT / HBR

Built on the peer-reviewed research that names the failure mode in human-in-the-loop AI oversight.

Randazzo et al. 2025 (Harvard Business School Working Paper 26-021) documents persuasion bombing — the pattern in which LLMs escalate persuasion tactics when challenged by a human reviewer, rather than correcting their output. Covered by MIT Sloan Management Review (Feb 2026) and Harvard Business Review (March 2026). SanctumShield is the first AI governance product to name this failure mode, cite the research, and prescribe specific controls that compensate for it — controls that ship inside every customer’s generated AUP. See the full citation chain on /under-the-hood.

Why now · obligations across jurisdictions

Operate on cadence, not on countdown.

AI governance obligations are arriving across jurisdictions on staggered, sometimes-moving timelines. EU AI Act high-risk obligations enforce August 2, 2026 (with a Digital Omnibus deferral under active EU legislative procedure that could shift the date to late 2027 if adopted). Colorado SB 26-189 (which repealed and replaced SB 24-205 on May 14, 2026 before the original could take effect) is effective January 1, 2027. Cyber insurance underwriters are asking on 2026 renewal questionnaires now — no future date attached. Anchor on the obligations, not the countdowns. The artifact a regulator verifies travels across every jurisdiction and survives every individual deadline shift — and it is built and shipping today.

§ 01 · The Problem

Standard DLP sees encrypted HTTPS to api.openai.com and stops there.

Enterprise security teams spent a decade chasing Shadow IT — employees using Dropbox instead of SharePoint, Slack instead of email. They mostly won that battle. Then generative AI arrived and reset the clock.

The critical difference: Shadow IT moved files. Shadow AI moves reasoning, context, and proprietary intelligence — the actual IP of the business — to unmonitored external systems. An employee pasting a customer contract into ChatGPT doesn't know they just trained a commercial model on confidential terms.

The Visibility Gap

Security teams have no native tooling to detect which AI services employees are using, what data they're sending, or at what volume.

The Extension Threat

Hundreds of AI-branded browser extensions silently harvest page content, clipboard data, and form inputs before IT knows they exist.

The Policy Vacuum

Most mid-market organizations have no AI Acceptable Use Policy. Those that do copied a generic template — unadapted for industry, regulation, or the tools their employees actually use.

The Mid-Market Desert

Cisco AI Defense and Palo Alto AI Access exist for the Global 2000. Every company between 50 and 2,000 employees is unserved. This is the market.

§ 02 · The Product

The Sanctum.
The Shield.

Two layers. One platform. The Sanctum defines what good AI governance looks like for your organization — the policy, the tool registry, the compliance mapping. The Shield enforces it — detecting what's actually happening inside your perimeter, tracking acknowledgments, and producing the evidence your auditors require.

01 · The Sanctum
Governance Layer
What good AI looks like
  • AI Acceptable Use Policy
    2,500–4,000 word production-grade policy, 14 sections, customized to your industry, size, jurisdictions, and compliance frameworks.
  • AI Tools Registry
    60+ pre-rated AI services. Training policies, enterprise tier availability, certifications. Saves hours of per-tool research.
  • Compliance Framework Mapping
    HIPAA, GDPR, CCPA, SOC 2, NIST AI RMF, EU AI Act — mapped to your actual AI use, not boilerplate.
02 · The Shield
Enforcement Layer
What's actually happening now
  • Shadow AI Risk Calculator
    12-question self-assessment. Instant departmental risk score and three headline findings. Free lead-in to the paid platform.
  • Network Log Analysis
    Quantified outbound traffic counts derived from firewall, proxy, or DNS log analysis matched against 64 verified AI API endpoints. Works whether or not you run a CASB, SSE, or AI-SPM. Paste logs from any firewall, proxy, or DNS server.
  • Executive Risk Report
    Synthesizes organization profile, deployed tool registry, and log hit counts into an 8–12 page board-ready report including five regulation-anchored findings and a prioritized 90-day action plan.
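As an added example (not SanctumShield's code and not its 64-domain registry), here is the core of the matching the Network Log Analysis bullet describes: pull the destination hostname out of proxy or DNS log lines, which is visible even when the HTTPS payload is encrypted, and count hits against a small constructed AI endpoint list. The log formats, domains and sample lines are assumptions.

```python
import re
from collections import Counter

# Constructed registry of AI service domains (illustrative only, not the
# product's endpoint registry). Keyed by hostname, value is the vendor label.
AI_ENDPOINTS = {
    "api.openai.com": "OpenAI API",
    "chatgpt.com": "ChatGPT",
    "api.anthropic.com": "Anthropic API",
    "generativelanguage.googleapis.com": "Google Gemini API",
}

# Two assumed log shapes: a proxy line "<ts> <src> <METHOD> <url-or-host:port>"
# and a DNS resolver line "<ts> <src> query <qname>".
PROXY_RE = re.compile(r"^\S+ (?P<src>\S+) (?:CONNECT|GET|POST) (?P<dest>\S+)")
DNS_RE = re.compile(r"^\S+ (?P<src>\S+) query (?P<dest>\S+)")

def extract_host(line):
    """Return (source, hostname) from a proxy or DNS log line, or None."""
    m = PROXY_RE.match(line) or DNS_RE.match(line)
    if not m:
        return None
    # Strip scheme, path and port: "https://api.openai.com/v1/x" -> "api.openai.com"
    host = re.sub(r"^[a-z]+://", "", m.group("dest")).split("/")[0].split(":")[0]
    return m.group("src"), host.lower().rstrip(".")

def match_endpoint(host):
    """Exact or subdomain match; a look-alike such as notopenai.com never matches."""
    for domain, vendor in AI_ENDPOINTS.items():
        if host == domain or host.endswith("." + domain):
            return vendor
    return None

def analyze(lines):
    """Count AI endpoint hits per vendor and per source host; other traffic is ignored."""
    by_vendor, by_source = Counter(), Counter()
    for line in lines:
        parsed = extract_host(line)
        if parsed is None:
            continue
        src, host = parsed
        vendor = match_endpoint(host)
        if vendor:
            by_vendor[vendor] += 1
            by_source[src] += 1
    return by_vendor, by_source

# Constructed sample log lines mixing proxy and DNS formats.
SAMPLE_LOGS = [
    "2026-05-04T09:12:01Z 10.20.1.15 CONNECT api.openai.com:443",
    "2026-05-04T09:12:09Z 10.20.1.15 POST https://api.openai.com/v1/chat/completions",
    "2026-05-04T09:13:44Z 10.20.1.22 query chatgpt.com.",
    "2026-05-04T09:15:02Z 10.20.1.22 query api.anthropic.com",
    "2026-05-04T09:15:30Z 10.20.1.40 GET https://sharepoint.example.com/sites/legal",
    "2026-05-04T09:16:11Z 10.20.1.40 query notopenai.com",
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOGS))
```

Per-source counts are what lets the department-scoped report attribute usage to a team rather than only to the organization as a whole.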
§ 03 · Why SanctumShield

Not what Palo Alto sells.
Not what consultancies charge for.

| Vendor | Target | Starting Price | Deployment |
|---|---|---|---|
| Vanta | Funded co. pursuing SOC 2 / ISO / HIPAA | $7,500/yr (sales-led) | API integration, weeks to months |
| Palo Alto AI Access Security | Global 2000 | $80,000+ | Weeks, dedicated team |
| CrowdStrike Falcon | Endpoint security buyers | $25K+/yr | Managed EDR program required |
| Fortinet / Palo Alto NGFW | Network perimeter | Capex + config | Network re-architecture |
| MSP / MSSP managed service | Enterprise contract | $150K–500K/yr | Multi-quarter engagement |
| Big 4 / Large consultancy | Anyone who will pay | $50K–250K/engagement | 6–12 weeks, PowerPoint |
| SanctumShield | SMB + mid-market (50–2,000) | $99/month | 10 minutes, self-serve |

SanctumShield is complementary to, not a replacement for, runtime agent governance tools like Cisco AI Defense. Cisco AI Defense protects the agents you deploy. SanctumShield discovers the shadow AI your governance hasn't reached yet.

SanctumShield is complementary to Vanta. If you already have Vanta, SanctumShield produces the board-ready AI-governance artifact Vanta isn't built to generate. See /vs-vanta.

§ 04 · Pricing

Two ways to use SanctumShield.

Start with the free Shadow AI Risk Calculator — no account, no email, no credit card. Pay for SanctumShield when you need the full audit report, the AI Acceptable Use Policy, and the log analysis. Month-to-month, cancel anytime.

Cost comparison bar chart: SanctumShield at $99 per month versus the incumbent options — outside privacy counsel ($5,000–$25,000 for an AUP alone), Big 4 advisory engagements ($40,000–$150,000 for AUP plus risk assessment), and enterprise security platforms ($50,000–$180,000 per year). Same body of regulatory and threat-research synthesis. Same audit-grade governance artifact. One-thousandth to one-hundredth the per-cycle cost.
Mid-market governance. Enterprise-grade artifact. Underserved-market price.
Free · No account required
Shadow AI Risk Calculator
$0
Always free · No email gate
  • 12-question self-assessment
  • Instant departmental risk score (0–100)
  • Three headline findings tailored to your answers
  • No account, no email, no credit card
  • Run it as many times as you want
Full Platform
SanctumShield
Full Audit + Policy
$99/month
Month-to-month · Cancel anytime · Stripe charges immediately on subscribe · Current billing period is non-refundable (you keep all artifacts you generate this month) · See /trust for full subscription terms
  • Executive Risk Report — 5 findings, impact-first severity rationale, regulatory citations, 90-day action plan
  • AI Acceptable Use Policy — 14 sections + 3 appendices, ~3,500–4,500 words, customized to your industry / jurisdictions / frameworks
  • Board Memo — 1-page CEO-voice summary derived from the audit
  • Verification URL — embedded in every artifact, queryable for 5 years (insurer- and auditor-facing)
  • AI Tools Catalog (60+ pre-rated) + AI endpoint registry (64 domains)
  • Network log analysis (paste or CSV upload)
  • AUP clause-mapping engine — currently maps to seven frameworks in generated policy text (HIPAA, GDPR, CCPA, SOC 2, NIST AI RMF, EU AI Act, ISO 27001). Four additional frameworks (ISO/IEC 42001, Colorado AI Act, NAIC AI Model Bulletin, DORA) are on the active roadmap and inform the underlying risk methodology today.
  • Download as Word, Markdown, plain text, HTML
  • Scope flexibility — run for one department, one line of business, or company-wide; same $99/month. Larger organizations (2,000+ employees) routinely use SanctumShield department-by-department: a 300-person legal team, a 500-person clinical operations group, or a 200-person engineering line of business each gets their own scoped AUP and risk assessment.
  • Founder-direct support, four-hour acknowledgment
The math, plainly

A tailored AI Acceptable Use Policy alone — produced by outside counsel, a Big 4 advisory, or a security consultancy — typically costs $5,000 on the low end, $25,000+ on the high end, and six figures for the largest healthcare or financial services engagements. SanctumShield delivers the AUP plus the Executive Risk Report, the Board Memo, the verification URL, and quarterly landscape refreshes — for $99/month, month-to-month, no commit. See the actual artifacts before you decide.

Business and Scale tiers — with team acknowledgment tracker, policy version history, compliance evidence audit trail, REST API, white-label, and quarterly regulatory update reports — are in active development. Join the waitlist →

§ 05 · What You Actually Get

Get the AI Risk Assessment
your organization needs today.

Get the AI Acceptable Use Policy your organization needs today. Get the Executive Risk Report you can take to your board this week. Both, anchored to real regulatory clauses. Both, downloadable as Word documents your legal counsel can review offline. Both, generated in minutes from a guided assessment.

Big 4 Consulting
$50K–250K
6–12 weeks · PowerPoint deliverable · dedicated engagement team
Healthcare Privacy Counsel
$15K–40K
2–4 weeks · legally defensible · no log analysis
Palo Alto AI Access Security
$80K+/year
Enterprise-only · needs dedicated security team · quarterly rollout
SanctumShield
$99/month

Built, designed, and developed specifically for organizations that don’t have dedicated platform engineering or security teams.

Audit-ready documentation: a 14-section AI Acceptable Use Policy, a 60+ tool registry, an Executive Risk Report with five regulation-anchored findings, and a prioritized 90-day remediation roadmap.

Regulation-anchored. Log-verified (if you upload logs). Immediately useful. No consultant, no integration team, no implementation project. Month-to-month. Cancel anytime.

Sources · cited stats on the home page
  1. 80%+ of enterprise AI tools unmanaged — Zluri, State of AI in the Workplace 2025. Reports that IT and security teams have visibility and control over fewer than 20% of enterprise AI tools.
  2. 59% of employees hide AI tool usage from IT — Cybernews 2025 AI Workplace Survey. Corroborated by KPMG's April 2025 global study of 48,000 people across 47 countries (57%).
  3. Mean-time-to-exploit: −7 days. Threat-actor handoff: 22 seconds. — Google Cloud / Wiz AI-SPM keynote at Google Cloud Next '26, April 2026. Exploitation now precedes public CVE disclosure on average; reconnaissance-to-initial-access handoff has compressed to 22 seconds. The single most quotable security statistic of 2026.
SanctumShield — AI governance you can prove to your board