AI Governance

How to Audit AI Usage in Your Company in 5 Steps

May 12, 2026 · 8 min

An AI audit isn't just about security — it's about understanding what's being used, what it costs, what data is being shared, and whether you have a legal basis for all of it. Here's how to run one from scratch, even without a dedicated team.

Why audit AI usage?

Most companies don't know what's happening with AI internally. Tools are adopted through individual employee initiative — without IT approval, without security assessment, without adequate contracts, and without leadership awareness.

An AI usage audit is the mandatory starting point for any governance program. Without it, any policy or process you build will have blind spots — because you don't know what you're trying to control.


Step 1: Tool inventory — know what exists

The goal is simple: discover every AI tool actively in use at the company, including unauthorized ones.

How to build the inventory

Via Finance:

  • Pull all payments containing keywords: "AI," "GPT," "Copilot," "Claude," "Gemini," "artificial intelligence," "machine learning" from the last 12 months
  • Include individually expensed corporate cards — Shadow AI frequently appears there in small but cumulative per-user amounts

Via IT:

  • Analyze network access logs and DNS queries for known AI service domains
  • Check browser extensions installed on managed devices
  • Review applications installed on managed endpoints

Via direct survey:

  • Send a self-declaration form to all employees: "Which AI tools do you use at work, paid or free?"
  • Guarantee partial anonymity — people are significantly more honest when they don't fear immediate punishment

Expected output: A list of all tools with: name, estimated users, usage frequency, types of data shared, and whether a contract exists.
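The "Via IT" branch above can be started from a DNS log export. The script below is an added example for this article, not part of the original: the log format and the domain-to-tool mapping are constructed assumptions, and it produces the first three fields of the expected output (tool name, estimated users, usage frequency).

```python
"""Step 1, IT side: turn DNS query logs into a first AI-tool inventory.
Added example; the log format and AI_DOMAINS mapping are constructed
assumptions to be replaced with your resolver's export and your own list."""
from collections import defaultdict

# Assumed mapping of known AI service domains to tool names (constructed sample).
AI_DOMAINS = {
    "chat.openai.com": "ChatGPT",
    "api.openai.com": "ChatGPT",
    "claude.ai": "Claude",
    "gemini.google.com": "Gemini",
    "copilot.microsoft.com": "Copilot",
}

# Constructed sample log lines: "<timestamp> <client-id> <queried-domain>".
SAMPLE_LOG = """\
2026-05-01T09:02:11Z alice chat.openai.com
2026-05-01T09:05:40Z alice chat.openai.com
2026-05-01T10:15:02Z bob claude.ai
2026-05-01T11:00:00Z carol www.example.com
2026-05-02T08:30:12Z bob api.openai.com
2026-05-02T14:45:09Z dave gemini.google.com
2026-05-03T16:20:33Z alice claude.ai
"""

def tool_for_domain(domain):
    """Match a queried name to a known AI tool, including its subdomains."""
    d = domain.lower().rstrip(".")
    for known, tool in AI_DOMAINS.items():
        if d == known or d.endswith("." + known):
            return tool
    return None

def inventory_from_dns(log_text):
    """Return {tool: {"users": set(), "queries": int}} from raw log text."""
    inv = defaultdict(lambda: {"users": set(), "queries": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the audit
        _ts, client, domain = parts
        tool = tool_for_domain(domain)
        if tool:
            inv[tool]["users"].add(client)   # distinct clients = estimated users
            inv[tool]["queries"] += 1        # query count = usage frequency
    return dict(inv)
```

Feed it the real export and join the result with the Finance and survey lists to fill in the remaining columns (data types shared, contract status).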


Step 2: Cross-reference with contracts and payments

For each tool identified, verify:

  • Does a formal contract with the vendor exist?
  • Is there a signed Data Processing Agreement (DPA)?
  • Who authorized the purchase, and did they have authority to do so?
  • Is the contract current, or is it personal-use software being expensed?
  • What is the real total cost (including individual plans summed across multiple users)?

Output: A status table for each tool: approved with contract, in use without contract, personal use being expensed, or unknown origin.


Step 3: Shadow AI discovery via interviews

System data and financial records capture tools that leave a trace. Shadow AI frequently doesn't.

Interview protocol

  • Interview at least one representative from each department (5–15 minutes each)
  • Key questions:
    • "Do you use any AI at work that wasn't purchased by the company?"
    • "Have you ever copied client data, contracts, or internal documents into an AI tool?"
    • "What task do you use AI for that saves you the most time?"
  • Maintain a neutral, curious tone — you're learning, not investigating or threatening

Output: Identification of tools invisible to systems, and risk behaviors that need to be addressed through process rather than punishment.


Step 4: Data risk assessment by tool

For each tool discovered, classify the risk level:

Criterion         | Low Risk                                   | High Risk
------------------|--------------------------------------------|------------------------------------------
Data type         | Public or generic internal                 | Personal, financial, or sensitive data
DPA status        | Exists and is signed                       | Does not exist
Training policy   | Data explicitly not used for training      | Policy unclear or data used for training
Data residency    | Contractually defined                      | Unknown
Access control    | Centrally managed with audit trail         | Individual access without logging

Output: A risk map by tool that guides remediation prioritization — where to act first and why.
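The table above can be applied mechanically once the inventory has the needed fields. The following is an added example for this article, not the author's own tooling: the record field names and the sample tools are constructed assumptions, and the tie-break rule (sensitive data first among equal scores) is an assumption of the example, not a rule from the article.

```python
"""Step 4: score each inventoried tool against the five audit criteria.
Added example; field names and SAMPLE_TOOLS are constructed assumptions."""

# One check per row of the article's table. Each returns True when the tool
# lands in the "High Risk" column. Unknown values are treated as high risk,
# matching the table's "Unknown" entries.
HIGH_RISK_CHECKS = {
    "data_type": lambda t: t.get("data_type") not in {"public", "internal"},
    "dpa_status": lambda t: not t.get("dpa_signed", False),
    "training_policy": lambda t: t.get("training_policy") != "excluded",
    "data_residency": lambda t: not t.get("residency_defined", False),
    "access_control": lambda t: not t.get("central_access_with_audit", False),
}

def classify(tool):
    """Return the criteria on which this tool falls in the High Risk column."""
    return [name for name, is_high in HIGH_RISK_CHECKS.items() if is_high(tool)]

def risk_map(tools):
    """Rank tools for remediation: most high-risk criteria first.
    Assumed tie-break: tools exposing sensitive data come before others
    with the same score, then alphabetical order."""
    rows = [{"name": t["name"], "high_risk": classify(t)} for t in tools]
    for r in rows:
        r["score"] = len(r["high_risk"])
    rows.sort(key=lambda r: (-r["score"], "data_type" not in r["high_risk"], r["name"]))
    return rows

# Constructed sample records, one per column outcome from Steps 1 and 2.
SAMPLE_TOOLS = [
    {"name": "Approved assistant", "data_type": "internal", "dpa_signed": True,
     "training_policy": "excluded", "residency_defined": True,
     "central_access_with_audit": True},
    {"name": "Expensed chatbot", "data_type": "personal", "dpa_signed": False,
     "training_policy": "unclear", "residency_defined": False,
     "central_access_with_audit": False},
    {"name": "Team transcription app", "data_type": "financial", "dpa_signed": True,
     "training_policy": "excluded", "residency_defined": False,
     "central_access_with_audit": False},
]
```

The `high_risk` list per tool doubles as the risk metadata column of the AI-BOM in Step 5, and the sorted order is the "where to act first" list.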


Step 5: Documentation and action plan

The audit only has value if it drives change. With the data in hand:

Document formally

  • The AI-BOM (complete inventory with risk metadata per tool)
  • Existing contracts and their renewal dates
  • Compliance gaps identified and their severity levels

Prioritize actions across three horizons

  1. Immediate (0–30 days): Block high-risk tools without contracts; sign pending DPAs; communicate to users without punitive tone
  2. Short-term (30–90 days): Create a formal acceptable use policy; implement an approval process for new tools; cancel inactive licenses
  3. Medium-term (90–180 days): Train employees on the policy; establish semi-annual license reviews; create or appoint formal AI governance ownership

Present to leadership

The audit report is the document that justifies investment in AI governance. Include:

  • Number of tools discovered vs. number that were known and approved
  • Consolidated total cost vs. monitored spend
  • Risks identified with estimated financial and regulatory impact
  • Prioritized recommendations by urgency and implementation effort

Common mistakes in AI audits

Mistake 1: Focusing only on technology
An AI audit isn't just reviewing systems — it's understanding human behavior. Interviews with employees are as important as IT logs, and often reveal risks no system captures.

Mistake 2: Using an investigative tone
Communicating the audit as an "investigation into misuse" causes people to hide information. Frame it as "an initiative to improve how we use AI" — you'll get far better data.

Mistake 3: No executive sponsorship
An audit without leadership backing doesn't produce real change. Ensure at least one C-level executive is formally involved and committed to acting on the findings.

Mistake 4: Treating it as a one-time event
New tools emerge every week. An annual audit isn't sufficient — you need a continuous monitoring process with periodic structured reviews.


Frequently asked questions

How long does an AI audit take?
For companies of 50–200 employees: 2–4 weeks with one dedicated person. For larger organizations: 6–8 weeks with a small team of 2–3 people.

Do I need external consultants for this?
Not necessarily — but an external perspective helps ensure you're not normalizing risks that would be obvious to someone without organizational blind spots.

What if I find very widespread use of unapproved tools?
Don't try to ban everything at once — that creates resistance and drives Shadow AI further underground. Understand why people use those tools, and offer approved alternatives that meet the same needs with less risk.


Further reading

  • AI-BOM: The Shadow AI Inventory Your Enterprise Needs Before Governing AI
  • How to Build a Corporate AI Committee in 90 Days
  • The Hidden Costs of AI Licenses Nobody Is Tracking
