How to Audit Your Company's AI Tools: A Practical Step-by-Step Guide
Most organisations have more AI running in their business than anyone realises. This is the practical guide to conducting an AI tools audit — finding everything, assessing what matters, and fixing what needs fixing. No compliance team required.
Key Takeaways
The average organisation with 50-500 employees uses 15-40 AI-enabled tools — most leaders know about 5-10 of them. The audit finds the rest.
Four discovery methods find different parts of your AI footprint: software inventory review (approved tools), expense and credit card analysis (employee-purchased tools), vendor contract review (AI features in existing software), and department interviews (how people actually work).
Risk classification after discovery determines what action is needed: tools that process customer personal data get priority review, tools used in hiring or performance get immediate policy attention, tools in regulated activities get compliance assessment.
The output of a good AI audit is not a document — it is a decision: for each tool, either explicitly approve it with documented conditions, or explicitly prohibit it with documented reasons. The worst outcome is a grey zone where tools exist but no decision has been made.
A well-run AI audit for a 100-200 person company takes 3-5 days of focused effort. It does not require external consultants — it requires someone with access to financial systems, IT, and the authority to interview department heads.
"For reference only. This article does not constitute legal, regulatory, financial or professional advice. For specific guidance, please consult a qualified expert."
Why your AI footprint is larger than you think
The shadow AI problem — AI tools used by employees that have not been centrally approved or inventoried — is universal. The reasons are structural: AI capability has been added to tools that were already in use (your CRM, your email platform, your accounting software) without procurement review; employees have started using consumer AI tools like ChatGPT and Claude for work purposes on their own initiative; and business units have purchased specialised AI tools through software budgets that don't trigger IT or legal review. The result is that most organisations have a material AI footprint that no one has mapped.
The shadow AI footprint creates governance risk because unapproved tools may be processing customer personal data without appropriate protections, handling confidential business information in ways that breach supplier agreements or regulatory obligations, or introducing inaccuracies into business processes that no one is monitoring. The audit finds this footprint so that decisions can be made about it.
The four discovery methods
Software inventory review covers the tools IT knows about — software licences, SaaS subscriptions managed through IT procurement, and cloud services in the IT asset register. This finds the approved and managed AI tools. It typically covers 30-50% of the actual AI footprint.
Expense and credit card analysis covers employee-purchased tools — SaaS subscriptions paid on corporate credit cards or expense accounts, particularly low-cost monthly subscriptions in the $10-100 range that don't require purchase order approval. Search transaction data for payments to AI providers: OpenAI, Anthropic, Google (Workspace AI add-ons), Microsoft (Copilot add-ons), Notion, Otter.ai, Grammarly, Jasper, Copy.ai, and hundreds of others. This finds the self-service AI tools that employees have adopted without central approval.
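As an added example (not code from the original guide), this Python script performs the expense-analysis step over a constructed expense export: it matches merchant strings against the AI providers named above and keeps charges in the $10-100 no-purchase-order band, grouped by department. The column names, merchant patterns and sample rows are assumptions to adapt to your own expense system.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export from an expense system (not real data).
SAMPLE_EXPORT = """date,employee,department,merchant,amount
2024-03-01,a.chen,Marketing,OPENAI *CHATGPT SUBSCR,20.00
2024-03-02,b.ortiz,Sales,Grammarly Premium,12.00
2024-03-03,c.ng,Engineering,AWS EMEA,342.17
2024-03-04,a.chen,Marketing,Jasper AI,49.00
2024-03-05,d.roy,HR,Otter.ai Pro,16.99
2024-03-06,e.kim,Finance,Anthropic PBC,20.00
2024-03-07,c.ng,Engineering,NOTION LABS INC,10.00
2024-03-08,f.lee,Sales,Uber Trip,23.50
"""

# Merchant-string patterns for the AI providers the guide names (assumed
# descriptor formats; extend with whatever appears on your own statements).
AI_VENDOR_PATTERNS = {
    "OpenAI": re.compile(r"openai|chatgpt", re.I),
    "Anthropic": re.compile(r"anthropic|claude", re.I),
    "Grammarly": re.compile(r"grammarly", re.I),
    "Jasper": re.compile(r"jasper", re.I),
    "Copy.ai": re.compile(r"copy\.?ai", re.I),
    "Otter.ai": re.compile(r"otter\.?ai", re.I),
    "Notion": re.compile(r"notion", re.I),
}


def classify_merchant(merchant: str):
    """Return the matching AI vendor name, or None for a non-AI merchant."""
    for vendor, pattern in AI_VENDOR_PATTERNS.items():
        if pattern.search(merchant):
            return vendor
    return None


def find_shadow_ai(csv_text: str, low: float = 10.0, high: float = 100.0):
    """Return AI-provider charges inside the self-service price band,
    keyed by department: {dept: [(employee, vendor, amount), ...]}."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        vendor = classify_merchant(row["merchant"])
        if vendor is None:
            continue
        amount = float(row["amount"])
        if not (low <= amount <= high):
            continue  # outside the no-PO band; larger charges go through procurement
        hits[row["department"]].append((row["employee"], vendor, amount))
    return dict(hits)
```

Run it against a full year of exports rather than one month, since annual subscriptions show up as a single charge above the band.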
Vendor contract review covers AI features embedded in existing software — the AI capabilities that have been added to tools already in use without separate procurement. Review the current terms of service or customer agreements for your top 20 software vendors. Look specifically for: AI features added since the original contract, data processing terms for AI features, and any opt-in or opt-out provisions for AI processing.
Department interviews cover how people actually work — the tools and practices that don't show up in financial or IT systems. Brief interviews (15-20 minutes) with department heads and senior individual contributors in each function: "Walk me through how you and your team use digital tools in a typical day. Are there any AI or automation tools you find particularly useful?" These interviews often surface the most interesting and most risky AI uses.