This is you. Ten minutes into your AI audit. Clipboard in hand, admin console open, and the slow realization setting in that nobody — not you, not Legal, not the person who clicked “Enable” — actually knows what half of this does.
Don’t panic. That’s what the rest of this post is for.
If you read my last post about the Workday lawsuit, you probably had one of two reactions.
The first reaction: “Interesting case. Glad that’s not us.”
The second reaction: “Wait. What’s actually running in our stack?”
If you had the first reaction, I’d gently encourage you to read it again. If you had the second — good. That instinct is exactly right, and this post is for you.
The uncomfortable truth is that most small and mid-sized businesses have AI features active in their software that nobody deliberately approved. Not because anyone did anything wrong. Because these features are being added quietly, bundled into updates, tucked behind toggles in admin screens that nobody checks between quarterly reviews. Your vendors are moving fast. Your team is busy. And somewhere in the gap between those two things, decisions are being made about your customers, your employees, and your data.
The good news: finding out what’s running doesn’t require a security team, a consultant, or a budget. It requires about 30 minutes and a spreadsheet.
Here’s how to do it.
The Framework
Think of this as four short phases. Each one builds on the last. By the end, you’ll have a clear picture of where you stand — and a short list of things to act on.
Phase 1: Build Your Platform List (5 minutes)
Before you can audit anything, you need to know what you’re auditing.
Grab a blank spreadsheet and list every software platform your business pays for or actively uses. Don’t overthink it — start with the obvious categories: HR and hiring, CRM and sales, customer support, IT management, finance and accounting, productivity and collaboration. If people are logging into it regularly and it touches business data, it goes on the list.
Most SMBs end up with somewhere between 8 and 20 platforms. If your list is longer than that, you may have a separate problem worth addressing — but finish the audit first.
Phase 2: Find What’s Active (10 minutes)
For each platform on your list, log into the admin console and go looking. You’re searching for settings labeled AI, Intelligence, Automation, Assistant, Copilot, Insights, or Smart anything. Vendors love that word right now.
For each platform, note three things: what AI features exist, which ones are enabled, and which ones are actively being used. These are different categories with meaningfully different risk profiles. A feature that exists but is off is a conversation to have later. A feature that’s on but nobody’s using is worth understanding. A feature that’s on and making decisions about real people or real data right now is where your attention goes first.
If you can’t find the AI settings in the admin console, search the vendor’s help documentation or call your account rep. “What AI features are currently active in our instance?” is a completely reasonable question. If they can’t answer it clearly, that’s information too.
Phase 3: Ask the Four Questions (10 minutes)
For every AI feature you find that’s currently active, answer these four questions. They don’t require technical expertise — just honest answers.
What data does it access? AI doesn’t work without data. Find out what it’s pulling from. Is it touching employee records, customer data, financial information, support tickets? The sensitivity of the data tells you how much scrutiny this feature deserves.
Is it informational or decisional? This is the most important distinction in the whole audit. Informational AI surfaces insights, suggests options, and summarizes things — a human still makes the call. Decisional AI filters, ranks, routes, approves, or rejects — it’s making calls on its own, or close enough that the difference is academic. Decisional AI touching sensitive data is where your legal and ethical exposure lives. Flag it.
Who turned it on, and when? You’re not looking to blame anyone. You’re looking to understand whether there was a deliberate decision made by someone with the authority and context to make it — or whether it just kind of… happened. “We’re not sure” is a valid answer, and it tells you exactly what to do next.
Is this covered in your vendor agreement? Check your Data Processing Agreement with the vendor. Does it address AI features? Does it cover the data this feature is using? Agreements signed two or three years ago often predate the AI capabilities that have since been added to the platform. If there’s a gap, you need to know about it.
Phase 4: Triage (5 minutes)
Now take everything you’ve found and give each active AI feature one of three ratings.
Red means stop and review before this feature runs another cycle. Red is: decisional AI, touching sensitive data, with no clear record of who approved it or whether your vendor agreement covers it. This doesn’t necessarily mean turn it off immediately — it means someone with authority and context needs to make an actual decision about it, today.
Yellow means document and monitor. Yellow is: active, lower risk, but not something anyone consciously reviewed. These features probably aren’t creating immediate exposure, but they deserve a proper review within the next 30 days. Put it on the calendar now, or it won’t happen.
Green means you’re good. Green is: reviewed, understood, deliberately enabled, covered in your agreements. The goal of this audit is to turn everything into green or a documented decision. Not everything will get there today. That’s fine.
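As an added example that is not part of the original post: a small Python script that applies the Phase 4 ratings to a spreadsheet in the Phase 1 through 3 layout, exported as CSV. The inventory rows, platform names and approval notes are constructed for the example, and the set of "sensitive" data categories is an assumption taken from the Phase 3 list.

```python
import csv
import io

# Constructed inventory in the layout the post's spreadsheet uses; every
# platform, feature and approval note here is made up for the example.
INVENTORY_CSV = """platform,feature,enabled,in_use,data,decisional,approved_by,dpa_covers
HRIS,Resume ranking,yes,yes,employee records,yes,,no
CRM,Deal summaries,yes,yes,customer data,no,,unknown
Helpdesk,Ticket auto-routing,yes,no,support tickets,yes,IT lead 2024-03,yes
Finance,Invoice anomaly flags,yes,yes,financial information,no,CFO 2024-01,yes
Chat,Meeting summaries,no,no,,no,,
"""

# Assumed sensitive categories: the ones the post names in Phase 3.
SENSITIVE = {"employee records", "customer data", "financial information", "support tickets"}
RANK = {"red": 0, "yellow": 1, "green": 2}


def _yes(value):
    return value.strip().lower() == "yes"


def triage(row):
    """Rate one feature with the post's Phase 4 rules; features that are
    off are left unrated (a conversation for later, not an exposure)."""
    if not _yes(row["enabled"]):
        return "off"
    decisional = _yes(row["decisional"])
    sensitive = row["data"].strip().lower() in SENSITIVE
    approved = bool(row["approved_by"].strip())   # a named approver and date
    covered = _yes(row["dpa_covers"])             # "unknown" counts as a gap
    if decisional and sensitive and not (approved and covered):
        return "red"
    if approved and covered:
        return "green"
    return "yellow"


def audit(csv_text):
    """Map (platform, feature) to its rating for every row in the sheet."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {(r["platform"], r["feature"]): triage(r) for r in rows}


def worklist(csv_text):
    """Active features in the order the post says to spend attention:
    reds first, and within a colour the ones people are actually using."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text)) if _yes(r["enabled"])]
    rows.sort(key=lambda r: (RANK[triage(r)], not _yes(r["in_use"])))
    return [(r["platform"], r["feature"], triage(r)) for r in rows]
```

Running `worklist(INVENTORY_CSV)` on the sample puts the unapproved resume-ranking feature at the top and leaves the disabled meeting summaries off the list entirely.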
What To Do With What You Find
If you finished the audit with nothing but greens, either you’re very well-governed or you should check whether you missed any platforms. Both are possible.
More likely, you found a yellow or two and maybe a red. Here’s what to do:
Brief the right people. Whoever owns Legal, HR, Finance, and Operations in your business needs to know what AI features are active that touch their domain. Not as an alarm — as an update. “Here’s what’s running, here’s what it does, here’s what I need from you to make sure we’re covered.” Short conversation, right people in the room.
Ask your vendors the hard questions. What AI features have been added in the last 12 months? What data do they use? How is the model trained, and on whose data? Is our usage covered under our current agreement? Vendors who can’t answer these questions clearly are vendors worth watching closely.
Document everything. A spreadsheet that lives in a shared drive is enough. The goal is a record that says: we looked, here’s what we found, here’s what we decided. That record matters if something goes wrong later.
Repeat this quarterly. AI features are being added constantly, often bundled into routine updates. What was accurate today may not be accurate in 90 days. Put it in the calendar now.
One Last Thing
This audit isn’t about being anti-technology. The platforms you use every day, including the ones with AI features, are probably making your business more efficient in genuine ways. The goal isn’t to turn things off. It’s to make sure that when AI is running in your business, it’s running because someone made an informed decision — not because a button got clicked and nobody asked what it did.
The downloadable template below walks through each phase in a format you can fill in as you go, share with your team, and keep on file. It takes about the same 30 minutes, just with less scrolling back to this post.
If you find something surprising in your audit, I’d genuinely like to hear about it. That’s how these posts get better — and it’s probably something other people need to know too.