CASB shadow-AI detection

CASB telemetry helps Venturi detect unsanctioned or uninstrumented AI access paths without treating detected activity as request-level attribution.

Release state

This guide documents the read-only casb_shadow_ai connector implemented in the platform connector surface.

Required access

Grant read-only access to the CASB sources you use:

Scope                                           Purpose
netskope.events.readonly                        Read Netskope event rows.
zscaler.logs.readonly                           Read Zscaler log rows.
microsoft_defender_cloud_apps.alerts.readonly   Read Defender for Cloud Apps alerts.

Do not grant policy-write, quarantine, block, or remediation permissions.
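
The following added example (not Venturi's own code) audits the scopes held by each CASB credential against the table above and flags anything beyond the single read-only scope. The input mapping format, the source keys, and the sample scope `zscaler.policy.write` are constructed assumptions.

```python
# Added example: least-privilege audit for CASB connector credentials.
# Scope names come from the table above; the input format is an assumption.

READ_ONLY_SCOPES = {
    "netskope": "netskope.events.readonly",
    "zscaler": "zscaler.logs.readonly",
    "microsoft_defender_cloud_apps": "microsoft_defender_cloud_apps.alerts.readonly",
}

# Permission classes the guide says must not be granted.
FORBIDDEN_MARKERS = ("write", "quarantine", "block", "remediat")


def audit_scopes(granted):
    """Return sorted (source, severity, message) findings.

    `granted` maps a source name to the scopes present on its credential.
    """
    findings = []
    for source, scopes in granted.items():
        required = READ_ONLY_SCOPES.get(source)
        if required is None:
            findings.append((source, "error", "unknown source"))
            continue
        scopes = {s.strip().lower() for s in scopes}
        if required not in scopes:
            findings.append((source, "error", f"missing {required}"))
        # Anything beyond the one read-only scope violates least privilege.
        for extra in sorted(scopes - {required}):
            forbidden = any(m in extra for m in FORBIDDEN_MARKERS)
            severity = "error" if forbidden else "warn"
            reason = "forbidden" if forbidden else "unneeded"
            findings.append((source, severity, f"{reason} scope {extra}"))
    return sorted(findings)


# Constructed sample input, not real vendor output.
SAMPLE = {
    "netskope": ["netskope.events.readonly"],
    "zscaler": ["zscaler.logs.readonly", "zscaler.policy.write"],
    "microsoft_defender_cloud_apps": [],
}

if __name__ == "__main__":
    for source, severity, message in audit_scopes(SAMPLE):
        print(f"{severity.upper():5} {source}: {message}")
```

An empty result means every audited credential holds exactly its read-only scope.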

Setup

  1. Choose the CASB sources you want Venturi to read.
  2. Create a read-only API credential for each selected source.
  3. Store credential references in the tenant secrets flow.
  4. Set ARGMIN_CASB_SHADOW_AI_LOOKBACK_HOURS if the default 24-hour poll window is not appropriate.
  5. In Venturi, open Administration -> Connectors -> CASB shadow AI and run Test connection.

Verification

  • The connector reports at least one ready source when a configured source is reachable.
  • Shadow-AI events appear as detected-only discovery entries, not fabricated chargeback rows.
  • The Known limitations register remains accurate for detected-only pathways.

Rotation and offboarding

Rotate each CASB credential through that vendor's administration flow. Removing the connector stops new detected-only shadow-AI observations from those sources.