I pointed a scanner I wrote at my own network traffic for one afternoon. It came back with eight AI services I'd never sanctioned, running quietly in the background. One of them was DeepSeek, which routes data to servers in China.

No alert fired. No DLP rule tripped. Nothing in the stack had flagged any of it — because the traffic looked exactly like what it was: ordinary HTTPS to legitimate-looking domains.

That gap — between "we have an AI policy" and "we can prove what's actually running" — is the whole problem with Shadow AI. This is how I closed part of it from logs I already had, the one matching detail most detectors get wrong, and the blind spot I won't pretend my tool doesn't have.

Why your DLP probably can't see this

The uncomfortable consensus in 2026 security circles: pattern-based DLP and CASB are structurally blind to Shadow AI. An employee pasting Q3 financials into a chatbot exposes sensitive data as a natural-language conversation over HTTPS to a legitimate host. There's no signature to match, no file to quarantine, no rule to trip.
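Because the traffic itself carries no signature, the practical handle is the one field the stack does still record: the destination hostname in proxy, CONNECT or DNS logs. The script below is an added example, not the author's scanner, and it assumes a six-field proxy access log and a hand-made catalogue of AI-service domains; the domains, the sanctioned set and the log lines are all constructed for illustration. It matches hosts against the catalogue on whole DNS labels, so a lookalike such as `notdeepseek.com` is not mistaken for `deepseek.com`, skips services the organisation has sanctioned, and totals bytes sent per unsanctioned service.

```python
from urllib.parse import urlsplit

# Illustrative catalogue of AI-service domains (constructed for this example,
# not the post author's list); keys are registrable domains, values a label.
AI_SERVICE_DOMAINS = {
    "openai.com": "OpenAI",
    "deepseek.com": "DeepSeek",
    "anthropic.com": "Anthropic",
    "claude.ai": "Anthropic",
}

# Hypothetical: services the organisation has actually sanctioned.
SANCTIONED = {"OpenAI"}

# Constructed proxy access-log lines, one connection per line:
# "<timestamp> <client_ip> <method> <target> <status> <bytes_out>"
SAMPLE_LOG = """\
2026-03-02T09:14:01Z 10.0.4.17 CONNECT api.openai.com:443 200 18422
2026-03-02T09:15:44Z 10.0.4.17 CONNECT chat.deepseek.com:443 200 9120
2026-03-02T09:16:02Z 10.0.4.23 GET https://www.example.com/ 200 512
2026-03-02T09:17:30Z 10.0.4.23 CONNECT notdeepseek.com:443 200 300
2026-03-02T09:18:11Z 10.0.4.31 CONNECT claude.ai:443 200 4403
"""


def host_from_target(target):
    """Extract the hostname from a proxy target: either 'host:port'
    (CONNECT) or a full URL (plain GET/POST through the proxy)."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.rsplit(":", 1)[0].lower()


def match_service(host, catalogue=AI_SERVICE_DOMAINS):
    """Return the catalogue label whose domain equals host or is a parent
    domain of it, comparing whole DNS labels. Substring matching would
    flag 'notdeepseek.com' for 'deepseek.com'; label matching does not."""
    labels = host.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in catalogue:
            return catalogue[candidate]
    return None


def scan(log_text, catalogue=AI_SERVICE_DOMAINS, sanctioned=SANCTIONED):
    """Scan proxy log text and return one finding per connection to an
    AI service that is in the catalogue but not sanctioned."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than crash on them
        ts, client, method, target, status, bytes_out = parts
        host = host_from_target(target)
        service = match_service(host, catalogue)
        if service is None or service in sanctioned:
            continue
        findings.append({
            "time": ts, "client": client, "host": host,
            "service": service, "bytes_out": int(bytes_out),
        })
    return findings


def summarize(findings):
    """Aggregate bytes sent per unsanctioned service, which is the figure
    you take to the policy owner."""
    totals = {}
    for f in findings:
        totals[f["service"]] = totals.get(f["service"], 0) + f["bytes_out"]
    return totals


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["client"]} -> {h["host"]} '
              f'[{h["service"]}] {h["bytes_out"]} B')
    print(summarize(hits))
```

Run against the constructed log it reports the DeepSeek and Anthropic connections and leaves the sanctioned OpenAI traffic and the lookalike domain alone. It inherits the limitation the post describes: it sees only where bytes went, never what was pasted, and an AI feature served from a general-purpose domain (a cloud provider's hostname, a SaaS product with an embedded assistant) will not appear in a hostname catalogue at all.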