AI Governance Institute

Practical Governance for Enterprise AI


Question 16 of 34

Do we have a complete AI inventory?

Published by AI Governance Institute · Practical Governance for Enterprise AI

Building and maintaining a centralized registry of every AI tool in use, including shadow AI discovered through procurement, network, and employee channels.

If you only do 3 things, do this:

  1. Don't assume only approved tools are in use. Run all three discovery methods in parallel: contract audit, employee survey with amnesty, and network monitoring.
  2. Assign a named owner to every inventoried system. An inventory without owners becomes outdated within months.
  3. Build AI inventory checks into procurement and onboarding processes so the inventory stays current without periodic campaigns.

The Situation

Who this is for: IT security, GRC, and compliance teams responsible for maintaining an AI asset inventory

When you need this: At program launch, after a shadow AI incident, or when preparing for a regulatory examination

The Decision

Do we actually know what AI tools are in use across the organization, including tools that weren't formally approved?

The Steps

  1. Work with procurement to audit all vendor contracts for AI capabilities — including features added post-signature
  2. Send an employee survey with amnesty language, explaining how to get tools approved going forward
  3. Ask IT to monitor network traffic for connections to known AI API endpoints
  4. Consolidate findings into a single inventory; reconcile against any previous lists
  5. Assign a risk tier and a named owner to every entry
  6. Add AI capability checks to procurement workflows, employee onboarding, and the annual software audit

The Artifacts

  • AI inventory master template (system, owner, vendor, use case, data processed, risk tier, last reviewed)
  • Employee AI disclosure survey template (with amnesty language)
  • Network monitoring AI endpoint list (known API domains)
  • Procurement AI capability checklist
  • Quarterly inventory review agenda template

The Output

A complete AI inventory including shadow AI, with every system assigned a risk tier and a named owner, and ongoing discovery embedded in procurement and HR workflows.

Shadow AI is the largest gap in most inventories

Shadow AI refers to AI tools used by employees without organizational approval or awareness. The prevalence of consumer AI tools with free tiers, browser extensions, and mobile applications has made shadow AI a significant and growing risk. Employees are using AI to process customer data, draft confidential communications, and analyze proprietary information in tools that have not been vetted by IT, Legal, or Risk.

You cannot govern what you do not know about. The starting point for any AI governance program is a complete inventory, which requires actively looking for shadow AI rather than assuming that only approved tools are in use.

Discovery methods

Network monitoring: Work with IT to identify traffic to known AI API endpoints. Many AI tools communicate with a small number of providers (OpenAI, Anthropic, Google, Cohere) whose API domains can be monitored. This surfaces tools that employees are accessing from work devices and networks; it does not see use on personal devices or networks you do not monitor, which is why the survey and the procurement review run alongside it rather than instead of it.

Procurement review: Audit vendor contracts and software subscriptions for AI capabilities. Many enterprise software products have added AI features that may not have been present when the contract was signed. Salesforce, Microsoft, Google Workspace, and most major platforms now include AI capabilities by default.

Employee survey: Ask employees directly what AI tools they use in their work. A well-designed survey with amnesty for past use and a clear path to get tools approved is more effective than trying to catch people after the fact. People generally want to use effective tools. Give them a legitimate channel to request approval.

Maintaining the inventory

An inventory compiled once and not maintained is worse than no inventory, because it creates false confidence. Build inventory maintenance into ongoing processes: require IT procurement to flag AI capabilities in new purchases, include AI tool disclosure in employee onboarding and annual acknowledgments, and review the inventory quarterly against network monitoring data.
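A minimal form of the network-monitoring discovery described above and the quarterly reconciliation against the inventory, as an added example rather than anything from the AI Governance Institute playbook: it matches proxy log destinations against a known AI API domain list, aggregates which users and hosts talk to each provider, and flags providers that have no inventory entry or named owner. The domain list, the inventory and the log lines are constructed sample values standing in for the playbook's own artifacts, not a vetted endpoint list.

```python
from collections import defaultdict

# Constructed stand-in for the playbook's "Network monitoring AI endpoint list":
# known API domain -> provider. Replace with the list your IT team maintains.
AI_API_DOMAINS = {
    "api.openai.com": "OpenAI",
    "api.anthropic.com": "Anthropic",
    "generativelanguage.googleapis.com": "Google",
    "api.cohere.ai": "Cohere",
}
# Constructed sample of the existing inventory: provider -> named owner.
INVENTORY = {"OpenAI": "data-platform-team"}
# Constructed proxy log sample: "<timestamp> <user> <source host> <destination host>".
PROXY_LOG = """\
2024-05-01T09:12:01 alice WS-0123 api.openai.com
2024-05-01T09:15:44 bob   WS-0456 api.anthropic.com
2024-05-01T09:16:02 bob   WS-0456 api.anthropic.com
2024-05-01T10:01:13 carol WS-0789 eu.api.cohere.ai
2024-05-01T10:05:30 dave  WS-0321 www.example.com
"""

def provider_for(host):
    """Return the provider if host equals, or is a subdomain of, a listed domain."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        provider = AI_API_DOMAINS.get(".".join(labels[i:]))
        if provider:
            return provider
    return None

def discover(log_text, inventory):
    """Aggregate AI API traffic per provider and flag providers missing from the inventory."""
    hits = defaultdict(lambda: {"requests": 0, "users": set(), "hosts": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the review
        _ts, user, src, dest = parts
        provider = provider_for(dest)
        if provider:
            hits[provider]["requests"] += 1
            hits[provider]["users"].add(user)
            hits[provider]["hosts"].add(src)
    # A provider seen on the wire but absent from the inventory is a shadow AI candidate.
    return {
        p: {"requests": s["requests"], "users": sorted(s["users"]), "hosts": sorted(s["hosts"]),
            "owner": inventory.get(p),
            "status": "inventoried" if p in inventory else "SHADOW_AI_CANDIDATE"}
        for p, s in hits.items()
    }
```

Each SHADOW_AI_CANDIDATE entry gives the governance function a user and host to follow up with, and an "inventoried" entry with an owner of None is a system that still needs one assigned.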

Assign an owner to each inventoried system and a risk classification. The owner is responsible for monitoring the system for changes, ensuring ongoing compliance with applicable policies, and notifying the governance function if the system's use case or risk profile changes.