Three signs your small team has approved-tool, unapproved-capability shadow AI. Plus the 60-minute audit that catches it
You approved Notion for the team last year. You did not separately approve Notion AI agents reading from every page anyone on the team has access to. You approved Slack. You did not separately approve Slack AI summarising channels that contain client conversations. You approved Microsoft 365. You did not separately approve Copilot Studio letting any team member with the right licence build an agent against the tenant data. Three signs that your 1-10 person team has this kind of shadow AI, and a 60-minute audit that catches it without buying new tools.
Holding · reviewed 24 May 2026 · next review +23d
The enterprise version of this problem is at AM-168, which covers the structural shift from vendor discovery (the 2024 shadow-AI problem) to intra-vendor capability discovery (the 2026 shadow-AI problem). The small-team version is faster to fix and harder to ignore: in a 1-10 person team nearly everyone has access to nearly everything, so the data an auto-enabled capability can reach per person is disproportionately large.
Why this is the 2026 shadow-AI problem for small teams
A 2024 small-team shadow-AI problem was an engineer using ChatGPT on a personal account to debug client code, or a marketer pasting a contract into a personal Claude window. The fix was a one-page AI-use policy and a sanctioned-tool list.
A 2026 small-team shadow-AI problem is different. The team is using the sanctioned tools (Notion, Slack, Microsoft 365) exactly as intended. The vendors have added agentic capabilities inside those tools. Those capabilities reach the data the tools already contain, which for a small team is the company’s working memory. The team did not separately authorise this; the vendor changed the product.
The discovery instrument the team had (the sanctioned-tool list) does not find this class of shadow AI because the tool is on the list. The thing that is new is the capability inside the tool, not the tool itself.
The three signs
Sign 1: SaaS bill line items the founder does not remember approving. The most common appearances in 2026 small-team bills: Notion AI add-on, Slack AI add-on, Microsoft 365 Copilot, Atlassian Intelligence, Google Workspace Gemini, Salesforce Einstein or Agentforce. Any line item with “AI”, “Agent”, “Copilot”, “Intelligence”, “Assist”, or “Einstein” in the name that the founder did not personally approve is the financial trace of an intra-vendor capability expansion the team is now paying for. The bill is the most reliable discovery surface for anything charged separately, because every separately billed capability shows up within one billing cycle. It misses capabilities bundled into an existing tier and switched on by default, which produce no line item at all; those surface only in the admin console or in what the team reports using.
Sign 2: a team member casually mentioning a new feature inside an existing tool. “I built a little agent in Notion to summarise client meetings.” “Slack AI now writes our channel summaries automatically.” “Copilot just suggested a Power Automate flow for our invoice processing.” Any of these, without a corresponding conversation about what data the new feature is reaching, is the operational trace of the same gap. The conversation that should follow the mention is: what data did it touch, do we want it to be touching that data, who else has the same capability available.
Sign 3: vendor admin console notifications or banners advertising new AI capabilities that have been auto-enabled. The top of the Notion workspace, the top of the Microsoft 365 admin centre, Slack workspace-owner notifications, Atlassian product updates: in mid-2026 vendors are advertising agent capabilities as on-by-default features in all of these places. The notification is the official trace; if the team has seen it but not acted on it, the capability is now part of the workspace whether or not the team wanted it.
Any one of the three is the trigger to run the 60-minute audit.
The 60-minute audit
Three passes, twenty minutes each. Full how-to in the FAQ.
Pass 1 (20 min): SaaS bill review. Last three months of invoices. List every AI-related line item and activation date. Common discoveries: Notion AI add-on activated six months ago and never reviewed; Slack AI bundled into the existing tier and on by default; M365 Copilot bought for one engineer’s evaluation and never disabled for the rest of the workspace.
Pass 2 (20 min): vendor admin console walk. Log in as admin to each primary SaaS tool. Find the AI/agent/intelligence section. Note what is enabled, who enabled it, the data scope, and whether per-workspace controls are available. Most vendors in 2026 expose admin controls; the granularity varies.
Pass 3 (20 min): team check-in. Ask each team member what new AI features they have used in each tool in the last 90 days, and what data those features reached. The team’s lived usage is often more revealing than the admin console because it shows what people are actually doing rather than what could be done.
Combine the three passes into a one-page inventory: per AI capability, the tool, the activation date, who is using it, the data class it reaches, and whether the team has explicitly OK’d that scope. The one-pager is the artefact. It is also the answer to the next client question about AI tool exposure.
What to do when the audit finds something the team did not OK
Two-step response.
The technical step is in the vendor’s admin console. Most of the named vendors now support per-workspace AI scope controls: disable the capability entirely, restrict it to a subset of users, or restrict it from reaching a specific data class. The exact controls vary by vendor and by tier. The disable-or-restrict decision is made against the audit inventory: capabilities reaching client data classes the team is uncomfortable with get disabled or scoped; capabilities reaching internal-only data the team is happy with stay on. Record the change and its date in the inventory, because the disclosure step needs both.
The disclosure step is a short note to affected clients: what the capability was, what data it could have processed, the date range, and the team’s current control posture. The disclosure is not legally required in most jurisdictions for most small-team scenarios, though client contracts and data-processing agreements may require notice of new processing, so check them before treating it as optional. The disclosure is the conversation that ages well. A client who learns about the gap from you, with the fix already in place, becomes a stronger account. A client who learns about it from a competitor’s pitch, a journalist’s story, or their own audit becomes a former client.
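The inventory from the three passes, the disable-or-restrict rule, and the four facts the disclosure note needs, as an added example that is not part of the original piece or of any vendor’s tooling: a small Python script that reconciles constructed sample observations from the bill review, the admin console walk and the team check-in into one inventory keyed by tool and capability, applies the rule, and flags where the passes disagree (a capability in use that the console does not list, a console entry nobody reports using, a console entry with no invoice line). The record shape, the data-class names, the CLIENT_DATA set and every sample row are assumptions for illustration, not any vendor’s export format.

```python
"""Added example: reconcile the three 60-minute-audit passes into the one-page
inventory, apply the disable-or-restrict rule and extract the disclosure facts.
Every record below is a constructed sample; field names are assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Which data classes count as client data is a team decision; assumed here.
CLIENT_DATA = {"client-conversations", "client-documents"}

@dataclass
class Observation:
    """One fact from one pass: source is 'bill', 'console' or 'team'."""
    source: str
    tool: str
    capability: str
    activated: Optional[date] = None               # bill: activation date on the invoice
    who: Optional[str] = None                      # console: who enabled it; team: who uses it
    data: Set[str] = field(default_factory=set)    # console: data scope; team: data actually touched

@dataclass
class InventoryRow:
    """One line of the one-page inventory."""
    tool: str
    capability: str
    activated: Optional[date] = None
    enabled_by: Optional[str] = None
    users: Set[str] = field(default_factory=set)
    data_reached: Set[str] = field(default_factory=set)   # console scope plus observed use
    approved_scope: Set[str] = field(default_factory=set)
    found_in: Set[str] = field(default_factory=set)       # which passes saw it

    def unapproved(self) -> Set[str]:
        return self.data_reached - self.approved_scope

    def action(self) -> str:
        """Disable-or-restrict rule: unapproved client data is disabled or scoped,
        unapproved internal-only data is reviewed, fully approved scope stays on."""
        over = self.unapproved()
        if not over:
            return "keep"
        return "disable-or-scope" if over & CLIENT_DATA else "review"

    def discovery_gap(self) -> Optional[str]:
        """Where the passes disagree, say what to check before deciding."""
        if "console" not in self.found_in:
            return "not visible in the admin console: find the right section first"
        if "team" not in self.found_in:
            return "enabled but nobody reports using it: candidate to disable"
        if "bill" not in self.found_in:
            return "no invoice line: bundled into the tier, so Pass 1 alone misses it"
        return None

Key = Tuple[str, str]

def build_inventory(obs: List[Observation], approved: Dict[Key, Set[str]]) -> Dict[Key, InventoryRow]:
    rows: Dict[Key, InventoryRow] = {}
    for o in obs:
        r = rows.setdefault((o.tool, o.capability), InventoryRow(o.tool, o.capability))
        r.found_in.add(o.source)
        r.data_reached |= o.data
        if o.source == "bill":
            r.activated = o.activated
        elif o.source == "console":
            r.enabled_by = o.who
        elif o.who:                          # team check-in: record the actual user
            r.users.add(o.who)
    for key, scope in approved.items():      # approvals only annotate what was found
        if key in rows:
            rows[key].approved_scope |= scope
    return rows

def findings(inv: Dict[Key, InventoryRow]) -> List[Key]:
    """Every capability that still needs a decision."""
    return sorted(k for k, r in inv.items() if r.action() != "keep")

def disclosure_note(r: InventoryRow, audit_date: date) -> Dict[str, str]:
    """The four facts the client note needs: capability, data, date range, posture."""
    start = r.activated.isoformat() if r.activated else "unknown (no invoice line)"
    return {"capability": f"{r.tool} / {r.capability}",
            "data_classes": ", ".join(sorted(r.unapproved() & CLIENT_DATA)),
            "date_range": f"{start} to {audit_date.isoformat()}",
            "posture": r.action()}

# Constructed sample passes for a small team (not real invoices or console output).
AUDIT_DATE = date(2026, 5, 24)
PASSES = [
    Observation("bill", "Notion", "Notion AI", activated=date(2025, 11, 20)),
    Observation("bill", "Microsoft 365", "Copilot (1 seat)", activated=date(2026, 2, 3)),
    Observation("console", "Notion", "Notion AI", who="founder", data={"client-documents", "internal-notes"}),
    Observation("console", "Slack", "Slack AI", who="vendor default", data={"client-conversations", "internal-notes"}),
    Observation("console", "Microsoft 365", "Copilot (1 seat)", who="eng-1", data={"internal-notes", "invoices"}),
    Observation("team", "Notion", "Notion AI", who="ana", data={"client-documents"}),
    Observation("team", "Slack", "Slack AI", who="ben", data={"client-conversations"}),
    Observation("team", "Microsoft 365", "Copilot (1 seat)", who="eng-1", data={"internal-notes"}),
    Observation("team", "Microsoft 365", "Power Automate flow (Copilot-suggested)", who="eng-1", data={"invoices"}),
]
APPROVED = {("Microsoft 365", "Copilot (1 seat)"): {"internal-notes", "invoices"}}

if __name__ == "__main__":
    inv = build_inventory(PASSES, APPROVED)
    for (tool, cap), r in sorted(inv.items()):
        print(f"{tool:14} {cap:40} {r.action():17} {r.discovery_gap() or ''}")
    for key in findings(inv):
        print(disclosure_note(inv[key], AUDIT_DATE))
```

With the sample data, Notion AI and Slack AI come out as disable-or-scope (both reach client data nobody OK’d), the evaluation Copilot seat is kept because its scope was approved in full, and the Copilot-suggested Power Automate flow is flagged for review with a discovery gap, since only the team check-in saw it. Slack AI also carries the no-invoice-line gap, which is the bundled-and-on-by-default case the bill review alone would never find.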
What the audit does not cover
The audit catches intra-vendor capability shadow AI, the AM-168 class. It does not catch the older class of unsanctioned-tool shadow AI (engineers using personal ChatGPT, marketers using personal Claude); the one-page AI-use policy covers that. It does not cover the credential-management layer of the AI tools the team has sanctioned; the 5-step NHI starter kit at OPS-074 covers that. It does not cover the protocol-stack decision underneath any agentic features the team is building rather than consuming; the protocol-picking piece at OPS-076 covers that.
The three pieces (the kit at OPS-074, the audit at OPS-075, the picking guide at OPS-076) compose into the small-team version of the same three problems enterprise IT runs in 2026. The order of operations for most 5-15 person teams: the NHI starter kit first (the cheapest and highest-leverage move), the shadow-AI audit second (the discovery surface), the protocol picking third (only if the team is building agentic features rather than only consuming them).
Calendar the audit for the next quiet Friday. The three twenty-minute passes are tractable for one person; the team check-in can be combined with the regular weekly stand-up if there is one. The inventory becomes a living document; the audit cadence settles into quarterly once the backlog is cleared.
OPS-075 · holding since 24 May 2026 · sibling: AM-168