Shadow AI Discovery: Detect Unmanaged AI Agents and MCP Servers

OpenA2A Team
#shadow-ai #agent-discovery #mcp-servers #governance #enterprise-security

Your developers are running AI agents right now. You don't know which ones, what they can access, or whether any of them are governed.

That's not a hypothetical. That's the default state of most engineering organizations in 2026.

Shadow IT has been a governance problem for decades. A shadow SaaS tool stores documents somewhere unapproved — annoying, auditable, fixable. A shadow AI agent is a different category of problem. It has access to source code, API credentials, and database connections. It operates with delegated authority to read, write, and execute on the developer's behalf. It inherits whatever credentials are in the shell environment. And it leaves no login event, no OAuth token, no SAML assertion that your existing tools can see.

The difference matters more than most security teams realize.

Traditional shadow IT is discoverable. SSO logs catch new SaaS logins. CASB tools flag unknown OAuth grants. Endpoint agents report installed software. Shadow AI runs as a local process, configured through dotfiles. Claude Code, Cursor, Windsurf — installed with a single command, running with full filesystem access, invisible to every monitoring tool you have. There is no login page. There is no network traffic your SIEM recognizes. The agent exists only as a process and a set of config files.

We built opena2a detect to answer the question those tools can't: what AI is actually running in this project, and is any of it governed?


What it finds

opena2a detect is a local-first discovery tool. One command, no account required, runs in under a second.

It scans for three things:

Running AI agents

Detects 20+ tools from the process list: Claude Code, Cursor, GitHub Copilot, Windsurf, Aider, Continue, Cline, Amazon Q, Tabnine, Ollama, and more. For each one, it reports whether governance rules are in place.

MCP servers

Discovers server configurations across Claude Code, Cursor, Windsurf, Cline, and VS Code extensions. Describes each server's capabilities in plain language — “Can run commands on your computer”, “Can access payment systems”, “Can read and modify databases” — because most developers who install an MCP server don't fully know what they've granted.

AI config files

Scans for .cursorrules, CLAUDE.md, .copilot, .windsurfrules, LangChain configs, and other AI tool configurations. Flags configs that contain credential references or grant broad permissions.

Everything rolls up into a governance score from 0 to 100, with a recovery path: “Governance: 45/100 → 100/100 by addressing 2 findings.” Every finding explains what it is, why it matters, and the exact command to fix it.
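As an added illustration (not opena2a's code), here is a small scanner over the `mcpServers` block that MCP clients such as Claude Code and Cursor read from their config files; it reports the plain-language capability and the credential flag described above for each server. The config file names, the keyword heuristics and the sample config are assumptions of this example, not the tool's actual rules.

```javascript
// Added example (not opena2a-cli's own code): a minimal scanner for the
// `mcpServers` block used by MCP client configs such as Claude Code's
// `.mcp.json` and Cursor's `.cursor/mcp.json`. The file names, the keyword
// heuristics and the sample config are this example's assumptions, not the
// tool's rules. Per server it yields a plain-language capability and a flag
// when the config itself carries a credential.

// Keyword -> capability, matched against the server name, command and args.
const CAPABILITIES = [
  [/shell|bash|exec|terminal/i, "Can run commands on your computer"],
  [/postgres|mysql|sqlite|mongo|database/i, "Can read and modify databases"],
  [/stripe|paypal|payment/i, "Can access payment systems"],
  [/filesystem/i, "Can read and modify files on disk"],
];
// Env keys that conventionally hold secrets; URLs with inline user:password.
const SECRET_KEY = /token|secret|password|passwd|api[_-]?key|private[_-]?key/i;
const URL_CREDS = /^[a-z][a-z0-9+.-]*:\/\/[^/\s:@]+:[^@\s]+@/i;
// A ${VAR} or $VAR reference is fine; a literal under a secret key is not.
const ENV_REF = /^\$\{?[A-Z_][A-Z0-9_]*\}?$/;

function describeServer(name, spec) {
  const haystack = [name, spec.command, ...(spec.args ?? [])].join(" ");
  const capabilities = CAPABILITIES.filter(([re]) => re.test(haystack)).map(([, text]) => text);
  const credentialRefs = [];
  for (const [key, value] of Object.entries(spec.env ?? {})) {
    if (SECRET_KEY.test(key) && typeof value === "string" && !ENV_REF.test(value)) {
      credentialRefs.push(`literal secret in env ${key}`);
    }
  }
  for (const arg of spec.args ?? []) {
    if (URL_CREDS.test(arg)) credentialRefs.push("credentials embedded in connection string");
  }
  return {
    name,
    capabilities: capabilities.length ? capabilities : ["Unknown capability, review manually"],
    credentialRefs,
  };
}

function scanMcpConfig(config) {
  return Object.entries(config.mcpServers ?? {}).map(([name, spec]) => describeServer(name, spec));
}

// Constructed sample in the mcpServers layout; package names are illustrative.
const SAMPLE_CONFIG = {
  mcpServers: {
    filesystem: { command: "npx", args: ["-y", "@modelcontextprotocol/server-filesystem", "/home/dev/repo"] },
    db: { command: "npx", args: ["-y", "example-postgres-mcp", "postgresql://app:hunter2@db.internal/prod"] },
    stripe: { command: "npx", args: ["-y", "example-stripe-mcp"], env: { STRIPE_SECRET_KEY: "sk_live_EXAMPLE" } },
    shell: { command: "uvx", args: ["example-shell-mcp"], env: { GITHUB_TOKEN: "${GITHUB_TOKEN}" } },
  },
};

for (const result of scanMcpConfig(SAMPLE_CONFIG)) console.log(result);
```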

npx opena2a-cli detect

From discovery to governed

Discovery is step one. Once you know what's running, the path forward is straightforward:

# Step 1: See what's running
$ npx opena2a-cli detect
Governance: 45/100 -> 100/100 by addressing 2 findings

# Step 2: Register a project identity
$ npx opena2a-cli identity create --name my-project
Identity created: aim_KYln0LNiDMoHfPTz

# Step 3: Add governance rules
$ npx opena2a-cli harden-soul
Governance written to: SOUL.md -- 72 controls covered

# Step 4: Verify
$ npx opena2a-cli detect
Governance: 100/100 -- fully governed

For MCP servers specifically, opena2a mcp handles identity:

$ opena2a mcp sign filesystem    # cryptographic identity
$ opena2a mcp verify filesystem  # verify later
$ opena2a mcp audit              # trust scores from the registry

Each signed server gets an Ed25519 keypair stored in .opena2a/mcp-identities/. The detect command cross-references discovered servers against signed identities — so you can see at a glance which servers are verified and which are running unsigned.


For security teams and CISOs

If you're running this across an engineering org rather than a single project, there are three use cases that matter:

Asset inventory for auditors

SOC 2 Type II auditors ask about automated tools with access to production data. ISO 27001 requires asset inventories that include software agents. Run opena2a detect --export-csv assets.csv across developer workstations and you get a structured inventory with hostname, username, timestamp, and every AI tool discovered — machine-readable, version-controllable, diffable over time.

Executive reporting

Run opena2a detect --report to generate a self-contained HTML dashboard with governance scores, plain-language findings, MCP server capabilities, and remediation commands. Send it to your CISO or attach it to an audit response.

CI/CD monitoring

Add opena2a detect --ci --format json to your pipeline. Monitor for new ungoverned agents appearing in project configs between deploys. Pair with opena2a review for a full 6-phase security assessment that includes shadow AI as one of the dimensions.

Here's what the JSON output looks like from a real scan — structured specifically to produce audit evidence:

{
  "scanTimestamp": "2026-03-15T15:00:00.000Z",
  "summary": {
    "totalAgents": 1,
    "ungoverned": 1,
    "mcpServers": 14,
    "governanceScore": 45,
    "recoverablePoints": 55
  },
  "agents": [{
    "name": "Claude Code",
    "identityStatus": "no identity",
    "governanceStatus": "no governance",
    "risk": "high"
  }],
  "findings": [{
    "severity": "high",
    "title": "No agent identity for this project",
    "whyItMatters": "An agent identity is a cryptographic key pair that lets you track which agent did what in this project.",
    "remediation": "opena2a identity create --name my-project"
  }]
}
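As an added example (not part of opena2a-cli), here is the CI gate the monitoring step implies: it takes the detect JSON above plus a baseline report saved from the previous deploy, and fails when a new ungoverned agent appears or the governance score drops below a threshold. The baseline report and the 80-point threshold are assumptions of this example.

```javascript
// Added example, not part of opena2a-cli: a CI gate over the JSON that
// `npx opena2a-cli detect --ci --format json` emits. It compares the current
// report with a baseline report saved from the previous deploy and fails when
// a new ungoverned agent appears or the score falls below a threshold.
// Field names follow the JSON above; the threshold and baseline are assumptions.

// Names of agents the report lists as ungoverned.
function ungovernedNames(report) {
  return new Set(
    (report?.agents ?? [])
      .filter((a) => a.governanceStatus === "no governance")
      .map((a) => a.name)
  );
}

// Agents ungoverned now that were not ungoverned at the last deploy.
function newUngovernedAgents(current, baseline) {
  const before = ungovernedNames(baseline);
  return [...ungovernedNames(current)].filter((n) => !before.has(n));
}

// Decide pass/fail, collect human-readable reasons, and carry through the
// remediation commands the report already contains so the CI log says how to fix it.
function evaluateGate(current, baseline, minScore = 80) {
  const reasons = [];
  const fresh = newUngovernedAgents(current, baseline);
  if (fresh.length > 0) reasons.push(`new ungoverned agent(s): ${fresh.join(", ")}`);
  const score = current.summary?.governanceScore ?? 0;
  if (score < minScore) reasons.push(`governance score ${score} is below ${minScore}`);
  const remediation = (current.findings ?? []).map((f) => `[${f.severity}] ${f.title}: ${f.remediation}`);
  return { pass: reasons.length === 0, score, reasons, remediation };
}

// Constructed sample reports (the current one mirrors the scan shown above).
const BASELINE_REPORT = { summary: { governanceScore: 100 }, agents: [], findings: [] };
const CURRENT_REPORT = {
  summary: { totalAgents: 1, ungoverned: 1, governanceScore: 45 },
  agents: [{ name: "Claude Code", governanceStatus: "no governance", risk: "high" }],
  findings: [{ severity: "high", title: "No agent identity for this project",
               remediation: "opena2a identity create --name my-project" }],
};

const verdict = evaluateGate(CURRENT_REPORT, BASELINE_REPORT);
console.log(verdict.pass ? "governance gate passed" : "governance gate FAILED");
for (const line of [...verdict.reasons, ...verdict.remediation]) console.log("  " + line);
```

In a pipeline, load both documents with `JSON.parse(fs.readFileSync(...))` and call `process.exit(1)` when `pass` is false.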

Shadow AI isn't a future risk. It's running on your developers' machines today — inheriting their credentials, operating outside your identity perimeter, leaving no audit trail.

The path from shadow to governed starts with knowing what's there.

npx opena2a-cli detect

Apache-2.0. All source on GitHub.

Shadow AI agents should be discoverable, identifiable, and governable. opena2a.org