How to Run an AI Tools Audit: Find Every AI Tool Your Team Uses

A step-by-step guide to auditing AI tool usage across your business. Covers IT inventory gaps, OAuth grant analysis, and employee surveys — so you know exactly what is running and what data it can access.

To find every AI tool your team uses, check three sources: your IT asset inventory (which will be incomplete), OAuth app grants in your Google Workspace or Microsoft 365 admin console (which reveals everything employees have signed into with their work account), and a direct anonymous employee survey (which captures browser extensions and personal accounts used for work). No single source is sufficient — the combination is what gives you an accurate picture.
  • 4.2: average AI tools per employee
  • 65%: IT unaware of at least one tool in use
  • 38%: tools with access to email or calendar
  • 1 in 3: OAuth grants from departed employees

Why manual IT inventories are never the full picture

Most IT asset inventories capture software that was provisioned through IT. They miss everything else. Browser-based AI tools require no installation. Mobile apps bypass corporate device management. Extensions install silently. And employees routinely sign into SaaS tools with their work Google or Microsoft account — granting data access — without anyone in IT ever seeing a ticket.

This is not a discipline problem. It is a structural gap. The tooling employees need to do their jobs is now accessible in seconds from a browser, and the friction of going through IT is often higher than the friction of just trying the tool and moving on. Shadow AI is the natural result.

An accurate audit acknowledges this gap and uses multiple sources to close it.

Source 1: Your IT asset inventory

Start here, but expect it to be incomplete. Pull your current list of sanctioned software and identify any tools that include AI capabilities — these include obvious AI tools (ChatGPT, Copilot, Gemini) and embedded AI features in tools you already use (Notion AI, Grammarly, Zoom AI Companion, Salesforce Einstein). Document each tool's:

  • Data handling and privacy policy tier (enterprise vs consumer)
  • Whether a Data Processing Agreement is in place
  • Who approved it and when
  • Which employee groups have access

Source 2: OAuth grant audit

OAuth grants are the most reliable signal for discovering shadow AI. When an employee clicks "Sign in with Google" or "Sign in with Microsoft" on any third-party tool, they authorise that tool to access their account — and your admin console records it.

For Google Workspace: navigate to Admin Console → Security → API Controls → App Access Control. You will see every third-party app that has been granted access, the scopes it holds (read email, read calendar, access Drive files), and which users have authorised it.

For Microsoft 365: navigate to Azure Active Directory (now Microsoft Entra ID) → Enterprise Applications → All Applications, then filter by consent type. This shows every app that users have authorised with their Microsoft credentials.

Export this list and cross-reference it against your IT asset inventory. Everything in the OAuth list that is not in your inventory is a candidate for investigation. Flag anything with high-privilege scopes (mail read, calendar read, files read) for immediate review.

See our dedicated guides for Google Workspace OAuth audit and Microsoft 365 app permissions audit.
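The cross-reference step, as an added example in Python (not Governably's code, and not the real export format of either admin console): it parses a simplified CSV of grants with constructed columns app, scopes and users, marks apps that are absent from the IT inventory, flags the mail, calendar and files scopes the section calls out, and, picking up the departed-employee figure from the top of the page, flags grants still held by leavers. The Google scope URIs and Microsoft Graph permission names are real; the app AcmeNoteTaker, the user addresses and the inventory and leaver lists are made up for the example.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Scopes the article singles out for immediate review: mail, calendar and files.
# The Google scope URIs and Microsoft Graph permission names are real; the short
# labels and the choice of which scopes count as high privilege are ours.
HIGH_PRIVILEGE_SCOPES = {
    "https://www.googleapis.com/auth/gmail.readonly": "mail read",
    "https://www.googleapis.com/auth/calendar.readonly": "calendar read",
    "https://www.googleapis.com/auth/drive.readonly": "files read",
    "Mail.Read": "mail read",
    "Calendars.Read": "calendar read",
    "Files.Read.All": "files read",
}

# Constructed stand-in for an admin-console export. Real exports have more
# columns; here scopes and users are ';'-separated inside one cell.
SAMPLE_EXPORT = """app,scopes,users
ChatGPT,openid;https://www.googleapis.com/auth/userinfo.email,alice@example.com;bob@example.com
Notion AI,https://www.googleapis.com/auth/drive.readonly;openid,alice@example.com
Grammarly,https://www.googleapis.com/auth/gmail.readonly;https://www.googleapis.com/auth/calendar.readonly,carol@example.com;dave@example.com
AcmeNoteTaker,Mail.Read;Calendars.Read,dave@example.com
"""

# Constructed inputs: the sanctioned list from the IT inventory and HR's leavers.
INVENTORY = ["ChatGPT", "Notion AI", "Grammarly"]
DEPARTED = ["dave@example.com"]


@dataclass
class Grant:
    app: str
    scopes: list[str]
    users: list[str]


def parse_grant_export(csv_text: str) -> list[Grant]:
    """Parse the simplified export: one row per app, scopes and users ';'-separated."""
    grants = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        grants.append(Grant(
            app=row["app"].strip(),
            scopes=[s.strip() for s in row["scopes"].split(";") if s.strip()],
            users=[u.strip().lower() for u in row["users"].split(";") if u.strip()],
        ))
    return grants


def high_privilege(scopes: list[str]) -> list[str]:
    """Labels of the mail/calendar/files scopes present, deduplicated and sorted."""
    return sorted({HIGH_PRIVILEGE_SCOPES[s] for s in scopes if s in HIGH_PRIVILEGE_SCOPES})


def cross_reference(grants: list[Grant], inventory: list[str], departed: list[str]) -> list[dict]:
    """Annotate each grant and order the list so the biggest gaps come first:
    apps absent from the inventory, then by number of high-privilege scopes, then by user count."""
    sanctioned = {name.lower() for name in inventory}
    leavers = {u.lower() for u in departed}
    findings = []
    for g in grants:
        users = set(g.users)
        findings.append({
            "app": g.app,
            "in_inventory": g.app.lower() in sanctioned,
            "high_privilege": high_privilege(g.scopes),
            "departed_users": sorted(users & leavers),
            "user_count": len(users),
        })
    findings.sort(key=lambda f: (f["in_inventory"], -len(f["high_privilege"]), -f["user_count"]))
    return findings


def needs_review(findings: list[dict]) -> list[str]:
    """Apps to put in front of a human: unknown to IT, holding high-privilege
    scopes, or still authorised by someone who has left."""
    return [f["app"] for f in findings
            if not f["in_inventory"] or f["high_privilege"] or f["departed_users"]]


if __name__ == "__main__":
    results = cross_reference(parse_grant_export(SAMPLE_EXPORT), INVENTORY, DEPARTED)
    for f in results:
        print(f"{f['app']:<14} inventory={f['in_inventory']!s:<5} "
              f"scopes={', '.join(f['high_privilege']) or '-':<25} "
              f"departed={', '.join(f['departed_users']) or '-'}")
    print("needs review:", needs_review(results))
```

The sort puts the one app IT has never seen at the top even though a sanctioned tool holds the same scopes; the departed-user column is what turns a routine inventory mismatch into a revocation item, since a leaver's grant keeps working until it is revoked.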

Source 3: Employee survey

Some tools will not appear in your OAuth list — browser extensions, tools used via personal accounts, and tools accessed without an account at all (some AI tools accept prompts without sign-in). An anonymous survey catches these.

Keep the survey short: five questions that take under three minutes to answer. Ask employees to list the AI tools they use at work (personal and work accounts), how often they use them, what for, and whether they share work-related data with them. Make it anonymous: you want honest answers, not self-censored ones. A simple Google Form or Microsoft Form works fine.

Be clear in the covering note that this is not a disciplinary exercise — you are trying to understand what tools are useful so you can support employees in using them safely. The tone matters: fear-based surveys produce incomplete data.

Classifying what you find

Once you have combined all three sources, classify each tool on two dimensions: risk level and usage frequency.

  • High risk, high frequency: Immediate priority. Review data handling terms, assess what data has been shared, decide approve/block, update policy.
  • High risk, low frequency: Investigate. Understand the use case — if legitimate, find a safer alternative. If not, revoke access.
  • Low risk, high frequency: Candidates for sanctioning. If employees find it valuable and it does not pose significant data risk, add it to the approved list.
  • Low risk, low frequency: Note and monitor. No immediate action required.
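The risk-by-frequency classification carried through in code, as an added example that is not part of the original article or of Governably's product. The four actions are the ones listed above; the two scoring rules are assumptions of this example: a tool is "high risk" if it holds mail, calendar or files scopes, or if employees report sharing work data with it and it has no enterprise data-handling tier or DPA, and "high frequency" means at least 20% of staff use it in a typical week. The tool names AcmeNoteTaker and ImageToy and all the usage numbers are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    HIGH = "high"
    LOW = "low"


# The four quadrants and their actions, as listed in the article.
ACTIONS = {
    (Level.HIGH, Level.HIGH): "Immediate priority: review data handling terms, assess what data "
                              "has been shared, decide approve/block, update policy",
    (Level.HIGH, Level.LOW): "Investigate the use case; if legitimate find a safer alternative, "
                             "otherwise revoke access",
    (Level.LOW, Level.HIGH): "Candidate for sanctioning; add to the approved list if data risk "
                             "is not significant",
    (Level.LOW, Level.LOW): "Note and monitor; no immediate action required",
}


@dataclass
class ToolUsage:
    name: str
    sensitive_scopes: bool    # holds mail, calendar or files scopes (from the OAuth audit)
    enterprise_terms: bool    # enterprise data-handling tier / DPA in place (from the inventory)
    work_data_shared: bool    # employees report putting work data into it (from the survey)
    weekly_users: int         # distinct users in a typical week (survey or grant user counts)


def risk_level(tool: ToolUsage) -> Level:
    """Assumed rule: high risk if the tool can read company data through scopes, or
    if work data goes into a tool with no enterprise terms or DPA."""
    if tool.sensitive_scopes or (tool.work_data_shared and not tool.enterprise_terms):
        return Level.HIGH
    return Level.LOW


def frequency_level(tool: ToolUsage, headcount: int, share: float = 0.2) -> Level:
    """Assumed rule: 'high frequency' means at least `share` of staff use it weekly."""
    if headcount <= 0:
        raise ValueError("headcount must be positive")
    return Level.HIGH if tool.weekly_users / headcount >= share else Level.LOW


def classify(tools: list[ToolUsage], headcount: int) -> list[dict]:
    """Place each tool in its quadrant and return the rows highest priority first."""
    rows = []
    for t in tools:
        risk, freq = risk_level(t), frequency_level(t, headcount)
        rows.append({"tool": t.name, "risk": risk.value, "frequency": freq.value,
                     "action": ACTIONS[(risk, freq)]})
    # High risk before low risk; within a risk level, high frequency first.
    rows.sort(key=lambda r: (r["risk"] != "high", r["frequency"] != "high"))
    return rows


# Constructed sample: four tools, one per quadrant, at a 50-person company.
SAMPLE_TOOLS = [
    ToolUsage("AcmeNoteTaker", sensitive_scopes=True, enterprise_terms=False,
              work_data_shared=True, weekly_users=15),
    ToolUsage("ChatGPT (personal accounts)", sensitive_scopes=False, enterprise_terms=False,
              work_data_shared=True, weekly_users=4),
    ToolUsage("Grammarly", sensitive_scopes=False, enterprise_terms=True,
              work_data_shared=True, weekly_users=30),
    ToolUsage("ImageToy", sensitive_scopes=False, enterprise_terms=False,
              work_data_shared=False, weekly_users=2),
]


if __name__ == "__main__":
    for row in classify(SAMPLE_TOOLS, headcount=50):
        print(f"{row['tool']:<28} risk={row['risk']:<4} freq={row['frequency']:<4} {row['action']}")
```

Keeping the two rules in separate functions makes the thresholds the part you tune: a regulated team may treat any consumer-tier tool that receives work data as high risk regardless of scopes, and a small company may set the frequency share higher so that a tool two people tried once does not look like an adoption trend.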

What to do with the results

The output of your audit should be three things: an updated approved tools list for your acceptable use policy, a list of OAuth grants to revoke, and a set of remediation actions for any high-risk shadow tools you found. Publish the updated approved list to employees and communicate any tool restrictions clearly — with the reason, and ideally an alternative you are providing.

How Governably automates this

Governably connects to your Google Workspace or Microsoft 365 environment and automatically pulls every OAuth grant, cross-references it against a database of known AI tools and their risk profiles, and surfaces the results as a prioritised list. You see at a glance which AI tools have company data access, what scopes they hold, and which ones need action — without spending hours in admin consoles and spreadsheets.

Frequently asked questions

What is an AI tools audit?

An AI tools audit is a structured process to identify every AI tool in use across your business — including ones IT does not know about. It combines three sources: your IT asset inventory, OAuth app grants in your Google or Microsoft environment, and a direct employee survey.

How do I find AI tools my employees are using without telling IT?

The most reliable method is auditing OAuth grants in your Google Workspace or Microsoft 365 admin console. When employees sign into an AI tool using their work account, they grant that tool access to company data — and that grant is recorded centrally.

How often should I run an AI tools audit?

Run a full audit at least annually, but set up ongoing monitoring via your OAuth admin console so you catch new grants in near-real-time. In fast-moving businesses, new AI tools appear monthly — a once-a-year audit will always be behind.

What should I do with unsanctioned AI tools I find?

Classify them by risk first. Tools with access to sensitive data scopes need immediate review. For each unsanctioned tool, decide: approve and add to policy, block and provide an alternative, or revoke access and investigate whether data was shared.