AIRiskAware


Practical Guide 9 min read 2026

How to Audit Your Company's AI Tools: A Practical Step-by-Step Guide

Most organisations have more AI running in their business than anyone realises. This is the practical guide to conducting an AI tools audit — finding everything, assessing what matters, and fixing what needs fixing. No compliance team required.


Key Takeaways

  • The average organisation with 50-500 employees uses 15-40 AI-enabled tools — most leaders know about 5-10 of them. The audit finds the rest.

  • Four discovery methods find different parts of your AI footprint: software inventory review (approved tools), expense and credit card analysis (employee-purchased tools), vendor contract review (AI features in existing software), and department interviews (how people actually work).

  • Risk classification after discovery determines what action is needed: tools that process customer personal data get priority review, tools used in hiring or performance get immediate policy attention, tools in regulated activities get compliance assessment.

  • The output of a good AI audit is not a document — it is a decision: for each tool, either explicitly approve it with documented conditions, or explicitly prohibit it with documented reasons. The worst outcome is a grey zone where tools exist but no decision has been made.

  • A well-run AI audit for a 100-200 person company takes 3-5 days of focused effort. It does not require external consultants — it requires someone with access to financial systems, IT, and the authority to interview department heads.

"For information purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified specialist for specific advice."

How to audit your company's AI tools — a practical guide

Most organisations don't know what AI tools their employees are using. Shadow AI — employees using personal AI accounts for work tasks — is pervasive. A 2026 estimate suggests nearly 90% of logins to generative AI tools are made with personal accounts, invisible to organisational identity systems. An AI audit surfaces what's actually happening, what risks exist, and what needs governance attention.

Step 1 — Discovery

IT inventory review. Check approved software lists, SaaS subscriptions, API integrations, browser extensions. Look for AI vendor names: OpenAI, Anthropic, Google (Gemini/Vertex), Microsoft (Copilot), Jasper, Copy.ai, Midjourney, Eleven Labs, and others.

Network traffic analysis. Review DNS logs or proxy logs for AI vendor domains (api.openai.com, api.anthropic.com, gemini.google.com, etc.). This reveals usage that doesn't appear in IT procurement records.
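The log review above is easy to automate once the proxy or DNS logs are exported. The script below is an added example, not code from the original article or from AIRiskAware: it parses a handful of constructed proxy log lines in a simplified, space-separated format (timestamp, user, method, host, bytes), matches hosts against the AI vendor domains named in the guide, and aggregates request counts and bytes per vendor and per user. The domain list, the suffix-matching rule (so that subdomains such as chat.openai.com are caught), the log format and the `APPROVED_VENDORS` set are assumptions to adapt to your own environment.

```python
import re
from collections import defaultdict

# AI vendor domains named in the guide, mapped to a vendor label.
# Suffix matching (assumed) also catches subdomains such as chat.openai.com.
AI_VENDOR_DOMAINS = {
    "openai.com": "OpenAI",
    "anthropic.com": "Anthropic",
    "gemini.google.com": "Google Gemini",
}

# Vendors the organisation has formally approved (hypothetical list).
APPROVED_VENDORS = {"Anthropic"}

# Constructed sample log lines: <epoch> <user> <method> <host> <bytes_sent>
SAMPLE_LOG = """\
1767225600.123 alice GET chat.openai.com 2048
1767225601.456 alice POST api.openai.com 15360
1767225602.789 bob POST api.anthropic.com 8192
1767225603.012 carol GET www.example.com 512
1767225604.345 carol POST gemini.google.com 4096
1767225605.678 bob POST api.openai.com 20480
this line is malformed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<user>\S+)\s+(?P<method>\S+)\s+(?P<host>\S+)\s+(?P<bytes>\d+)$"
)


def vendor_for_host(host):
    """Return the AI vendor label for a host, or None if it is not a known AI domain."""
    host = host.lower().rstrip(".")
    for domain, vendor in AI_VENDOR_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return vendor
    return None


def summarise_ai_traffic(log_text):
    """Aggregate AI vendor traffic from proxy log text.

    Returns (summary, skipped) where summary is
    {vendor: {"requests": n, "bytes": total, "users": {user: bytes}}}
    and skipped counts malformed lines so they are not silently lost.
    """
    summary = {}
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        vendor = vendor_for_host(m["host"])
        if vendor is None:
            continue  # not an AI vendor domain; ignore
        entry = summary.setdefault(
            vendor, {"requests": 0, "bytes": 0, "users": defaultdict(int)}
        )
        nbytes = int(m["bytes"])
        entry["requests"] += 1
        entry["bytes"] += nbytes
        entry["users"][m["user"]] += nbytes
    return summary, skipped


def unapproved_usage(summary):
    """List (vendor, user, bytes) for vendors outside APPROVED_VENDORS, largest first.

    Bytes sent is a rough proxy for how much data left the organisation, which is
    why the findings are ordered by it.
    """
    findings = []
    for vendor, entry in summary.items():
        if vendor in APPROVED_VENDORS:
            continue
        for user, nbytes in entry["users"].items():
            findings.append((vendor, user, nbytes))
    return sorted(findings, key=lambda f: f[2], reverse=True)


if __name__ == "__main__":
    totals, bad_lines = summarise_ai_traffic(SAMPLE_LOG)
    print(f"skipped {bad_lines} malformed line(s)")
    for vendor, user, nbytes in unapproved_usage(totals):
        print(f"{vendor:<14} {user:<8} {nbytes:>8} bytes  (not on approved list)")
```

Bytes sent is only a rough signal; a large upload to a consumer AI endpoint is worth a follow-up conversation in the employee survey, not a conclusion on its own.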

Employee survey. Ask employees what AI tools they use for work, what data they input, and what they use the outputs for. Anonymous surveys typically produce more honest results. Frame positively — the goal is understanding, not punishment.

Procurement review. Check purchasing records, expense reports, and credit card statements for AI subscriptions. Individual employee subscriptions are often invisible to IT but visible in finance.

Vendor audit. For known AI vendors, request usage reports showing volume, users, and feature usage. Enterprise-tier tools typically provide admin dashboards; consumer-tier tools may not.

Step 2 — Classification

For each discovered AI tool, classify: what data goes in (public, internal, client, regulated); what comes out (drafts, decisions, customer-facing content); what tier (consumer, business, enterprise); what risk level (low for brainstorming, medium for internal drafting, high for client-facing or regulated use).

Step 3 — Gap analysis

Compare discovered use against your AI policy (if you have one). Common gaps: employees using consumer-tier tools with client data; AI tools used in regulated processes without compliance assessment; no DPA in place with AI vendors processing personal data; AI outputs used in client deliverables without disclosure; AI vendor sub-processors (foundation model providers) not assessed.

Step 4 — Remediation

For each gap: approve, migrate, or prohibit the AI tool. Approve: the tool is appropriate for the use case with current data handling. Migrate: move users from consumer-tier to enterprise-tier, or from an inappropriate tool to an approved alternative. Prohibit: the tool cannot be used for this purpose with this data. Document decisions and communicate to affected employees.
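Steps 2 to 4 (classification, gap analysis and the approve/migrate/prohibit decision) lend themselves to a small, repeatable model so that the same rules are applied to every tool in the inventory. The code below is an added example and not code from the original article or from AIRiskAware. It encodes the guide's own criteria: risk is high for client-facing, decision-making or regulated use, medium for internal drafting, low for brainstorming on public data; the gap checks are the common gaps listed in Step 3. The `AITool` fields, the gap codes, the constructed sample inventory and the simplifying decision rule (migrate only when every gap is one that moving to an enterprise tier would close, otherwise prohibit) are assumptions for illustration.

```python
from dataclasses import dataclass, field

DATA_LEVELS = ("public", "internal", "client", "regulated")
TIERS = ("consumer", "business", "enterprise")

# Gap codes with the descriptions used in the audit report.
GAP_DESCRIPTIONS = {
    "consumer_tier": "consumer-tier tool used with client or regulated data",
    "no_compliance_assessment": "used in a regulated process without compliance assessment",
    "no_dpa": "no DPA in place with a vendor processing personal data",
    "no_disclosure": "AI outputs used in client deliverables without disclosure",
    "subprocessors_unassessed": "vendor sub-processors (foundation model providers) not assessed",
}

# Gaps that migrating users to an enterprise tier would close (assumed: enterprise
# contracts come with a DPA). Everything else needs a separate remediation.
TIER_FIXABLE = {"consumer_tier", "no_dpa"}


@dataclass
class AITool:
    """One row of the AI tools inventory (hypothetical field set)."""
    name: str
    tier: str                                   # consumer / business / enterprise
    data_in: set = field(default_factory=set)   # subset of DATA_LEVELS
    outputs: set = field(default_factory=set)   # e.g. drafts, decisions, customer_facing
    dpa_in_place: bool = False                  # data processing agreement signed
    compliance_assessed: bool = False           # assessed for regulated use
    disclosed_to_clients: bool = False          # AI use in deliverables disclosed
    subprocessors_assessed: bool = False        # foundation model provider reviewed
    enterprise_tier_available: bool = False     # can users be moved up a tier?

    def __post_init__(self):
        if self.tier not in TIERS:
            raise ValueError(f"unknown tier {self.tier!r}")
        if not self.data_in <= set(DATA_LEVELS):
            raise ValueError(f"unknown data level in {self.data_in!r}")


def classify_risk(tool):
    """Step 2: low / medium / high using the guide's criteria."""
    if tool.data_in & {"client", "regulated"} or tool.outputs & {"customer_facing", "decisions"}:
        return "high"
    if "internal" in tool.data_in or "drafts" in tool.outputs:
        return "medium"
    return "low"


def find_gaps(tool):
    """Step 3: return the gap codes that apply to this tool."""
    gaps = []
    personal = bool(tool.data_in & {"client", "regulated"})
    if tool.tier == "consumer" and personal:
        gaps.append("consumer_tier")
    if "regulated" in tool.data_in and not tool.compliance_assessed:
        gaps.append("no_compliance_assessment")
    if personal and not tool.dpa_in_place:
        gaps.append("no_dpa")
    if "customer_facing" in tool.outputs and not tool.disclosed_to_clients:
        gaps.append("no_disclosure")
    if tool.data_in - {"public"} and not tool.subprocessors_assessed:
        gaps.append("subprocessors_unassessed")
    return gaps


def decide(tool, gaps):
    """Step 4: approve, migrate or prohibit (simplified decision rule)."""
    if not gaps:
        return "approve"
    if set(gaps) <= TIER_FIXABLE and tool.enterprise_tier_available:
        return "migrate"
    return "prohibit"


def audit_tools(tools):
    """Run classification, gap analysis and decision over the inventory."""
    results = []
    for tool in tools:
        gaps = find_gaps(tool)
        results.append({
            "name": tool.name,
            "risk": classify_risk(tool),
            "gaps": gaps,
            "decision": decide(tool, gaps),
        })
    return results


# Constructed sample inventory, not real tools or findings.
SAMPLE_TOOLS = [
    AITool("Brainstorm helper", "consumer", {"public"}, set()),
    AITool("Internal drafting assistant", "business", {"internal"}, {"drafts"},
           subprocessors_assessed=True),
    AITool("Personal chatbot account", "consumer", {"internal", "client"}, {"drafts"},
           subprocessors_assessed=True, enterprise_tier_available=True),
    AITool("Claims triage model", "enterprise", {"regulated"}, {"decisions"},
           dpa_in_place=True, subprocessors_assessed=True),
]

if __name__ == "__main__":
    for row in audit_tools(SAMPLE_TOOLS):
        print(f"{row['name']:<28} risk={row['risk']:<6} decision={row['decision']}")
        for code in row["gaps"]:
            print(f"    gap: {GAP_DESCRIPTIONS[code]}")
```

The value of encoding the rules is consistency: two reviewers given the same inventory reach the same decisions, and when the policy changes the rules change in one place and the whole inventory can be re-run at the next periodic re-audit.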

Step 5 — Governance establishment

The audit is a point-in-time exercise. Ongoing governance requires: an approved AI tools list with data handling rules; an AI tool request process for new tools; periodic re-audit (quarterly for high-risk environments, annually for others); staff training on AI policy and approved tools.

What to document

The audit produces a report covering: AI tools inventory with classification; gap analysis against policy and regulatory requirements; remediation actions with owners and timelines; governance recommendations. This documentation has value beyond the audit — it demonstrates due diligence to regulators, insurers, and clients who ask about AI governance.

Primary sources: NIST AI RMF · ISO/IEC 42001

Related reading

AI Risk Register Guide · Can I Use ChatGPT with Client Data? · AI Tools Guide for Small Business