Practical AI and SaaS for Business

Shadow AI Audit Checklist: 10 Steps to Take This Quarter

A practical quarterly process for finding unapproved AI tools, assessing how they handle business data and deciding what to keep, restrict, replace or stop.

Last verified: 14 July 2026. References checked against current legislation.

Editorial Perspective

You are Morgan, an operations manager who suspects staff are using unapproved AI tools with company or customer data. The pressure is not stopping useful work, it is finding the hidden risks before they become incidents. This checklist gives you a concrete ten-step audit you can run this quarter, with clear decisions at the end. You do not need specialist technical knowledge. Start with the tools and people you already have.

This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.

If you have already accepted that unapproved AI use may be happening in your business, the next question is how to find it without turning the exercise into a technical investigation. This shadow AI audit checklist gives you a repeatable quarterly process to identify tools, understand what data they touch, make proportionate decisions and communicate the result.

In short: A useful shadow AI audit is an inventory and decision process, not a hunt for rule-breakers. Find the AI tools and features staff actually use, record the data and business purpose involved, rate the risk, then decide whether each use should be kept, replaced, restricted or stopped.

What a shadow AI audit should achieve

Shadow AI means AI tools or AI features being used for work without being formally reviewed or approved. The practical risk is not simply that an unfamiliar product exists. It is that staff may be pasting customer records into a chatbot, summarising confidential documents with a browser extension, or using an AI feature added to software that the business approved before that feature existed.

Morgan, an operations manager, may begin with a software list that shows only approved systems. After the audit, Morgan has a register showing the writing assistant used by marketing, the meeting bot connected by sales, the image generator used by a contractor and the AI features enabled inside existing office software. Each entry has an owner, a business purpose, a data category, a risk rating and a decision.

Before you start

Set a clear scope and keep the first audit manageable. Include employees, contractors, browser extensions, mobile apps, software integrations and AI features inside products you already license. Choose one person to coordinate the work, but involve IT, security, privacy, HR or legal advisers where those functions exist.

Tell staff that the purpose is visibility and safer use, not automatic punishment. People are more likely to disclose useful tools when they believe the business will assess them fairly. A simple spreadsheet or AI register is enough to begin.

The 10-step shadow AI audit checklist

1. List every software tool currently in use

Start with procurement records, expense claims, single sign-on applications, company card transactions and department software lists. Include free products and personal accounts used for work because they may not appear in purchasing data. Record the tool name, team, account owner and main business purpose.

2. Flag products that contain an AI feature

Do not limit the audit to well-known chatbots. Search product settings, release notes and admin consoles for features described as assistants, copilots, transcription, summarisation, prediction, generation, smart search or automated recommendations. An approved product can become a new risk when an AI feature is added or enabled later.

3. Ask staff what they actually use

Use a short, non-accusatory survey and follow it with team discussions. Ask which tools save time, which tasks they support, whether work data is entered and whether the output affects customers, employees or business decisions. Staff disclosure often finds tools that technical logs cannot identify, including personal subscriptions and web-based services.

4. Check browser extensions, integrations and mobile apps

Review managed browser extension lists, connected apps, marketplace integrations and mobile device inventories where your systems allow it. Pay close attention to extensions that can read page content, email, calendars, documents or customer systems. Use this as supporting evidence, not as the only discovery method, because unmanaged devices and personal accounts may remain invisible.

5. Record each use in an AI register

Create one entry for each distinct business use, even when the same tool appears more than once. A meeting assistant used for internal notes is different from the same assistant recording customer calls. Record the tool, owner, purpose, users, data entered, output produced, integrations, vendor, account type and review date.

6. Rate the risk level

Use a simple low, medium and high scale that staff can apply consistently. Consider the sensitivity of the data, whether people are affected by the output, whether the result is checked by a person, how widely the tool is used and how difficult an error would be to correct. A tool used to brainstorm internal event themes is usually lower risk than one used to screen job applicants or draft individual customer advice.

7. Check where the data goes and under what terms

Review the vendor's privacy notice, business terms, security information and account controls. Check what data is collected, where it may be stored, whether prompts or files may be used to improve models, how long data is retained, whether administrators can control sharing and what happens when an account is closed. Where the answers are unclear, record the uncertainty rather than assuming the safest outcome.

8. Decide: keep, replace, restrict or stop

Make a clear decision for every entry. Keep a tool when the business value is real and the controls are suitable. Replace it when an approved alternative can perform the same task with better terms or administration. Restrict it to certain data or teams when the risk depends on how it is used, and stop the use when the risk cannot be reduced to an acceptable level.

9. Communicate the decision and the reason

Tell the affected team what was decided, what they can do next and who can approve a new use. Avoid sending only a list of banned products. Staff need approved alternatives, examples of data that should not be entered and a simple route for requesting review. Communication is also the point where a short AI policy and basic training become useful.

10. Schedule the next quarterly review

Set the next audit date before closing the current one. Recheck the register, newly purchased software, feature changes, connected apps, staff departures and unresolved actions. Quarterly review is frequent enough to catch material changes without turning governance into a continuous administrative project.

How this aligns with recognised risk frameworks

The checklist is a planning tool, not a substitute for advice on laws that apply to a particular business. It follows the same broad logic used in recognised governance frameworks: establish responsibility, understand the context, assess risk and manage it over time.

The NIST AI Risk Management Framework organises voluntary AI risk work around Govern, Map, Measure and Manage. ISO/IEC 42001 provides a management-system approach for organisations that want a more formal structure for AI governance. Neither source turns a software inventory into automatic compliance, but both support the case for documented ownership, repeatable review and risk-based decisions.

Regulatory expectations differ by region and use case. The European Commission's AI Act overview describes a risk-based framework for AI providers and deployers, while the US Federal Trade Commission's business guidance emphasises keeping privacy and security promises and protecting sensitive information. Businesses should use the audit findings to identify where regional authorities or professional advisers need to be consulted.

Common mistakes to avoid

Looking only for standalone chatbots. AI is increasingly embedded in office suites, customer systems, design products and browser tools. Review features and integrations as well as product names.

Treating every use as equally risky. A blanket ban can drive useful activity further out of sight. Rate the actual use, data and consequence, then apply controls that match the risk.

Running the audit once. Vendors change terms, add features and alter defaults. Staff also discover new tools. A dated register without scheduled review becomes unreliable quickly.

Quarterly checklist summary

  1. List all software used for work.
  2. Flag products with AI features.
  3. Ask staff which AI tools they use.
  4. Check extensions, integrations and mobile apps.
  5. Log each use in an AI register.
  6. Rate the risk as low, medium or high.
  7. Check data handling, storage and vendor terms.
  8. Choose keep, replace, restrict or stop.
  9. Communicate the decision and approved alternative.
  10. Book the next quarterly audit.

Frequently asked questions

Methodology (Real-World, Verified)

We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Every tool is judged on one question: could a business with no dedicated IT department actually pick this up and use it on Monday morning.

Related reading: our free AI acceptable use policy template and our AI governance by region.

Free tools: AI Tool Pricing Tracker to check current pricing across the major AI platforms | AI Privacy Risk Scorer to score your current AI tool setup against data-privacy best practice.

How long should a shadow AI audit take?

A first audit for a small or medium business may take several working sessions across two to four weeks, depending on the number of teams and systems. Later quarterly reviews should be faster because the register, questions and decision method already exist.

Should employees be disciplined for using unapproved AI?

Not automatically. First establish whether the business gave clear guidance, provided suitable alternatives and explained how approval works. Deliberate misuse may need a separate HR process, but the audit itself works better when staff can disclose tools honestly.

Can IT logs find every shadow AI tool?

No. Logs can reveal managed applications, extensions and network activity, but they may miss personal devices, personal accounts and tools used outside monitored systems. Combine technical checks with staff surveys, expense reviews and team discussions.

Do we need to ban free AI tools?

No, but free accounts often provide fewer administrative, security and data controls than business plans. Assess the specific terms and use case, then decide whether the tool can be restricted, replaced with a managed version or stopped.

Find official guidance for your region

Requirements vary by jurisdiction. This article provides general information only. Consult your regional authority or a qualified professional for advice specific to your situation.

The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.

Start with the broader shadow AI guide, then use this checklist to build a repeatable review process for your business.

Read the Shadow AI Guide