15 April 2026
How to Audit AI Usage in Your Organisation
A step-by-step guide to discovering what AI tools your team is using — and whether they're creating risk you don't know about.
Sam Hawkins
Syntra Automate
You cannot govern what you cannot see. And right now, most UK businesses cannot see the full picture of their AI usage.
Teams adopt AI tools independently. Employees sign up for free accounts. AI features appear inside existing software without anyone in compliance being notified. The result is an AI estate that is far larger, more complex, and more risky than leadership realises.
An AI usage audit fixes that. It gives you a factual picture of every AI system in your organisation — approved and unapproved — so you can assess risk, establish governance, and prepare for regulatory requirements including the EU AI Act (Regulation (EU) 2024/1689), which applies its high-risk obligations from 2 August 2026.
This article walks you through how to do it, step by step.
Why you need to audit AI usage
Shadow AI is everywhere. The UK Cyber Security Breaches Survey 2025 found that only 24% of businesses using or considering AI reported having processes in place to manage AI risks. Where there is no framework, there is no visibility. Employees are using AI tools that nobody in leadership knows about.
Data is leaving your control. When an employee pastes client information, financial data, or internal documents into an AI tool, that data may be stored on external servers, used for model training, or processed in jurisdictions with different data protection standards.
Compliance requires an inventory. The EU AI Act requires organisations to identify and classify their AI systems. The UK GDPR requires you to know what personal data is being processed and by whom. You cannot meet either obligation without knowing what AI tools are in use.
You cannot assess risk you have not identified. Risk assessments, DPIAs, and the EU AI Act's risk classification all depend on having a complete picture of your AI systems. An audit provides that picture.
Step 1: Conduct a shadow AI survey
The most important — and most often overlooked — step is simply asking your people what they use. Technology scans alone will miss browser-based tools, personal accounts, and AI features embedded in everyday applications.
Design an anonymous survey. Anonymity is critical. You are not looking to discipline anyone — you are looking for honest answers. Make this explicit in the survey introduction.
Template questions to include:
- Which AI tools do you use for work purposes? (Provide a checklist of common tools: ChatGPT, Microsoft Copilot, Google Gemini, Claude, Midjourney, Jasper, Grammarly, Otter.ai, and include an open text field for others.)
- How often do you use them? (Daily, weekly, occasionally)
- What do you use them for? (Drafting text, summarising documents, analysing data, generating images, coding, research, customer communications, other)
- What types of data do you enter into these tools? (Internal documents, customer data, financial data, personal data, publicly available information, other)
- Were these tools formally approved by your organisation?
- Are you aware of an AI usage policy in your organisation?
- Do you use personal accounts or company accounts to access these tools?
Distribute broadly. Every department, every level. AI usage is not confined to technical teams. Marketing, HR, finance, legal, operations, and customer service teams are all likely users.
Step 2: Review your IT asset register
Your IT team or managed service provider should maintain a register of approved software. Cross-reference this against known AI tools and AI-enabled platforms.
Look specifically for:
- Any software with "AI" or "intelligence" features that may not have been flagged as AI during procurement
- SaaS platforms that have added AI features since they were originally approved (many have in the past two years)
- Browser extensions with AI capabilities installed on company devices
- API integrations that connect to AI services
Step 3: Audit SaaS subscriptions
Review your SaaS subscription management tool or payment records for AI-related subscriptions. Many AI tools are purchased on monthly subscriptions using company credit cards or even personal cards that are later expensed.
Check:
- Company credit card statements for payments to AI tool providers
- Expense reports for AI tool subscriptions claimed by employees
- Software procurement records for any AI-enabled tools
This step often reveals tools that were never formally procured or assessed.
Step 4: Conduct a network and access review
Work with your IT team or provider to review:
- DNS logs or web filtering data for traffic to known AI service domains (openai.com, anthropic.com, gemini.google.com, midjourney.com, and similar)
- Single sign-on (SSO) logs for AI tool integrations
- OAuth connections — third-party apps authorised to access company data via AI services
This technical review complements the employee survey by catching tools that people may have forgotten to mention or did not realise were AI-powered.
Step 5: Consolidate and classify what you find
Bring all findings together into a single AI inventory. For each tool or system identified, record:
System name and provider
Department(s) using it
How it was procured (formally approved, self-service, personal account)
What it is used for
What data it processes (personal data, confidential business data, public data)
Whether it influences decisions about people (recruitment, credit, customer outcomes)
Data processing location (if known)
Whether the provider uses input data for model training
Step 6: Map against EU AI Act risk tiers
With your inventory complete, classify each system against the EU AI Act's risk categories:
Unacceptable risk — Is the system doing anything prohibited? (Social scoring, manipulative techniques, real-time biometric identification in public spaces.) Unlikely for most commercial businesses, but check.
High risk — Does the system fall into an Annex III category? Key areas: employment and recruitment, credit scoring, insurance risk assessment, education, critical infrastructure. If yes, full compliance obligations apply from 2 August 2026, with fines up to EUR 35 million or 7% of worldwide annual turnover.
Limited risk — Is the system a chatbot or generative AI tool interacting with individuals? Transparency obligations apply.
Minimal risk — No specific AI Act obligations.
Focus your governance effort on high-risk systems first, then work down.
Step 7: Assess data protection exposure
For each AI system that processes personal data, assess:
- Is there a lawful basis for processing under the UK GDPR?
- Has a DPIA been conducted (required where processing is likely to result in high risk to individuals)?
- Is there a data processing agreement with the provider?
- Where is the data processed and stored?
- Does the provider use input data for model training? If so, what are the implications for data protection?
Step 8: Act on the results
An audit is only valuable if it leads to action. Based on your findings:
Develop or update your AI usage policy. Set clear rules on which tools are approved, what data can be entered, and when human review is required.
Create an approved tools list. Evaluate the tools you have discovered. Approve those that meet your data protection and security standards. Provide guidance on tools that are not approved and why.
Decommission or restrict high-risk tools. If you find tools processing sensitive data without safeguards, take immediate action. This might mean blocking access, migrating to an enterprise version with better data controls, or finding an alternative.
Deliver targeted training. Focus training on the specific risks your audit revealed. If the survey shows employees are entering client data into AI tools, make that the centrepiece of your awareness programme.
Establish ongoing monitoring. An audit is a point-in-time exercise. New tools appear constantly. Build AI usage review into your regular IT governance cycle — quarterly at minimum.
Build your AI risk register. Use the audit findings to populate a structured risk register that records each system, its risk classification, data sensitivity, controls in place, and review dates.
Common pitfalls to avoid
Making it punitive. If employees fear disciplinary action, they will not be honest in the survey. Frame the audit as a governance exercise, not a witch hunt.
Only surveying IT. AI usage is spread across every function. If you only audit the technology team, you will miss the majority of tools in use.
Treating it as a one-off. The AI landscape moves fast. An audit done in June is outdated by September if you do not build in regular reviews.
Forgetting third-party tools. AI is embedded in CRM platforms, marketing automation, HR software, and accounting tools. These count. If a tool uses AI to process data or influence decisions, it belongs in your inventory.
Not acting on findings. The worst outcome is conducting an audit, discovering risks, and doing nothing. That creates a paper trail showing you knew about the risks and chose not to address them — precisely the wrong position if a regulator comes calling.
The bottom line
An AI usage audit is the foundation of everything that follows — governance, risk management, compliance, and responsible AI adoption. Without one, you are governing blind.
The process is straightforward: ask your people, check your systems, consolidate what you find, classify the risks, and act on the results. Most organisations can complete a thorough audit in two to four weeks.
The question is not whether you can afford to do it. It is whether you can afford not to.