Shadow AI

Alert rules

Configure automated alerts for Shadow AI events and review alert history.

Overview

The Rules page lets you configure automated alerts for Shadow AI activity. When a rule's conditions are met, the system sends notifications so you can respond to new risks or policy violations without manually monitoring dashboards.

Rules tab

The default view displays all configured alert rules as cards. Each card shows the rule name, trigger type, threshold values, notification settings, and an active/inactive toggle.

You can enable or disable a rule at any time using the toggle switch. Disabled rules do not fire alerts but are preserved for future use.

Creating a rule

Click "Create rule" to open the creation modal. Fill in the following fields:

  1. Rule name: A descriptive name (required)
  2. Description: Optional notes about the rule's purpose
  3. Trigger type: The condition that fires the alert (see below)
  4. Configuration: Threshold or parameters specific to the trigger type
  5. Notify me: Check this to receive in-app and email notifications when the rule fires
  6. Active: Toggle whether the rule is active immediately after creation

Trigger types

Each rule monitors one type of event. The available triggers are:

New tool detected

Fires when a previously unseen AI tool appears in network traffic.

Usage threshold exceeded

Fires when a tool's cumulative event count exceeds the configured threshold.

Sensitive department usage

Fires when users from specified departments access AI tools.

Blocked tool attempt

Fires when someone attempts to access a tool with "Blocked" status.

Risk score exceeded

Fires when a tool's nightly risk score meets or exceeds the minimum threshold you set (1-100).

New user detected

Fires when a previously unseen user is observed accessing any AI tool.

Understanding usage thresholds

The usage threshold is the cumulative number of network events (API calls, page visits) recorded for a single AI tool across all users. For example, setting the threshold to 100 means the alert fires once a tool has been accessed 100 times total. Because the count is cumulative across all users, it does not decrease once the threshold has been crossed; the per-rule cooldown described below is what limits how often the rule can fire again for the same tool.

Understanding risk score triggers

The risk score (0-100) is calculated nightly using a weighted formula: approval status (40%), data and compliance policies (25%), usage volume (15%), and department sensitivity (20%). Tools that are unapproved with weak compliance posture in sensitive departments score highest.

For a detailed breakdown of how risk scores are calculated, visit the Settings page and see the "Risk score calculation" section.

Deleting a rule

Click the trash icon on a rule card to delete it. You will be asked to confirm. Deleting a rule removes the rule definition but preserves any alert history that was already generated.

Cooldowns and alert batching

To prevent alert fatigue, each rule has a configurable cooldown period and the system enforces a per-batch alert cap.

Per-rule cooldown

When you create a rule, you select a cooldown period that controls the minimum time between repeated alerts for the same trigger context (e.g., the same tool or the same user). If a rule fires for a given context, it will not fire again for that same context until the cooldown expires.

Cooldown option       Behavior
1 hour                Alert suppressed for the same context for 60 minutes after firing
6 hours               Alert suppressed for the same context for 6 hours after firing
12 hours              Alert suppressed for the same context for 12 hours after firing
24 hours (default)    Alert suppressed for the same context for 24 hours after firing

The "context" that determines deduplication depends on the trigger type: for tool-based triggers (new tool detected, usage threshold, blocked attempt, risk score exceeded), the cooldown applies per tool per rule. For sensitive department triggers, it applies per department per rule. For new user detected, it applies per user email per rule.

Per-batch alert cap

As a safety net, the system limits the number of alerts that can fire in a single ingestion batch to 50. If more than 50 alerts are triggered by a single batch of events, the excess alerts are silently dropped: they produce no notification and are not retried in a later batch. This prevents a flood of notifications from a misconfigured rule or a sudden traffic spike, but it also means that during a burst a genuine alert (for example, a blocked tool attempt) can be discarded alongside the noise, so keep trigger criteria narrow enough that one batch is unlikely to reach the cap.
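The following Python model is an added illustration of the per-rule cooldown and the per-batch cap described in this section and in "Per-rule cooldown" above. It is not VerifyWise's own code, which the guide does not show. The 24 hour default, the deduplication context per trigger type (tool, department, or user email) and the cap of 50 are taken from the guide; the trigger identifiers, the tool status names, the rule names and the three sample batches are constructed for the example.

```python
"""Toy model of the Shadow AI alert engine's cooldown and batch-cap behaviour."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

BATCH_CAP = 50  # per-batch alert cap stated in the guide


@dataclass
class Rule:
    name: str
    trigger: str  # hypothetical identifiers for the six trigger types
    cooldown: timedelta = timedelta(hours=24)  # 24 hours is the guide's default
    threshold: int = 0  # usage count or minimum risk score, depending on trigger
    departments: frozenset = frozenset()  # used by "sensitive_department"
    active: bool = True


@dataclass
class Event:
    ts: datetime
    tool: str
    user: str
    department: str
    tool_status: str = "Unreviewed"  # "Blocked" is the status the blocked-tool rule looks for
    risk_score: int = 0


@dataclass
class AlertEngine:
    rules: list
    seen_tools: set = field(default_factory=set)
    seen_users: set = field(default_factory=set)
    usage: dict = field(default_factory=dict)       # tool -> cumulative event count
    last_fired: dict = field(default_factory=dict)  # (rule name, context) -> last fire time
    history: list = field(default_factory=list)     # what the alert history tab would show

    @staticmethod
    def _context(rule, ev):
        # Deduplication key per the guide: department, user email, or tool.
        if rule.trigger == "sensitive_department":
            return ev.department
        if rule.trigger == "new_user":
            return ev.user
        return ev.tool

    def _matches(self, rule, ev, is_new_tool, is_new_user):
        t = rule.trigger
        if t == "new_tool":
            return is_new_tool
        if t == "usage_threshold":
            return self.usage[ev.tool] > rule.threshold
        if t == "sensitive_department":
            return ev.department in rule.departments
        if t == "blocked_tool":
            return ev.tool_status == "Blocked"
        if t == "risk_score":
            return ev.risk_score >= rule.threshold
        if t == "new_user":
            return is_new_user
        raise ValueError(f"unknown trigger type: {t}")

    def process_batch(self, events):
        """Evaluate one ingestion batch; return (alerts fired, alerts dropped by the cap)."""
        fired, dropped = [], 0
        for ev in events:
            is_new_tool = ev.tool not in self.seen_tools
            is_new_user = ev.user not in self.seen_users
            self.seen_tools.add(ev.tool)
            self.seen_users.add(ev.user)
            self.usage[ev.tool] = self.usage.get(ev.tool, 0) + 1
            for rule in self.rules:
                if not rule.active or not self._matches(rule, ev, is_new_tool, is_new_user):
                    continue
                key = (rule.name, self._context(rule, ev))
                last = self.last_fired.get(key)
                if last is not None and ev.ts - last < rule.cooldown:
                    continue  # suppressed: same context, cooldown not yet expired
                if len(fired) >= BATCH_CAP:
                    dropped += 1  # cap reached: dropped silently, no history entry
                    continue
                self.last_fired[key] = ev.ts
                alert = (rule.name, rule.trigger, key[1], ev.ts)
                fired.append(alert)
                self.history.append(alert)
        return fired, dropped


def demo():
    """Constructed scenario: cooldown suppression, re-firing after expiry, and the cap."""
    t0 = datetime(2025, 1, 1, 9, 0)
    engine = AlertEngine(rules=[
        Rule("New tool", "new_tool"),
        Rule("Blocked attempt", "blocked_tool", cooldown=timedelta(hours=1)),
        Rule("Finance usage", "sensitive_department", cooldown=timedelta(hours=6),
             departments=frozenset({"Finance"})),
        Rule("Heavy usage", "usage_threshold", threshold=3),
    ])
    batch1 = [
        Event(t0, "chatgpt", "alice", "Engineering"),
        Event(t0 + timedelta(minutes=1), "chatgpt", "bob", "Finance"),
        Event(t0 + timedelta(minutes=2), "chatgpt", "carol", "Finance"),  # Finance cooling down
        Event(t0 + timedelta(minutes=3), "claude", "dave", "Engineering", "Blocked"),
        Event(t0 + timedelta(minutes=4), "claude", "dave", "Engineering", "Blocked"),  # cooling
        Event(t0 + timedelta(minutes=5), "chatgpt", "alice", "Engineering"),  # 4th event: > 3
        Event(t0 + timedelta(minutes=6), "chatgpt", "bob", "Engineering"),  # still > 3, 24 h
    ]
    fired1, dropped1 = engine.process_batch(batch1)
    batch2 = [
        Event(t0 + timedelta(hours=2), "claude", "dave", "Engineering", "Blocked"),  # 1 h expired
        Event(t0 + timedelta(hours=2), "chatgpt", "bob", "Finance"),  # 6 h and 24 h have not
    ]
    fired2, dropped2 = engine.process_batch(batch2)
    batch3 = [Event(t0 + timedelta(hours=3), f"tool-{i}", "eve", "Engineering") for i in range(60)]
    fired3, dropped3 = engine.process_batch(batch3)
    return {
        "batch1": [a[0] for a in fired1], "dropped1": dropped1,
        "batch2": [a[0] for a in fired2], "dropped2": dropped2,
        "batch3": len(fired3), "dropped3": dropped3,
        "history": len(engine.history),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the three behaviours in order: in the first batch the second Finance event and the second blocked attempt are suppressed by their rules' cooldowns while the fourth chatgpt event crosses the usage threshold; two hours later only the blocked-tool rule (1 hour cooldown) fires again; and a batch of 60 new tools produces exactly 50 alerts with the remaining 10 dropped and absent from the history.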

Reducing noise

If you are receiving too many alerts, increase the cooldown period on the affected rule or narrow the trigger criteria (e.g., raise the usage threshold or limit sensitive departments to fewer entries). The per-batch cap only discards overflow; it does not change how often a rule matches, so tune the cooldown and criteria rather than relying on the cap.

Alert history tab

Switch to the "Alert history" tab to view a chronological log of all triggered alerts. The table shows:

  • Rule: Name of the rule that fired
  • Trigger: The trigger type that caused the alert
  • Fired at: Timestamp of when the alert was triggered

Click column headers to sort. The table supports pagination for large alert volumes.

Alert rules - Shadow AI - VerifyWise User Guide