Survey employees, check network logs for AI tool traffic, evaluate discovered tools against your security criteria, and either approve or phase out each tool. Most employees will cooperate when approached constructively.
How to Audit AI Tools Your Employees Already Use
Shadow AI Is Everywhere
If your company has not formally adopted AI tools, your employees are probably using them anyway. Shadow AI, the use of unauthorized AI tools for work, is widespread. A 2025 survey found that over 70 percent of employees use AI tools at work, many without their employer's knowledge.
This is not necessarily malicious. People use AI because it helps them work better. But unapproved tools create data security risks that you need to address.
Step 1: Survey Your Team
Start with a non-judgmental survey. Frame it positively: we want to understand how our team uses AI so we can provide better tools and guidelines. Ask what tools they use, what tasks they use them for, and what data they enter. Make it anonymous if you want more honest responses.
Step 2: Check Network Logs
Ask IT to check network traffic (DNS, proxy, or firewall logs) for connections to known AI services, including ChatGPT, Claude, Gemini, Copilot, and others. This reveals tool usage that the survey might miss. Focus on identifying tools, not catching individuals.
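One way to run this check, as an added example that is not part of the original article: it matches proxy log hosts against a list of AI service domains and reports totals per tool, counting users without naming them. The domain list, the log format (time, user, host, bytes sent), and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed starting list: public hostnames for the services the article names.
# Extend it as the survey and later reviews surface more tools.
AI_DOMAINS = {
    "chatgpt.com": "ChatGPT",
    "openai.com": "ChatGPT",
    "claude.ai": "Claude",
    "anthropic.com": "Claude",
    "gemini.google.com": "Gemini",
    "copilot.microsoft.com": "Copilot",
}

# Constructed sample lines in an assumed proxy format: time user host bytes_sent
SAMPLE_LOG = """\
2025-03-03T09:12:01Z alice chatgpt.com 18234
2025-03-03T09:15:44Z bob api.openai.com 90211
2025-03-03T10:02:10Z alice claude.ai 4410
2025-03-03T10:05:37Z carol copilot.microsoft.com 120
2025-03-03T10:09:00Z carol intranet.example.com 5000
2025-03-03T11:30:12Z dave notchatgpt.com 777
malformed line
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def match_tool(host):
    """Return the tool name if host equals or is a subdomain of a listed domain."""
    host = host.lower().rstrip(".")
    for domain, tool in AI_DOMAINS.items():
        # Require a label boundary so look-alike hosts do not match.
        if host == domain or host.endswith("." + domain):
            return tool
    return None

def summarize(log_text):
    """Aggregate per tool; user names are only counted, never reported."""
    users = defaultdict(set)
    stats = defaultdict(lambda: {"requests": 0, "bytes_sent": 0})
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        tool = match_tool(m.group(3)) if m else None
        if tool is None:
            continue  # skip malformed lines and non-AI hosts
        users[tool].add(m.group(2))
        stats[tool]["requests"] += 1
        stats[tool]["bytes_sent"] += int(m.group(4))
    return {t: {**s, "distinct_users": len(users[t])} for t, s in stats.items()}
```

The bytes-sent total per tool is a rough indicator of how much data is being entered, which helps prioritize which tools to evaluate first in Step 3.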
Step 3: Evaluate Each Tool
For each discovered tool, assess data protection features, whether data is used for training, compliance with your industry requirements, and overall security posture. Use your standard evaluation criteria.
Step 4: Make Decisions
For each tool, decide whether to approve it with appropriate enterprise licensing, approve it with restrictions for specific data types only, or phase it out and provide an approved alternative. Communicate decisions clearly with reasoning.
Step 5: Transition
Give employees time to transition to approved tools. Provide training on the approved alternatives. Set a clear deadline after which unapproved tools must not be used for work. Make the transition as smooth as possible to avoid resistance.
Ongoing Monitoring
Shadow AI is not a one-time problem. New tools launch constantly, and employees will try them. Establish a regular check, at least quarterly, and create an easy process for employees to request evaluation of new tools.
This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.