Across state and local government, AI governance has followed a straightforward assumption: if the device is managed, the AI usage is governed. It's a reasonable starting point but it leaves a gap. An employee on a managed laptop can open ChatGPT, sign in with a personal Gmail, and start working with sensitive information in a session that never touches a corporate identity. The device is governed. The AI session isn't.

For IT security and compliance teams, this is one of the hardest gaps to close. Traditional identity and access tools weren't built to see what account an employee is signed into inside a browser tab. And without that visibility, there's no way to enforce that AI usage stays tied to the organization's identity perimeter, the same perimeter every other governance policy relies on.

Darwin's Shadow Account Enforcement closes that gap. Darwin now captures the signed-in email for every AI session on supported tools and gives compliance teams the visibility and enforcement to ensure AI usage on managed devices is always tied to a verified organizational identity.

The AI Navigator's Tool Drawer—every user's signed-in email is visible at a glance, with shadow accounts flagged directly in the list.

Visibility Into Every Signed-In Identity

Shadow Account Enforcement makes the signed-in email a first-class attribute of every AI session Darwin governs. In Records Explorer, a new Signed-in Email field appears on every record, filterable to show only sessions where the account doesn't match your organization's domain, instantly surfacing personal account activity across your entire fleet.

The same visibility carries through the platform. In the AI Navigator, each supported tool's drawer now includes a dedicated Shadow Usage tab showing the email used in every session, so investigating a specific tool shows exactly which identity was used and when. In the Risk Center, personal account sessions matching your enforcement rule appear as alerts with full session context, ready for investigation and response.

A Policy Rule Built for Verified Identity

At the heart of Shadow Account Enforcement is a dedicated policy rule—Usage with a Non-Organizational Account—available under Policy Hub → AI Access Control. When active, the rule detects any AI session where the signed-in email doesn't match your organization's domain and enforces the response you choose:

  • Block the session entirely
  • Alert compliance teams for review
  • Warn the user in the moment
  • Allow the user to request access when blocked

Enforcement scope is yours to define. The rule applies to all tools in the classification you target, or you can exclude specific tools where personal account usage is deliberately permitted. Either way, enforcement runs consistently across every session, without depending on manual review or ad hoc exceptions.

Coverage Across the AI Tools Employees Actually Use

Shadow Account Enforcement works across the AI tools your workforce is already using: ChatGPT, Claude, Gemini, Microsoft Copilot, Microsoft 365 Copilot Cloud, Grammarly, Perplexity AI, Grok, and Qwen. The same signed-in identity check applies uniformly, whether an employee is drafting a memo in Copilot or running research in Perplexity.

That consistency matters. A governance policy is only as strong as the tools it can enforce across, and Shadow Account Enforcement extends the identity perimeter to where AI work is actually happening.Built for the Way IT and Compliance Teams Actually Work

State and local government agencies are being asked to demonstrate that every AI interaction is tied to a verified, accountable identity, not just that the device is managed. Darwin's Shadow Account Enforcement gives IT security, AI governance, and compliance teams the visibility and enforcement to make that demonstrable, at scale, across the tools employees use every day.

Ready to close the personal account gap? Book a demo or reach out to your Darwin AI contact to get a walkthrough.

Interested in Learning More?