Shadow AI Discovery — detect unknown models, providers, IP anomalies

2026-03-23

security

What We Built

Shadow AI discovery with 4 alert types: new_model (first-seen), unknown_provider, new_ip, usage_anomaly. 7-day learning period for baseline collection. Escalating severity (info→warning→critical based on IP count).
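A sketch of the learning-then-detect flow described above, as an added example and not the project's own code. The provider allow-list, the IP-count thresholds, the severities given to new_model and unknown_provider, and the record fields are assumptions; usage_anomaly is left out.

```python
from datetime import datetime, timedelta

LEARNING_PERIOD = timedelta(days=7)              # from the ship log
KNOWN_PROVIDERS = {"provider-a", "provider-b"}   # assumed allow-list
WARN_IPS, CRIT_IPS = 2, 4                        # assumed escalation thresholds


class ShadowAIDetector:
    def __init__(self, start):
        self.learning_until = start + LEARNING_PERIOD
        self.models, self.baseline_ips, self.new_ips = set(), set(), set()

    def observe(self, ts, provider, model, ip):
        """Return (alert_type, severity, subject) tuples for one request."""
        if ts < self.learning_until:             # baseline collection: no alerts
            self.models.add((provider, model))
            self.baseline_ips.add(ip)
            return []
        alerts = []
        if provider not in KNOWN_PROVIDERS:
            alerts.append(("unknown_provider", "warning", provider))
        if (provider, model) not in self.models:
            self.models.add((provider, model))   # first-seen: alert once
            alerts.append(("new_model", "info", model))
        if ip not in self.baseline_ips | self.new_ips:
            self.new_ips.add(ip)
            n = len(self.new_ips)                # severity escalates with IP count
            sev = "critical" if n >= CRIT_IPS else "warning" if n >= WARN_IPS else "info"
            alerts.append(("new_ip", sev, ip))
        return alerts


def run_sample():
    """Replay constructed records: (day offset, provider, model, source IP)."""
    t0 = datetime(2026, 3, 1)
    det = ShadowAIDetector(t0)
    records = [
        (0, "provider-a", "model-a", "192.0.2.5"),    # learning
        (3, "provider-b", "model-b", "192.0.2.5"),    # learning
        (8, "provider-a", "model-a", "192.0.2.5"),    # matches baseline
        (8, "provider-a", "model-c", "192.0.2.9"),
        (9, "provider-x", "model-x", "192.0.2.10"),
        (9, "provider-a", "model-a", "192.0.2.11"),
        (10, "provider-a", "model-a", "192.0.2.12"),
    ]
    out = []
    for day, provider, model, ip in records:
        out += det.observe(t0 + timedelta(days=day), provider, model, ip)
    return out
```
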

Lockstep Checklist

  • [x] API: 3 endpoints at /v1/security/shadow-ai/
  • [x] Tests: 13 tests for learning, detection, IP escalation, alert access
  • [x] Docs: Ship log