I'm tasked with providing a complete audit of all AI tools being used across our organization. I know which tools we pay for and manage, but I'm looking for the bigger picture. This includes scenarios like staff using Claude on personal devices with mobile data to summarize client documents, browser extensions that connect to AI services, and personal ChatGPT accounts used on work devices after hours. Corporate network monitoring captures some of this, but it's not comprehensive. Before I present my findings to leadership, I'm wondering if there's a viable solution for achieving full visibility into AI usage or if I should honestly inform them that this level of oversight isn't feasible right now and policies will need to bridge the gap.
5 Answers
One critical question to address is how any client documents ended up on personal devices in the first place. Figuring that out will answer a lot of underlying security concerns and will help clarify why complete visibility is challenging.
Instead of aiming for full visibility, it might be more effective to focus on data protection risks. Understanding how sensitive data could be exposed is key, rather than trying to catalog every single AI interaction.
Have you thought about sending out a survey to see which tools people are actually using? It might give you some useful insights to complement whatever you can monitor.
Honestly, if someone wants to use personal devices over mobile data, there's not much IT can do about it. You could implement certain restrictions like blocking USBs or whitelisting sites, but at the end of the day, it comes down to user behavior. Policies need to address this issue more than tech solutions.
In situations like yours, I’d suggest going back with a structured response. You could break it down into tiers: 1) Tools we actively manage and monitor, 2) Tools we can detect with varying degrees of accuracy, 3) Tools that aren’t currently monitorable but could be with additional investment, and 4) Tools that simply can't be monitored. That fourth tier is crucial because it highlights the limitations of tech and underscores the need for clear policies.

This tiered approach really simplifies things! It helps set clear expectations with leadership about what's realistically achievable.