Internal
AI Tools
Audit
By the time a larger company writes its first AI policy, staff may already use dozens of model accounts, browser extensions and meeting tools. We establish what is in use, what data reaches it and who should own each decision.
78%
OF AI USERS BRING THEIR OWN TOOLS TO WORK
27.4%
OF DATA PUT INTO AI IS SENSITIVE
2 Aug 2026
MOST AI ACT RULES APPLY
Sources: Microsoft & LinkedIn Work Trend Index 2024; Cyberhaven AI Adoption and Risk Report 2024; Regulation (EU) 2024/1689.
Most businesses underestimate internal AI use
Microsoft and LinkedIn found 78% of AI users bring their own AI tools to work. Cyberhaven measured a 485% jump in corporate data flowing into AI tools from March 2023 to March 2024, with 73.8% of workplace ChatGPT use going through non-corporate accounts.
Meanwhile finance is paying for one ChatGPT seat, marketing has expensed a Claude subscription on a personal card, someone in ops has wired Zapier into a Notion AI workflow, and a junior dev has pasted client data into Cursor.
You can't govern what you can't name. The audit names it.
WHAT YOU THINK YOU HAVE
- "A few people using ChatGPT"
- An email saying "don't paste client data"
- Copilot "switched off in the tenant"
- A vendor list that ends at SaaS
- Nothing the board could sign off on
WHAT YOU'LL HAVE AFTER
- Named inventory of every tool, plugin and agent
- Acceptable-use policy your team will read
- Tenant settings reviewed, training opt-outs set
- Vendor due-diligence pack on every AI supplier
- Audit trail mapped to NIST AI RMF and ISO 42001
Where shadow AI creates risk
The sectors vary. The exposures repeat. So do the fixes.
Personal-account paste
Staff using ChatGPT Free or Plus on personal logins. OpenAI says consumer ChatGPT content may be used to improve its models unless the user opts out. Cyberhaven measured 73.8% of workplace ChatGPT use through non-corporate accounts.
Copilot oversharing
Microsoft 365 Copilot inherits the permissions you already have. Over-permissioned SharePoint sites that nobody noticed for years now surface in natural language to anyone who asks.
Browser extensions
Chrome extensions that "summarise this page" or "rewrite this email". The audit checks browser permissions, vendor terms, DPA status and who you would name in a breach notice.
SaaS AI switched on
Slack AI, Notion AI, Atlassian Intelligence, Zoom AI Companion, HubSpot Breeze. Each has its own admin controls, data terms and opt-out path. Someone has to read them before the feature becomes normal work.
Agents and custom GPTs
Someone built a custom GPT for sales. It reads from a Google Drive folder. Nobody documented which folder, who can use the GPT, or what it returns. Now it's part of the workflow.
What belongs in the AI register
The register covers chat apps, coding tools, browser extensions, SaaS features and API calls. Each entry has an owner, data class and risk tier.
Chat assistants
ChatGPT, Claude, Gemini, Copilot, Perplexity, Mistral. Per account: free or paid, personal or corporate, training opt-out status.
Coding tools
Cursor, GitHub Copilot, Claude Code, Windsurf, Replit, Lovable, Bolt.new. Which repos they touch, what code they've pushed, who's been pasting in secrets.
Browser extensions
Page summarisers, meeting note-takers, email rewriters, sales copilots. Per extension: vendor, permissions, data leaving the browser.
SaaS AI features
M365 Copilot, Google Workspace Gemini, Slack AI, Notion AI, Atlassian Intelligence, HubSpot Breeze, Zoom AI Companion. Status, scope, training defaults.
Custom GPTs & agents
Internal GPTs, n8n / Zapier / Make automations, Claude Projects, anything your team has wired together. Owner, data sources, who can run it.
Meeting recorders
Otter, Fireflies, Granola, Read.ai, Tactiq. What gets recorded, where it's stored, which clients have given consent.
Image, audio & video
Midjourney, Runway, ElevenLabs, Suno, Veo, Sora. Per tool: licence terms, commercial use rights, who's paying.
API calls in your own apps
OpenAI, Anthropic, OpenRouter, Bedrock and Vertex calls inside your products. We record spend, models, system prompts and logged inputs.
What the review gives you
The core review produces the register, ownership model, policy changes and immediate controls. Ongoing checks are optional and separately scoped.
We do the discovery, the interviews, the tenant review and the write-up. You get a document the board can sign and your IT lead can act on by Monday.
BOOK AN AUDIT CALLDiscover
SSO logs, expense reports, browser extensions, SaaS admin consoles, repo histories, the corporate card statement. Short interviews with the people using the tools. You see what's been bought, what's free, and what nobody's mentioned in a stand-up.
Classify and tier
Every tool gets a data class (public, internal, confidential, special category) and a risk tier modelled on the EU AI Act categories. We flag the prohibited, high-risk, limited-risk and minimal-risk cases, with the reasoning written down so it survives the next staff change.
Fix and document
Training opt-outs flipped, free-tier accounts moved to corporate plans where it matters, dangerous extensions removed, Copilot oversharing reviewed, vendor DPAs collected. You leave with an acceptable-use policy, an AI register, a vendor pack, and a one-page risk note for the board.
Keep it current (optional, quarterly)
Your team will adopt more tools and your SaaS vendors will keep adding AI features. We do a quarterly sweep, update the register, and refresh the policy. Optional retainer; cancel any quarter.
Frameworks the audit maps against
We don't write fresh principles. We map the work to recognised standards so the output can be reused in an ISO certification, a SOC 2 review, a buyer's security questionnaire, or an ICO conversation.
AI Management Systems
The first international standard for managing AI as a system. Published December 2023, certifiable. The register, policy and risk process we build map to Annex A controls.
Govern, Map, Measure, Manage
NIST's AI Risk Management Framework (January 2023) plus the Generative AI Profile (NIST AI 600-1, July 2024). The structure our audit report follows so the work is recognisable to security teams that already use NIST.
Regulation (EU) 2024/1689
AI literacy and prohibited-practice rules have applied since 2 February 2025, with general-purpose model rules following on 2 August 2025. Article 50 transparency duties apply from 2 August 2026. The European Commission's current timeline puts Annex III high-risk areas on 2 December 2027 and high-risk systems embedded in regulated products on 2 August 2028.
ICO Guidance on AI & data protection
The ICO's AI and data protection guidance, AI audit toolkit, and lawful-basis, transparency and DPIA expectations that already apply to anything touching personal data. We flag where you owe a DPIA and draft the first one.
Prompt injection, supply chain, leakage
The 2025 edition of the OWASP Top 10 for LLM Applications. We use it as the technical checklist for any tool that takes prompts or runs agents inside your business.
Adversarial threat models
MITRE ATLAS covers adversary tactics against AI systems, while Google's Secure AI Framework provides practical controls. We use them when the audit includes your own products as well as employee tools.
Published incidents involving internal AI tools
Four public incidents from the last three years. Different industries, same governance problem: a tool was live before anyone had decided what it was allowed to do.
Samsung's source code leak.
Within 20 days of allowing ChatGPT, Samsung Semiconductor engineers pasted proprietary source code and confidential meeting notes across three separate incidents. Samsung then restricted generative AI use on company devices and internal networks. Reported by Bloomberg.
Air Canada pays for its bot.
The BC Civil Resolution Tribunal held Air Canada liable in Moffatt v. Air Canada for misleading bereavement-fare advice its chatbot had given. The airline's argument that the bot was a "separate legal entity" failed. The advice still came from Air Canada's website.
DPD swears at the customer.
After a system update, DPD's customer-service chatbot called the company "the worst delivery firm in the world" and swore at a user. DPD told TIME the AI element was immediately disabled and updated.
NYC's bot tells you to break the law.
The Markup found New York City's official MyCity chatbot, built on Microsoft technology, telling small business owners they could take staff tips, fire whistleblowers and refuse Section 8 tenants. All illegal under NYC law. The mayor kept it online.
Sources: Bloomberg, BC Civil Resolution Tribunal, TIME, The Markup.
Our own AI use is governed as an operating system
Raq.com gives our work shared accounts, permissions, tools and records. The same practical questions sit behind an internal audit: who is using what, with which data, under whose authority and at what cost.
When this is worth discussing
We work best when there is a real operating problem, enough volume to measure and people from the affected teams who can make decisions.
Usually a good fit
- An established UK business, usually with annual revenue above £10m
- A repeated process with a known cost, delay, error rate or capacity problem
- A senior sponsor and a day-to-day owner who understand the work
- Access to the relevant staff, systems, sample records and security requirements
We may point you elsewhere
- A standard product already covers the process well
- The requirement is a one-off small build with no wider operating case
- There is no owner or access to the people and data needed to test the result
- The plan relies on AI making high-impact decisions with nobody responsible for review
Questions from IT, legal and compliance
We're not a regulated business. Do we really need this?
If you process anyone's personal data, UK GDPR is already on you. If you provide or deploy AI systems used in the EU, the AI Act may be on you too. If your customers are enterprises, their next security questionnaire is likely to ask. The audit gets you the answers before the questionnaire arrives.
Aren't you just going to ban everything?
No. The goal is a list of what's allowed, on what data, by whom. Most tools come through unchanged. A few get moved to corporate plans. A small number get switched off, with a sanctioned replacement.
How long does it take?
Days for the core audit: discovery, then classification, then fixes and the write-up. If your team is bigger than 150 people we extend discovery, everything else runs the same way.
What do you need from us?
Read access to your SSO logs, Microsoft 365 or Google Workspace admin, expense reports, your SaaS admin consoles and your endpoint management. Time with 6 to 10 people, an hour each. An honest answer when we ask "what are you using".
Will the team tell you?
Mostly, yes. We run interviews on a "nobody's in trouble" basis and cross-check against logs and expenses. The combination catches tools people forget to mention.
What about Microsoft Copilot? We've already paid for it.
Copilot inherits access from Microsoft 365, so existing SharePoint and OneDrive permissions are part of the review. We map what each role can retrieve, identify over-broad sharing and agree any permission changes with your Microsoft 365 owner.
Are you lawyers?
No. We're the engineering and operations team. We map the technical reality, fix the controls and draft the policy. Where you need a solicitor to sign off the wording, we work with yours, or introduce one. Cleaner and cheaper than going to a law firm cold.
How much does it cost?
Fixed-fee per phase for the core audit. The optional quarterly retainer is a fraction of that. We tell you the number on the first call, in writing, before anything is signed.
Book an internal AI tools audit
Tell us how many teams and systems are in scope, whether a policy exists and what prompted the review. We will explain the evidence needed for a useful register and action plan.