Shadow AI discovery
We identify which AI tools the team already uses, how often and with what kind of data, without pointing fingers.
Shadow AI is the use of ChatGPT, Copilot or any other AI outside the company's control. We put a single entry point in front of the AI models so you know which tools are used, who uses them and what data leaves through them.
When someone on your team pastes a contract, a customer database or the source code into a free AI, that data leaves your perimeter without anyone knowing. It's rarely bad faith: the tool solves the problem faster than the official channel. The real risk isn't that AI gets used, it's that it gets used without control: leaks of confidential information, breach of the GDPR if personal data is involved, and zero traceability if something goes wrong.
An AI Gateway is the layer that sits between your team and the AI models. It filters which data can leave, decides which tools are allowed by role or department, logs every query so it can be audited later, and applies the usage policies the company defines instead of leaving it to each person's judgement. It's not about blocking AI: it's about everyone using it, but through the channel you actually control.
Article 4 of Regulation (EU) 2024/1689 (the AI Act), applicable since 2 February 2025, requires providers and deployers to ensure a sufficient level of AI literacy among their staff. A gateway with no usage policy or criteria behind it doesn't cover that obligation: we support both pieces, the technical one and the governance one. And the Spanish data protection authority (AEPD) expressly recommends not entering the organisation's confidential information or employee or customer data into uncontrolled AI tools.
If personal data passes through those tools, the data-minimisation principle of GDPR Article 5 comes into play, along with the processor agreement of Article 28 when the AI provider handles the data on your behalf, and the international-transfer safeguards if the provider is outside the EU.
We start with a shadow AI discovery: which tools the team already uses, how often and with what kind of data, without pointing fingers. On that basis we build the usage policy, the gateway configuration and the audit records needed to show, if required, what was done and why. The goal is to reduce the real risk of leaks and give you cover against the AI Act and the GDPR, not to promise a compliance no one can certify in advance.
We identify which AI tools the team already uses, how often and with what kind of data, without pointing fingers.
We define which tools are allowed by role or department and what data cannot leave through them.
We set up the single entry point to the AI models, with the sensitive-data filtering already defined in the policy.
We put in place the audit logs for every query, so you can show what was done and why if required.
The operational detail: what we deliver as part of the work and what we keep alive afterwards.
Shadow AI discovery
A map of which AI tools the team uses, how often and with what data.
AI usage policy
A document listing the tools allowed by role or department and the data that cannot leave through them.
AI Gateway configuration
Setup of the single entry point with sensitive-data filtering.
Audit logs
Traceability of every query made through the gateway.
Processor agreement review
Check of the GDPR Article 28 contracts with the AI providers that process personal data.
AI literacy briefing session
A one-off briefing for staff on permitted AI use, aligned with Article 4 of the AI Act.
The use of artificial intelligence tools —ChatGPT, Gemini, Copilot and others— by employees or departments without the company's approval or oversight, outside any internal policy.
Article 4 of the AI Act has required, since 2 February 2025, that staff using AI systems have a level of knowledge appropriate to their role and the system's risk. Most of the regulation's obligations apply from 2 August 2026, and the governance and penalty framework —coordinated in Spain by the AESIA— is being phased in from 2 August 2025. We help you build that cover in a documented way.
No. The gateway is the technical piece that enforces the policy; with no policy behind it, it just filters traffic without criteria. We work on both together.
That's the most common situation, not an exception. We start with a discovery that points no fingers, and migrate that usage to governed tools instead of banning it overnight.
If personal data of customers or employees passes through those tools, the data minimisation of Article 5 applies, along with the processor agreement of Article 28 when the AI provider handles that data on your behalf, and the international-transfer safeguards when the provider is outside the EU. The gateway helps keep those flows controlled and logged.