A leadership-only field checklist for finding out what your team is actually doing with AI—the unsanctioned tools, the data walking out the door, and the quiet non-adoption killing your official rollout. Work through it discreetly. The goal is a picture and a plan, not a witch hunt.
Ground rule: announce a no-blame amnesty window before you start asking questions. People tell the truth about shadow tools exactly once—when honesty is safe. Burn that, and every future audit is fiction.
Phase 1 — Discovery (What's Actually in Use)
Check
Done
Findings
Pull the network/DNS logs (or ask IT) for traffic to consumer AI domains over the last 90 days
☐
Inventory browser extensions and installed apps on company machines for AI tools
☐
Check expense reports and credit-card statements for AI subscriptions
☐
Interview one person per department: “What do you use AI for? What would you use it for if you could?”
☐
List every sanctioned AI tool and who is licensed vs. who actually logs in
☐
Phase 2 — Exposure (What Data Is Leaving)
Check
Done
Findings
Identify whether customer drawings, CAD, or specs have been pasted/uploaded into consumer tools
☐
Identify whether pricing, cost sheets, or customer lists have been used in prompts
☐
Check whether any AI accounts in use train on submitted data (consumer vs. business tier)
☐
Review NDAs and customer flow-downs for clauses AI use could already be violating
☐
Flag any export-controlled or regulated data (ITAR/EAR, HIPAA, etc.) in the exposure paths above