Analyzing Egress Traffic Patterns
Finding shadow AI isn't about buying another tool. It's about using the data you already have. Start with your cloud provider's network logs, which are the ground truth for what's leaving your environment. In AWS, this means getting comfortable with VPC Flow Logs. You're looking for sustained connections from your compute instances or developer environments to the API endpoints of common LLM providers.
Don't just look for api.openai.com. You need a list that includes Anthropic, Google Gemini, Cohere, and others. The key is to correlate traffic spikes with specific resources. A single developer machine making a few calls is one thing; a production-role-assumed EC2 instance sending thousands of requests per hour is a P0 incident in the making. Your CNAPP from Wiz or Prisma Cloud might flag the outbound traffic, but it won't tell you the context: who's doing it and what data is in the payload.
Here’s a practical Amazon Athena query you can run against your VPC Flow Logs (assuming they're partitioned by date) to hunt for this traffic. This example targets the OpenAI API endpoint IP range, but you should expand this list significantly.
SELECT "start", "srcaddr", "dstaddr", "action", "protocol"
FROM "vpc_flow_logs"
WHERE dstaddr LIKE '104.18.33.0/24' -- Example IP range for a known AI service AND action = 'ACCEPT' AND "date" = '2024/05/20' -- Target the specific date LIMIT 100; Auditing Repository and CI/CD Integrations
Interactive chats are only half the problem. The more insidious leaks happen via developer tools and CI/CD integrations. For instance, a developer might link a personal Copilot account to a corporate GitLab repository, granting the AI read-access to proprietary code. Worse, they might check in a script with hardcoded API keys for a side project that uses an unsanctioned AI service.
Regularly scanning your code repositories for secrets is non-negotiable. Don't rely on developers to do the right thing; enforce it with pre-commit hooks and pipeline checks. Tools like truffleHog or git-secrets are a good start. Focus your searches on common key patterns, like OpenAI's sk- prefix or the formats used by other major providers.
Your search isn't just for keys. It's a hunt for configurations pointing to shadow LLMs. Look for Python scripts importing openai or anthropic libraries, Terraform files provisioning resources that call out to these services, or shell scripts in your CI/CD pipelines that curl these endpoints. These are the threads that, when pulled, unravel a hidden web of unmanaged AI usage.
Triage and Contain the Blast Radius Immediately

When you confirm a secret,like an IAM access key or a database password,has been pasted into a shadow LLM, you must assume it's public. The clock starts now. Your goal is to contain the potential damage as quickly as possible without taking down production systems. This is where most incident response plans fall apart; they’re too slow and too manual.
The first move is immediate containment. Don't waste time figuring out the full scope. Isolate the compromised credential. If it's an IAM user or role, your fastest, safest bet is to apply a restrictive, temporary policy that blocks all actions.
The 'Deny All' Failsafe Policy
This policy acts as an emergency brake. It attaches a blanket Deny statement to the compromised identity, overriding any Allow permissions it may have. The beauty of an explicit Deny in IAM is that it always wins. This instantly neutralizes the credential, preventing any further unauthorized access.
Here’s the policy JSON. It’s simple, effective, and should be part of your standard incident response toolkit.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "*", "Resource": "*" } ]
}
Applying this will likely break whatever application or service was using the credential. That's the point. It's better to have a controlled, temporary outage you can manage than an uncontrolled, ongoing breach. This action forces the issue and gets the attention of the asset owner, which is critical for the next step in the remediation workflow.
Automated Secret Rotation: The Mandated Next Step
Containment buys you time, but the real fix is rotating the compromised secret. Doing this manually under pressure is a recipe for disaster. You forget a service, apply the wrong key, and suddenly your core application is down during peak hours. This process must be automated.
A complete rotation involves a precise sequence of events:
- Deactivate the Leaked Key: Use a command like
aws iam update-access-key --access-key-id <LEAKED_KEY_ID> --status Inactive. This prevents the key from being used for new sessions but doesn't invalidate existing ones immediately. - Generate a New Key: Create a replacement using
aws iam create-access-key --user-name <USER_NAME>. - Update Your Secret Store: Securely place the new key and secret into your central secret manager (e.g., AWS Secrets Manager, HashiCorp Vault).
- Trigger Application Updates: This is the hardest part. You need to force all services that depend on this secret to pull the new version. This might involve restarting pods in Kubernetes, redeploying Lambda functions, or cycling EC2 instances.
- Delete the Old Key: Once you've validated that all services are using the new key, permanently delete the old one with
aws iam delete-access-key.
Build Proactive Guardrails That Don't Kill Productivity

Containment and remediation fix the immediate problem. Proactive guardrails prevent it from happening again. Simply banning all AI tools is futile; developers will find workarounds. The smarter approach is to establish sanctioned pathways for AI usage and build technical controls that enforce them.
According to research from Withum AI, 57% of employees actively hide their AI usage. This highlights the futility of prohibition-only policies. Instead, the goal should be channeling this activity through controlled, observable systems.
Implementing an Egress Filtering Strategy with IaC
Use your infrastructure's software-defined nature to your advantage. Implement strict egress filtering that, by default, blocks traffic to all known public LLM endpoints. Then, create explicit allow-rules for a sanctioned AI gateway. This gateway could be a corporate-managed instance of a model via Azure OpenAI or Amazon Bedrock, or a proxy that inspects and sanitizes prompts before forwarding them to an external service.
Here’s a conceptual Terraform example using AWS Network Firewall to enforce this. This rule group denies traffic to common AI sites while allowing traffic to your approved internal gateway.
resource "aws_networkfirewall_rule_group" "managed_ai_access" { name = "SanctionedAIAccessControl" capacity = 150 type = "STATEFUL" rule_group { rules_source { stateful_rule { action = "DROP" header { protocol = "TLS" source = "ANY" source_port = "ANY" direction = "FORWARD" destination = "ANY" destination_port = "443" } rule_option { keyword = "tls.sni" settings = [ "chat.openai.com", "claude.ai", "gemini.google.com" ] } } stateful_rule { action = "PASS" header { protocol = "TLS" source = "ANY" source_port = "ANY" direction = "FORWARD" destination = "ANY" destination_port = "443" } rule_option { keyword = "tls.sni" settings = ["internal-ai-gateway.yourcompany.com"] } } } }
}
This approach aligns perfectly with the NIST Zero Trust Architecture, which mandates that you inspect and log all traffic, regardless of its origin. You're not trusting the network; you're verifying every request.
Enforcing Policy with Service Control Policies (SCPs)
For even broader protection, use AWS Organizations Service Control Policies (SCPs). SCPs are guardrails that apply to every account in your organization, including the root user. You can use them to prevent the creation of risky configurations in the first place.
For example, you could deploy an SCP that denies the ability to create IAM users with long-lived access keys, forcing everyone to use IAM roles and temporary credentials. Or you could block certain AWS regions where you don't have monitoring coverage. This proactively shrinks your attack surface and limits the potential blast radius of a future leak. It’s a powerful, top-down control that moves your posture from reactive to preventive.
From Alert Noise to Actionable AI Security Remediation
The rise of shadow AI is compounding the biggest problem in cloud security today: alert fatigue. Traditional tools are already flooding security teams with low-context alerts. As noted by Aman Patel on Medium, traditional DLP and SIEM tools are often blind to these AI interactions, and even when they see them, the alerts lack the business context to be actionable.
The OWASP Top 10 for Large Language Models outlines new threat vectors like prompt injection and insecure plugin design that most scanners aren't equipped to understand. This is why alerts for "unauthorized outbound connection" are often ignored; they're indistinguishable from thousands of other benign events. The risk is significant; research shows that among 500 security practitioners, three-quarters reported at least one prompt-injection incident, a clear sign that these aren't theoretical threats.
A more effective approach prioritizes alerts based on validated risk. An alert about a dev sandbox connecting to an LLM is a low priority. An alert about a production database's IAM role connecting to that same LLM is a critical incident. Tamnoon applies this logic automatically, ingesting alerts from your existing tools and enriching them with business context, asset criticality, and identity information. Instead of just forwarding an alert, the platform generates a production-safe remediation plan. This plan is vetted by human experts to ensure it won't cause unintended downtime, bridging the gap between security needs and operational stability.
Check out how Tamnoon helps orchestrate complex fixes for issues like shadow LLMs without breaking your production environment.
Tamnoon helps security teams remediate cloud risks faster with AI-augmented managed services — combining human expertise with automation so nothing falls through the cracks.
Learn more at tamnoon.io
