How to audit your company's AI tools, a practical guide

Most organisations don't know what AI tools their employees are using. Shadow AI, employees using personal AI accounts for work tasks, is pervasive. A 2026 estimate suggests nearly 90% of logins to generative AI tools are made with personal accounts, invisible to organisational identity systems. An AI audit surfaces what's actually happening, what risks exist, and what needs governance attention.

Step 1, Discovery

IT inventory review. Check approved software lists, SaaS subscriptions, API integrations, browser extensions. Look for AI vendor names: OpenAI, Anthropic, Google (Gemini/Vertex), Microsoft (Copilot), Jasper, Copy.ai, Midjourney, Eleven Labs, and others.

Network traffic analysis. Review DNS logs or proxy logs for AI vendor domains (api.openai.com, api.anthropic.com, gemini.google.com, etc.). This reveals usage that doesn't appear in IT procurement records.

Employee survey. Ask employees what AI tools they use for work, what data they input, and what they use the outputs for. Anonymous surveys typically produce more honest results. Frame it positively: the goal is understanding, not punishment.

Procurement review. Check purchasing records, expense reports, and credit card statements for AI subscriptions. Individual employee subscriptions are often invisible to IT but visible in finance.

Vendor audit. For known AI vendors, request usage reports showing volume, users, and feature usage. Enterprise-tier tools typically provide admin dashboards; consumer-tier tools may not.

Step 2, Classification

For each discovered AI tool, classify: what data goes in (public, internal, client, regulated); what comes out (drafts, decisions, customer-facing content); what tier (consumer, business, enterprise); what risk level (low for brainstorming, medium for internal drafting, high for client-facing or regulated use).

Step 3, Gap analysis

Compare discovered use against your AI policy (if you have one). Common gaps: employees using consumer-tier tools with client data; AI tools used in regulated processes without compliance assessment; no DPA in place with AI vendors processing personal data; AI outputs used in client deliverables without disclosure; AI vendor sub-processors (foundation model providers) not assessed.
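Steps 2 and 3 together, as an added example that is not part of the original guide: each discovered tool is recorded with the classification attributes from Step 2 (data in, output use, tier), given a risk level by the guide's rule (high for client-facing or regulated use, medium for internal drafting, low otherwise), and then run through the five common gaps listed above as explicit checks. The inventory entries are constructed, and the AITool field names are this example's own assumptions about how an audit record might be structured.

```python
"""Classify discovered AI tools and run the audit's gap checks (constructed example, not the guide's code)."""
from dataclasses import dataclass


@dataclass
class AITool:
    name: str
    tier: str                  # "consumer" | "business" | "enterprise"
    data_in: frozenset         # subset of {"public", "internal", "client", "regulated"}
    output_use: str            # "drafts" | "decisions" | "customer_facing"
    regulated_process: bool = False
    compliance_assessed: bool = False
    personal_data: bool = False
    dpa_in_place: bool = False
    in_client_deliverables: bool = False
    disclosed_to_client: bool = False
    subprocessors_assessed: bool = False


def risk_level(tool):
    """Risk tier per the guide: high for client-facing or regulated use,
    medium for internal drafting, low for brainstorming on public data."""
    if (tool.output_use == "customer_facing" or tool.regulated_process
            or tool.data_in & {"client", "regulated"}):
        return "high"
    if "internal" in tool.data_in:
        return "medium"
    return "low"


# One check per common gap named in the guide: (id, predicate, description).
GAP_CHECKS = [
    ("consumer_tier_client_data",
     lambda t: t.tier == "consumer" and "client" in t.data_in,
     "consumer-tier tool used with client data"),
    ("regulated_without_assessment",
     lambda t: t.regulated_process and not t.compliance_assessed,
     "used in a regulated process without compliance assessment"),
    ("no_dpa_personal_data",
     lambda t: t.personal_data and not t.dpa_in_place,
     "personal data processed with no DPA in place"),
    ("undisclosed_in_deliverables",
     lambda t: t.in_client_deliverables and not t.disclosed_to_client,
     "AI output used in client deliverables without disclosure"),
    ("subprocessors_unassessed",
     lambda t: not t.subprocessors_assessed,
     "vendor sub-processors (foundation model providers) not assessed"),
]


def gap_analysis(tools):
    """One row per (tool, gap) with the tool's risk level, highest risk first."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = []
    for t in tools:
        for gap_id, check, desc in GAP_CHECKS:
            if check(t):
                rows.append({"tool": t.name, "risk": risk_level(t), "gap": gap_id, "detail": desc})
    rows.sort(key=lambda r: (order[r["risk"]], r["tool"], r["gap"]))
    return rows


def tools_without_gaps(tools, rows):
    """Names of tools with no open gap: the candidates for an 'approve' decision in Step 4."""
    gapped = {r["tool"] for r in rows}
    return sorted(t.name for t in tools if t.name not in gapped)


# Constructed inventory, as it might come out of Step 1.
INVENTORY = [
    AITool("Personal ChatGPT account", "consumer", frozenset({"client", "internal"}), "drafts",
           personal_data=True, in_client_deliverables=True),
    AITool("Enterprise Copilot", "enterprise", frozenset({"internal"}), "drafts",
           dpa_in_place=True, subprocessors_assessed=True),
    AITool("Brainstorming assistant", "consumer", frozenset({"public"}), "drafts",
           subprocessors_assessed=True),
    AITool("Claims triage model", "business", frozenset({"regulated"}), "decisions",
           regulated_process=True, compliance_assessed=False,
           dpa_in_place=True, subprocessors_assessed=True),
]


if __name__ == "__main__":
    rows = gap_analysis(INVENTORY)
    for r in rows:
        print(f"[{r['risk']:6}] {r['tool']:26} {r['detail']}")
    print("no gaps:", ", ".join(tools_without_gaps(INVENTORY, rows)))
```

The output is the raw material for the Step 4 decisions: every row needs an approve, migrate, or prohibit outcome with an owner, and the tools with no gaps are the easy approvals.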

Step 4, Remediation

For each gap: approve, migrate, or prohibit the AI tool. Approve: the tool is appropriate for the use case with current data handling. Migrate: move users from consumer-tier to enterprise-tier, or from an inappropriate tool to an approved alternative. Prohibit: the tool cannot be used for this purpose with this data. Document decisions and communicate to affected employees.

Step 5, Governance establishment

The audit is a point-in-time exercise. Ongoing governance requires: an approved AI tools list with data handling rules; an AI tool request process for new tools; periodic re-audit (quarterly for high-risk environments, annually for others); staff training on AI policy and approved tools.

What to document

The audit produces a report covering: AI tools inventory with classification; gap analysis against policy and regulatory requirements; remediation actions with owners and timelines; governance recommendations. This documentation has value beyond the audit: it demonstrates due diligence to regulators, insurers, and clients who ask about AI governance.

Primary sources: NIST AI RMF · ISO/IEC 42001
