ChecklistUpdated 2026-02-15For: CISOs, CIOs, data protection officers, HR/legal teams designing AI acceptable-use policy

AI Tool Usage Risk Assessment Checklist

Most enterprises adopt GenAI without a structured risk assessment, then discover the consequences in audit. This checklist walks through every dimension of GenAI risk — identity, data, code, runtime, monitoring, governance — and the controls that map to each.

Talk to an expert All resources

The Checklist

1. Inventory of AI tools in use

Sanctioned tools (enterprise tenants of Claude, ChatGPT, Copilot, Gemini, Cursor)
Shadow AI (unsanctioned tools employees use — discover via CASB / SSE / DNS / EDR)
AI features embedded in existing SaaS (Notion AI, Slack AI, Linear AI, Atlassian Intelligence)
Internal AI deployments (self-hosted LLMs, RAG systems, AI agents)
Vendor AI features in your tools (CRM, ERP, ITSM — most enable AI by default)

2. Identity & access

SSO enforced on all enterprise AI tenants
SCIM provisioning + deprovisioning
MFA required for AI tool access
Personal-account access blocked at network egress (CASB / SSE)
API key management for AI APIs (no shared service-accounts, no long-lived keys)

3. Data protection

Enterprise tier (data not used to train) on every sanctioned AI tool
AI-aware DLP (Cyberhaven, Microsoft Purview AI labels, Netskope, Zscaler)
Sensitivity labels mapped to AI tool controls
Default 'block paste' for restricted-labeled content into AI tools
Audit of conversation history retention + customer data exposure
Browser extension or endpoint agent monitoring AI tool usage

4. Code copilots (Claude Code, Cursor, GitHub Copilot)

Suggest-only mode (no auto-write for high-impact files)
Code DLP — block AI suggestions when sensitive code is in context
MCP scope review — what tools / files / systems can the AI agent access?
PR review process must catch AI-suggested code (no auto-merge from AI)
License compliance — AI-generated code is reviewed for license signals
SAST/SCA still required in pipelines (don't assume AI checks security)
Git audit log captures AI-author attribution

5. Runtime & integration

AI gateway in front of public LLM APIs for logging + policy enforcement
Prompt-injection defence (input sanitisation, output validation)
Rate-limit + token budget per user / team
Tool-calling guardrails (whitelist of MCP tools, scope of file system access)
Output validation — never display AI output that could be code without sanitisation

6. Policy & governance

AI Acceptable Use Policy (AUP) signed by employees
Risk-tier classification of AI use cases (low / medium / high / prohibited)
Data classification mapped to AI tool authorisation (e.g., restricted data not allowed in any AI tool)
Pre-approval workflow for new AI tools
Incident reporting process for AI-related incidents
Vendor risk review for any AI tool processing customer data
Customer transparency — AI usage disclosed in privacy notice / terms

7. Detection & monitoring

SIEM events for AI tool usage (sign-in, prompt count, DLP events)
User behaviour analytics for AI tool usage anomalies
Shadow AI detection alerts (new SaaS detected, AI-feature enabled in existing SaaS)
Quarterly review of AI tool inventory + access reports
Incident response playbook for AI-related events

Frequently asked questions

Is enterprise-tier AI (ChatGPT Enterprise, Claude Enterprise) safe enough?

Enterprise tiers solve data-retention and training-on-customer-data — that's a real value. They DON'T solve identity sprawl, prompt injection, code-copilot governance or shadow AI. You still need a security wrapper around them.

Where do most enterprises lose data to GenAI?

Browser-based usage of personal accounts. Employees go to chatgpt.com (not the enterprise tenant), paste customer data, get the answer. Endpoint DLP on enterprise app data doesn't see the browser. Block personal accounts at the network egress + use AI-aware DLP.

What's the right control mix?

Identity (SSO+SCIM) + access (CASB blocks personal accounts) + data (AI-aware DLP with sensitivity labels) + runtime (AI gateway + prompt-injection defence) + detection (SIEM hooks + UEBA). Layered — no single control is enough.

How often should we re-run this assessment?

Quarterly during early adoption (lots of change). Annual once mature. Plus event-driven: any new AI tool > $10k spend, any AI tool processing restricted data, any AI-related incident.

Can we just ban GenAI?

Technically yes, practically no. Employees use it on personal devices and accounts. Banning it just moves the data leakage out of your visibility. Better: enable sanctioned tools + tight DLP + clear policy.

Related services

More resources

Need help executing this?

Talk to Digital Defense — India's CERT-In Empanelled cybersecurity team.

Book a consultation

Digital Defense

Online | Typically replies instantly

Hi there! 👋 Welcome to Digital Defense. I'm here to help you with your cybersecurity needs. How can I assist you today?