{"id":51282,"date":"2025-09-11T09:22:42","date_gmt":"2025-09-11T17:22:42","guid":{"rendered":"https:\/\/www.sumologic.com\/?post_type=blog&#038;p=51282"},"modified":"2026-02-17T11:17:24","modified_gmt":"2026-02-17T19:17:24","slug":"rise-shadow-ait","status":"publish","type":"blog","link":"https:\/\/www.sumologic.com\/blog\/rise-shadow-ait","title":{"rendered":"The rise of shadow AIT"},"content":{"rendered":"\n<section class=\"e-stn e-stn-0d652506f82b000a392973813b918ee25d5b4211 e-stn--glossary-inner-content e-stn--table-of-content\"><div class=\"container\">\n<div class=\"wp-block-b3rg-row e-row row\">\n<div class=\"wp-block-b3rg-column e-col e-col-1f7b3997080fc292474d26ff00c905d99d3520fa e-col--content-wrapper  col-sm-12 col-lg-12 col-xl-12\">\n<div class=\"e-div e-div-a1b32f66e1749758df41d5aea14f647cd10e362c e-div--card-btn-link\"><div class=\"e-img \">\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"700\" height=\"200\" src=\"https:\/\/www.sumologic.com\/wp-content\/uploads\/Meta_Shadow-AIT_Blog_700x200-1.png\" alt=\"Sumo Logic: Shadow AIT\" class=\"wp-image-51372\" title=\"\" srcset=\"https:\/\/www.sumologic.com\/wp-content\/uploads\/Meta_Shadow-AIT_Blog_700x200-1.png 700w, https:\/\/www.sumologic.com\/wp-content\/uploads\/Meta_Shadow-AIT_Blog_700x200-1-300x86.png 300w, https:\/\/www.sumologic.com\/wp-content\/uploads\/Meta_Shadow-AIT_Blog_700x200-1-575x164.png 575w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<p>If <a href=\"https:\/\/www.sumologic.com\/blog\/leading-full-stack-observability-logs\">shadow IT<\/a> was the SaaS era\u2019s guilty pleasure, shadow AIT is GenAI\u2019s sugar rush: unsanctioned AI models, tools, and autonomous agents quietly wired into business workflows\u2014often without approvals, logging, or controls. 
It\u2019s fast, it\u2019s useful, and it can bite.&nbsp; <\/p>\n\n\n\n<p><a href=\"https:\/\/www.netskope.com\/netskope-threat-labs\/cloud-threat-report\/generative-ai-2025\" target=\"_blank\" rel=\"noreferrer noopener\">Netskope\u2019s 2025 GenAI<\/a> report finds orgs now use nearly six GenAI apps on average; the top quartile uses 13+, and they\u2019re tracking 300+ distinct GenAI apps overall. They also measured a &gt;30\u00d7 increase in data sent to GenAI apps year-over-year. <a href=\"https:\/\/www.menlosecurity.com\/press-releases\/menlo-securitys-2025-report-uncovers-68-surge-in-shadow-generative-ai-usage-in-the-modern-enterprise\" target=\"_blank\" rel=\"noreferrer noopener\">Menlo Security&#8217;s AI report<\/a> flags a 68% surge in shadow GenAI, turning &#8220;helpful&#8221; into hazardous. <a href=\"https:\/\/newsroom.cisco.com\/c\/dam\/r\/newsroom\/en\/us\/interactive\/cybersecurity-readiness-index\/2025\/documents\/2025_Cisco_Cybersecurity_Readiness_Index.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Cisco\u2019s 2025 Readiness Index<\/a> says ~60% of orgs lack confidence in identifying unapproved AI tools, reinforcing the need to monitor. <a href=\"https:\/\/www.gartner.com\/en\/articles\/ai-trust-and-ai-risk\" target=\"_blank\" rel=\"noreferrer noopener\">Gartner<\/a> ties this to GenAI data programs gone rogue.<\/p>\n\n\n\n<p>Shadow AI is spreading across orgs and job functions, bringing real data-exposure and governance risks\u2014especially when employees bring their own AI.<\/p>\n\n\n\n<p>This article is a practical, telemetry-first guide to spotting and governing shadow AIT. We\u2019ll map detections to MITRE ATLAS, OWASP Top 10 for LLM Apps, and NIST AI RMF, and we\u2019ll get specific about the logs you should collect (CloudTrail, CloudWatch, endpoint, app logs, and Model Context Protocol\/MCP telemetry). 
 We\u2019ll also show Sumo Logic-style queries you can drop into your SIEM today.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-is-shadow-ait\">What is shadow AIT?<\/h2>\n\n\n\n<p>Shadow AIT is any unauthorized use of AI services, AI tools and the agentic glue (plugins\/tools, MCP servers, Bedrock Agents, LangChain tools, etc.) that can touch production data and systems\u2014often beyond security\u2019s line of sight.&nbsp;<\/p>\n\n\n\n<p>The AI train has left the station, and the predicament businesses find themselves in is that if they don\u2019t allow AI tools, they are incentivising shadow AI. 
Employees have experienced the value AI brings to all aspects of our lives, and <a href=\"https:\/\/www.sumologic.com\/blog\/ai-security-policies\">to tell them it can\u2019t be used just pushes its usage into the shadows<\/a>. It&#8217;s the AI equivalent of shadow IT, but on steroids, because AI doesn&#8217;t just process data; it learns from it, hallucinates wild outputs, has access to the most sensitive systems and sometimes spills secrets like a tipsy uncle at a family reunion.<\/p>\n\n\n\n<p>Why the surge? Blame it on the democratizing power of AI \u2013 tools are now so accessible that even non-techies can spin up an agent to automate tasks or a copilot to code like a pro. But without oversight, it&#8217;s creating risk blind spots across enterprises, from data leaks to compliance nightmares.&nbsp;<\/p>\n\n\n\n<p>In the near future, I expect to hear of post-incident meetings where leaders say, \u201cI didn\u2019t know that application used AI.\u201d Or \u201cwho authorized AI to be used that way?\u201d. To bring light to darkness, you need to lean in with the team&#8217;s AI strategy, support innovation, but wrap controls and governance around it without introducing too much friction.&nbsp;<\/p>\n\n\n\n<p>If you&#8217;re mature enough to conduct AI red team or pen test assessments, you get bonus points. Work with those assessors to capture the log telemetry during their tests, so when they get in, you can create detections to capture future adversarial behaviors or AI abuse.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"frameworks-to-anchor-your-program\">Frameworks to anchor your program<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"ai-trism\">AI TRiSM<\/h3>\n\n\n\n<p><a href=\"https:\/\/www.gartner.com\/en\/information-technology\/glossary\/ai-trism\" target=\"_blank\" rel=\"noreferrer noopener\">AI TRiSM<\/a> stands for Artificial Intelligence Trust, Risk, and Security Management. 
Coined by Gartner, it\u2019s a framework designed to ensure that AI systems are trustworthy, compliant, and secure throughout their lifecycle. In plain English, <strong><em>Trust<\/em><\/strong> asks: can you explain how the AI makes decisions? Is it fair, reliable, and free from bias? <strong><em>Risk<\/em><\/strong> addresses what could go wrong: think of data leaks, hallucinations, adversarial hacks, or regulatory issues. <strong><em>Security<\/em><\/strong> tackles how you protect the model, its data, and its infrastructure from attacks, misuse, or unauthorized access.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"nist-ai-rmf-1-0-generative-ai-profile-ai-600-1\">NIST AI RMF 1.0 + Generative AI Profile (AI 600-1)&nbsp;<\/h3>\n\n\n\n<p><a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/ai\/nist.ai.100-1.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">NIST&#8217;s AI Risk Management Framework<\/a> is your governance GPS, with core functions like Map (identify risks), Measure (quantify them), Manage (mitigate), and Govern (oversee everything). Apply it to Shadow AI by mapping unauthorized AI usage in your environment, then measuring risks via metrics like data exposure rates while following incident response requirements for AI systems.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"mitre-atlas\">MITRE ATLAS&nbsp;<\/h3>\n\n\n\n<p>This is your adversarial playbook for AI systems, like MITRE ATT&amp;CK but tailored for machine learning threats. It maps out tactics like data poisoning (where bad actors tamper with training data) or model evasion (tricking AI into wrong decisions). 
Use <a href=\"https:\/\/atlas.mitre.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">ATLAS<\/a> to assess Shadow AI risks by cross-referencing your logs against its matrices \u2013 for instance, spotting unusual API calls that might indicate an evasion technique in a rogue copilot.<br><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"owasp-top-10-for-llm-apps-2025-refresh\">OWASP Top 10 for LLM Apps (2025 refresh)<\/h3>\n\n\n\n<p>This gem <a href=\"https:\/\/owasp.org\/www-project-top-10-for-large-language-model-applications\/\" target=\"_blank\" rel=\"noreferrer noopener\">lists vulnerabilities specific to large language models (LLMs)<\/a>, like prompt injection (crafty inputs that hijack the model) or sensitive information disclosure (leaking PII in outputs). In Shadow AI scenarios, employees might unwittingly trigger these \u2013 e.g., a marketing team using an unsanctioned LLM app that&#8217;s vulnerable to overreliance (blindly trusting hallucinatory outputs), leading to bad business decisions.<br><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-to-log-and-why\">What to log (and why)<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"cloud-model-apis\">Cloud\/Model APIs&nbsp;<\/h3>\n\n\n\n<p>Start by hooking into API logs from services like AWS Bedrock (a hotbed for Shadow AI experiments). For example, monitor converse and converse_stream calls. Track metrics like input\/output tokens, latency, and calls per minute.&nbsp;<\/p>\n\n\n\n<p>Most cloud providers have documented telemetry. For example with AWS, <strong>Bedrock<\/strong> you have the following instrumentation:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/docs.aws.amazon.com\/bedrock\/latest\/userguide\/logging-using-cloudtrail.html\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>CloudTrail<\/strong> management\/data events<\/a> for <em>InvokeModel \/ Converse \/ ConverseStream<\/em> and <strong>Agents<\/strong> (<em>InvokeAgent<\/em>). 
Great for identity, model IDs, and cross-region anomalies.<\/li>\n\n\n\n<li><a href=\"https:\/\/docs.aws.amazon.com\/bedrock\/latest\/userguide\/monitoring-agents-cw-metrics.html\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>CloudWatch<\/strong> <strong>Agents<\/strong> metrics<\/a>: invocations, token counts, time-to-first-token (TTFT), throttles, client\/server errors\u2014perfect for guardrail block rates and cost\/abuse outliers.<\/li>\n\n\n\n<li><a href=\"https:\/\/docs.aws.amazon.com\/bedrock\/latest\/userguide\/model-invocation-logging.html\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Invocation logging<\/strong> (inputs\/outputs) to CloudWatch Logs\/S3<\/a>\u2014critical for forensics and red-team prompts (with careful PII governance).<\/li>\n<\/ul>\n\n\n\n<p>Sumo Logic ships a <a href=\"https:\/\/help.sumologic.com\/docs\/integrations\/amazon-aws\/amazon-bedrock\/\" target=\"_blank\" rel=\"noreferrer noopener\">Bedrock app that stitches CloudTrail + CloudWatch + invocation logs into dashboards and queries out of the box<\/a>.<\/p>\n\n\n\n<p>Regardless of the model, you don\u2019t need a heavy, proprietary stack to monitor GenAI usage. OpenAI-style APIs already return the telemetry you care about (latency, errors, token counts, moderation results). If your devs roll their own AI features, instrument the SDK calls. For example, wrap your SDK calls with a small Python \u201cagent,\u201d emit structured events, and forward them to any SIEM\/observability platform you use. The telemetry commonly includes call rate, error rate, input and output token counts, and (optionally) sampled prompts\/responses. Forward JSON events to your SIEM via an HTTPS collector. 
(OpenTelemetry\u2019s emerging GenAI semantic conventions can standardize these fields if you want trace\/span context, but it\u2019s optional.)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"detect-unauthorized-agents\">Detect unauthorized agents<\/h3>\n\n\n\n<p>Agents (those autonomous AI doers) love to chat with APIs. Use log patterns to flag unusual behaviors, like unexpected API keys or geolocations. Tie this to MITRE ATLAS by alerting on tactics like &#8220;ML Supply Chain Compromise&#8221; \u2013 e.g., logs showing downloads from shady model hubs. On the endpoint\/CLI\/proxy, capture shell history and egress DNS\/HTTP to catch unsanctioned calls to public LLMs or agent backends (e.g., <code>api.openai.com, api.anthropic.com, *.hf.space, *.perplexity.ai, *.deepseek.com<\/code>).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"mcp-model-context-protocol-audit\">MCP (Model Context Protocol) audit<\/h3>\n\n\n\n<p><a href=\"https:\/\/www.sumologic.com\/blog\/mcp-vs-mcp2\">MCP<\/a> standardizes how LLM apps connect to <strong>tools<\/strong>, <strong>resources<\/strong>, and <strong>prompts<\/strong> over JSON-RPC. That\u2019s gold for auditing: <code>log tools\/list, tools\/call, resources\/read, prompts\/get<\/code>, user approvals, and correlation IDs across client\/server. The latest spec explicitly calls out logging, capability negotiation, and security considerations\u2014use them.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-shadow-ait-looks-like-in-telemetry-three-real-world-patterns\">What shadow AIT looks like in telemetry: three real-world patterns<\/h2>\n\n\n\n<p>It\u2019s important to highlight here that the line between shadow AIT and insider threats can get blurry pretty quickly. Sometimes employees are innovating with AI and are unaware of potential security risks, or perhaps they fall victim to malicious actors using AI. 
These patterns and detections can help your team, regardless of the intent behind the patterns.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"pattern-one-prompt-to-tool-pivot-owasp-llm07-llm08-atlas-prompt-injection\">Pattern one \u2014 Prompt-to-Tool Pivot (OWASP LLM07\/LLM08; ATLAS: prompt injection)<\/h3>\n\n\n\n<p>A benign-looking prompt causes the agent to call high-risk tools (e.g., read secrets, execute actions). You\u2019ll see a normal chat request immediately followed by sensitive <code>tools\/call<\/code> or Bedrock <strong>Agent<\/strong> actions.<\/p>\n\n\n\n<p><strong>What to log and alert on<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/modelcontextprotocol.io\/docs\/learn\/server-concepts\" target=\"_blank\" rel=\"noreferrer noopener\">MCP<\/a> <code>tools\/call<\/code> to sensitive tools (secrets, prod APIs) without matching business context or user approval flag<br><\/li>\n\n\n\n<li><a href=\"https:\/\/www.sumologic.com\/blog\/defenders-guide-to-aws-bedrock\">Bedrock<\/a> <strong>InvokeAgent<\/strong> spikes or new <strong>action groups<\/strong> creation by \u201cfirst-seen\u201d identities (UEBA).<br><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"pattern-two-cost-dos-via-token-flood-owasp-llm04-atlas-resource-exhaustion\">Pattern two \u2014 Cost\/DoS via Token Flood (OWASP LLM04; ATLAS: resource exhaustion)<\/h3>\n\n\n\n<p>A tampered prompt or loop causes runaway tokens or repeated retries.<\/p>\n\n\n\n<p><strong>What to log and alert on<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/docs.aws.amazon.com\/bedrock\/latest\/userguide\/monitoring-agents-cw-metrics.html\" target=\"_blank\" rel=\"noreferrer noopener\">CloudWatch <strong>InputTokenCount\/OutputTokenCount<\/strong> outliers<\/a> per identity\/model; rising <strong>InvocationThrottles<\/strong>.<br><\/li>\n\n\n\n<li>Invocation logging showing expanding context windows (sudden 4\u00d7 input 
size).<br><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"pattern-three-unsanctioned-genai-usage-shadow-ait-classic\">Pattern three \u2014 Unsanctioned GenAI usage (Shadow AIT \u201cclassic\u201d)<\/h3>\n\n\n\n<p>Endpoints talk to consumer AI APIs from corporate networks, then copy\/paste results into enterprise systems.<\/p>\n\n\n\n<p><strong>What to log and alert on<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Egress\/DNS for known LLM domains by identities not in an <strong>allowlist<\/strong>; keyboard macros\/copy buffers appear in helpdesk investigations. Industry surveys show teams often lack visibility into what AI services are running\u2014your logs fix that.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"sumo-logic-style-detections-you-can-drop-in\">Sumo Logic-style detections you can drop in<\/h2>\n\n\n\n<p><strong>Bedrock API usage by new identities (Recon\/Enumeration) \u2192 ATLAS TA0002; OWASP LLM10<\/strong><\/p>\n\n\n\n<p>This <a href=\"https:\/\/www.sumologic.com\/solutions\/cloud-siem\">Cloud SIEM<\/a> First Seen Rule, <a href=\"https:\/\/www.sumologic.com\/blog\/defenders-guide-to-aws-bedrock\">adapted from our Bedrock defender guidance<\/a>, will trigger when a new user is observed using certain Bedrock API calls in your AWS environment.<\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"623\" src=\"https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-rise-of-shadow-1-1024x623.png\" alt=\"\" class=\"wp-image-51289\" title=\"\" srcset=\"https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-rise-of-shadow-1-1024x623.png 1024w, https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-rise-of-shadow-1-300x183.png 300w, https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-rise-of-shadow-1-768x468.png 768w, https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-rise-of-shadow-1-1536x935.png 1536w, 
https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-rise-of-shadow-1-575x350.png 575w, https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-rise-of-shadow-1.png 1892w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<p><strong>Cross-region InvokeModel from long-lived keys (Account Misuse) \u2192 ATLAS Initial Access; OWASP LLM10<\/strong><\/p>\n\n\n\n<p>This search query will identify potential reuse of access keys to instantiate Bedrock resources in more than one region:<\/p>\n\n\n\n<code>_sourceCategory=aws\/observability\/cloudtrail\/logs<br>| json \"eventName\",\"userIdentity.accessKeyId\",\"awsRegion\",\"userIdentity.type\" as en, key, region, utype<br>| where en=\"InvokeModel\" and utype in (\"IAMUser\",\"AssumedRole\")<br>| timeslice 1h<br>| count as c by key, region, _timeslice<br>| count_distinct(region) as regions by key, _timeslice<br>| where regions > 2<br><\/code>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Guardrail\/Trace anomalies on Bedrock Agents (OWASP LLM06, LLM04)<\/strong><\/p>\n\n\n\n<p>The following query checks for unusual rates of errors or throttling activity from Bedrock Agents, indicating potential misuse of agents:<\/p>\n\n\n\n<code>_sourceCategory=aws\/observability\/cloudwatch\/metrics<br>(metric=ModelInvocationClientErrors or metric=ModelInvocationServerErrors or metric=InvocationThrottles)<br>| quantize to 5m<br>| sum by metric, agentAliasArn, modelId, account, region<br>| outlier window=1d threshold=3 \/\/ flag unusual error\/throttle bursts<br><\/code>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Shadow AIT egress (unsanctioned LLM endpoints)<\/strong><\/p>\n\n\n\n<p>The following query will search proxy and firewall logs for connections to unsanctioned LLM endpoints. 
 If desired, create a lookup table of users allowed to connect to these endpoints and add the lookup table path:<\/p>\n\n\n\n<code>(_sourceCategory=proxy OR _sourceCategory=fw)<br>| parse regex field=url \"(?i)https?:\/\/(?&lt;host>[^\/]+)\"<br>\/\/ \"in\" compares exact strings only, so wildcard domains are tested with \"matches\"<br>| where host in (\"api.openai.com\",\"api.anthropic.com\") or host matches \"*.hf.space\" or host matches \"*.perplexity.ai\" or host matches \"*.deepseek.com\"<br>| lookup user as u1 from path:\/\/{path_to_lookup_table} on user=user<br>| where isNull(u1)<br>| count by user, host, src_ip<br><\/code>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>MCP audit: high-risk tool calls without approval (OWASP LLM07\/LLM08)<\/strong><\/p>\n\n\n\n<p>Assuming you emit app logs like the following:<\/p>\n\n\n\n<code>{<br>\u00a0\u00a0\"ts\":\"2025-08-20T15:01:12Z\",<br>\u00a0\u00a0\"event\":\"mcp.tools.call\",<br>\u00a0\u00a0\"session_id\":\"s-9a2f\",<br>\u00a0\u00a0\"client_id\":\"webapp-01\",<br>\u00a0\u00a0\"server_uri\":\"secrets:\/\/v1\",<br>\u00a0\u00a0\"tool\":\"secrets.read\",<br>\u00a0\u00a0\"inputs\":{\"path\":\"prod\/db\/password\"},<br>\u00a0\u00a0\"approved\":\"false\",<br>\u00a0\u00a0\"user\":\"dba_alice\"<br>}<br><\/code>\n\n\n\n<p><\/p>\n\n\n\n<p>Query:<\/p>\n\n\n\n<code>_sourceCategory=app\/mcp<br>| json \"event\",\"tool\",\"approved\",\"user\",\"server_uri\" as evt,tool,ok,u,server nodrop<br>| where evt=\"mcp.tools.call\" and tool matches \/(secrets|prod|delete|exec)\/ and ok=\"false\"<br>| count by u, tool, server<br><\/code>\n\n\n\n<p><\/p>\n\n\n\n<p>(Backed by MCP\u2019s JSON-RPC spec and server concepts; instrument <code>tools\/list, tools\/call, resources\/read, prompts\/get<\/code>, and user approvals.)&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"chatgpt-monitoring-case-study\">ChatGPT monitoring case study<\/h2>\n\n\n\n<p>One of Sumo Logic\u2019s strengths is its versatility. While we offer turnkey apps and detections, the real value comes from how customers extend the platform. 
To illustrate, I asked Bill Milligan, one of our lead professional services engineers, to share a recent project where he helped a customer monitor their use of OpenAI\u2019s ChatGPT\u2014end-to-end, from log ingestion to actionable insights.<\/p>\n\n\n\n<p>The customer\u2019s challenge: Can Sumo Logic track ChatGPT prompt exchanges to identify potential insider threats, or even early signs of mental health concerns that could potentially lead to workplace violence, based on conversation context?<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"step-one-data-ingest\">Step one &#8211; Data ingest<\/h3>\n\n\n\n<p>Enterprise customers of OpenAI can use the ChatGPT Compliance API to access detailed logs and metadata, including user inputs, system messages, outputs, uploaded files, and GPT configuration data. However, there\u2019s currently no pre-built cloud-to-cloud connector or catalog app for this feed (yet!).<\/p>\n\n\n\n<p>Bill solved this using Sumo Logic&#8217;s Universal API Collector, which can ingest any data source with an API endpoint. 
The collector also supports JPath, letting you extract specific JSON fields (e.g., $.user.id, $.message.text) and map them directly into searchable fields in Sumo.<\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"539\" height=\"322\" src=\"https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-shadow-ait-image1.png\" alt=\"\" class=\"wp-image-52200\" title=\"\" srcset=\"https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-shadow-ait-image1.png 539w, https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-shadow-ait-image1-300x179.png 300w\" sizes=\"auto, (max-width: 539px) 100vw, 539px\" \/><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"step-two-building-a-simple-parser\">Step two &#8211; Building a simple parser<\/h3>\n\n\n\n<p>Once the data was flowing in successfully from the OpenAI API, Bill turned to Sumo Logic&#8217;s powerful built-in parsing language. It allows customers to identify timestamps, assign metadata values like product and vendor, and slice and transform the messages in various ways. 
Fortunately, parsers can be developed and tested directly in the UI with historical data, making iteration fast and visible.<\/p>\n\n\n\n<p>The \u201cparser\u201d parses raw logs as they are forwarded to Cloud SIEM, extracting fields of interest along with the vendor, product, and event id.<\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"569\" height=\"469\" src=\"https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-shadow-ait-image3.png\" alt=\"\" class=\"wp-image-52208\" title=\"\" srcset=\"https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-shadow-ait-image3.png 569w, https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-shadow-ait-image3-300x247.png 300w\" sizes=\"auto, (max-width: 569px) 100vw, 569px\" \/><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"step-three-mapping-to-our-schema-or-data-model\">Step three &#8211; Mapping to our schema or data model<\/h3>\n\n\n\n<p><br>Parsing and mapping are distinct steps in Sumo Logic. After parsing, Bill created a custom mapper to align fields with Sumo\u2019s data model. He also concatenated multiple prompt\/response pairs into a single conversation field (description) for easier keyword detection.&nbsp;<\/p>\n\n\n\n<p>Pro-tip: by default, a Sumo Logic tenant restricts log messages to 64kb. 
Because these conversations can get quite large, requesting that limit be increased to 256kb did the trick to avoid unnecessary truncation of logs.<\/p>\n\n\n\n<p>When a \u201clog mapper\u201d matches the vendor, product, and event id, it will map the extracted fields from the parser to a normalized record, before it is analyzed by the rules engine.<\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"833\" height=\"742\" src=\"https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-shadow-ait-image7.png\" alt=\"\" class=\"wp-image-52224\" title=\"\" srcset=\"https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-shadow-ait-image7.png 833w, https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-shadow-ait-image7-300x267.png 300w, https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-shadow-ait-image7-768x684.png 768w, https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-shadow-ait-image7-575x512.png 575w\" sizes=\"auto, (max-width: 833px) 100vw, 833px\" \/><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"818\" height=\"764\" src=\"https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-shadow-ait-image2.png\" alt=\"\" class=\"wp-image-52204\" title=\"\" srcset=\"https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-shadow-ait-image2.png 818w, https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-shadow-ait-image2-300x280.png 300w, https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-shadow-ait-image2-768x717.png 768w, https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-shadow-ait-image2-575x537.png 575w\" sizes=\"auto, (max-width: 818px) 100vw, 818px\" \/><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"step-four-writing-a-custom-rule\">Step four &#8211; Writing a custom rule<\/h3>\n\n\n\n<p><br>Finally, Bill implemented a custom match rule to monitor 
for sensitive keywords. Rules are scoped to entities (users) to reduce noise and tuned with MITRE tags for context. Following best practices, rules are first deployed in prototype mode before going live. This allows the rules to fire against any entity (users in this case), without blowing up the alert triage that security analysts are monitoring.<\/p>\n\n\n\n<p>This is an example of a rule expression for a \u201cmatch\u201d rule, one of the six powerful rule types that may be written in Cloud SIEM.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"514\" height=\"443\" src=\"https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-shadow-ait-image4.png\" alt=\"\" class=\"wp-image-52212\" title=\"\" srcset=\"https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-shadow-ait-image4.png 514w, https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-shadow-ait-image4-300x259.png 300w\" sizes=\"auto, (max-width: 514px) 100vw, 514px\" \/><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<p>By adding MITRE tags to his custom rule, Bill ensured that when it fired, the resulting signals carried meaningful context. 
Because Sumo Logic automatically ties signals and behaviors back to individual entities, this rule could combine with others to elevate a user\u2019s activity into a high-fidelity, actionable alert.<\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"508\" height=\"679\" src=\"https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-shadow-ait-image6.png\" alt=\"\" class=\"wp-image-52220\" title=\"\" srcset=\"https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-shadow-ait-image6.png 508w, https:\/\/www.sumologic.com\/wp-content\/uploads\/blog-shadow-ait-image6-224x300.png 224w\" sizes=\"auto, (max-width: 508px) 100vw, 508px\" \/><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<p>Although the workflow may look complex at first glance, breaking it down into clear steps makes it very straightforward to ingest custom log sources and tackle even the most advanced use cases.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"bottom-line\">Bottom line<\/h2>\n\n\n\n<p>The average org now runs a surprising number of gen-AI apps, many unsanctioned. Expect more of this, not less. Shadow IT and its edgier cousin, shadow AI: the sneaky underbelly where teams deploy unvetted tools (or free AI chats) without a whisper to IT, risking leaks and biases galore.&nbsp;<\/p>\n\n\n\n<p>Solution? Your logs are the snitch: monitor network flows and app usage in Sumo Logic dashboards to unearth shadows early. Educate, don&#8217;t dictate\u2014turn rogues into allies with governed AI sandboxes. Need some direction? Use cloud proxy\/CASB logs to enumerate AI usage, apply AI TRiSM-style governance, and create SIEM detections for risky combinations (e.g., sensitive data classes \u2192 unsanctioned AI domains; sudden spikes in agent tool calls). 
This is less about blocking all AI and more about replacing the unknown with the observable and governed.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.sumologic.com\/blog\/ai-security-policies\">Learn more about how to write an AI security policy.<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div><\/section>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":78,"featured_media":51377,"template":"","meta":{"_acf_changed":false,"show_custom_date":false,"custom_date":"","featured":false,"featured_image":0,"learn_more_label":"","image_alt_text":"","learn_more_type":"","show_popup":false,"learn_more_link_file":0,"event_date":false,"event_start_date":"","event_end_date":"","place_holder_image_url":"","post_reading_time":"9","notification_enabled":false,"notification_text":"","notification_logo":"","notification_expiration_time":0,"is_enable_transparent_header":false,"selected_taxonomy_terms":{"blog-category":[127],"blog-tag":[],"translation_priority":[221]},"selected_primary_terms":{"blog-category":[]},"learn_more_link":[],"featured_page_list":[],"notification_enabled_post_list":[],"_gspb_post_css":"","_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"4668,71369,71176","_relevanssi_noindex_reason":"","inline_featured_image":false,"footnotes":""},"blog-category":[127],"blog-tag":[],"class_list":["post-51282","blog","type-blog","status-publish","has-post-thumbnail","hentry","blog-category-secops-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog\/51282","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/www.sumologic.com\/wp-jso
n\/wp\/v2\/types\/blog"}],"author":[{"embeddable":true,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/users\/78"}],"version-history":[{"count":31,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog\/51282\/revisions"}],"predecessor-version":[{"id":69853,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog\/51282\/revisions\/69853"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/media\/51377"}],"wp:attachment":[{"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/media?parent=51282"}],"wp:term":[{"taxonomy":"blog-category","embeddable":true,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog-category?post=51282"},{"taxonomy":"blog-tag","embeddable":true,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog-tag?post=51282"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}