Expertise Disputes and Investigations
April 24, 2025

You Have to Know What AI You Have

The first step in creating a strong AI governance strategy is having a clear understanding of where and how AI is being used in your organization.

We all now know what good AI governance looks like. If you're not sure on that point, read my last article before moving on.

Good AI governance supports achieving tangible business objectives through the following four pillars:

  • AI System Inventory
  • AI Use Case Inventory
  • AI Regulatory Crosswalk
  • AI Governance Roadmap

In this article I want to discuss AI governance strategies around the first pillar, AI System Inventory.

Understand Your AI Inventory

The starting point for AI governance is getting a handle on what AI your organization is currently using and plans to use in the next 12 to 18 months. This may sound simple, but getting a full, accurate list of IT systems is a challenge at most organizations. When organizations try to do so for something as new as AI — which frequently comes as part of non-AI tools — the challenge can seem insurmountable.

One way to overcome this challenge and gain visibility into your organization’s use of AI tools is to get a better handle on all the IT systems in use, AI or not. A fruitful place to start is to pull all the invoices paid to IT vendors in the last 24 months: This becomes your base list of potential IT systems in use. In conjunction with an outside-in approach, you should meet with your business continuity/disaster recovery (BC/DR) team. They typically know which are the core IT systems that need to be recovered in the event of an outage. Beyond this, if your organization has a privacy team, work with them to get a list of systems from their asset inventory for key insights into systems that manage personally identifiable information (PII).

These three sources won’t get you 100% of the systems in use, but will make a solid start for your efforts.

You should then evaluate each system on this list to determine whether it would constitute AI — not only generative AI (GenAI) but also more tenured AI capabilities such as machine learning (ML). For some systems, it will be obvious (e.g., the name ends in “.ai”). For others, you’ll need to research them to determine whether 1) they leverage AI and 2) your organization is using their AI capabilities.

Don’t Reinvent the Wheel 

This is a fairly straightforward exercise, one that IT departments have been using for two decades to build IT asset inventories. But the devil is in the details. A system inventory to support AI governance needs more information than is typically found in an IT asset inventory.

What AI-specific information is needed will depend on the laws and regulations your organization is subject to, which will depend in large part on how you are using (e.g., for employee productivity versus hiring or underwriting). You’ll document these in the next pillar, AI Use Case Inventory. At this stage, your privacy team will be invaluable partners in helping you augment the more IT-focused system information found in an IT asset inventory with information related to sensitive data risk. Between these two sources, you should get roughly 80% of the way to a fully documented AI system inventory, which you will complete once you identify how your organization is using AI and the specific laws and regulations it’s obligated to. 

Building Your AI Inventory

While an AI inventory is conceptually straightforward, executing it is extremely difficult. Many organizations have outdated IT asset inventories or struggle to get a report of all vendors they’ve paid in the last two years. Not all organizations have a privacy team or, if they do, don’t have an asset inventory.

In these cases, you need to think less about getting the AI system inventory perfect on the first go-round and focus instead on making incremental progress. If you can’t get all systems, focus on your tier one core systems for running the business or look at typically high-risk back office areas like HR and payroll or high-risk front office areas like underwriting, claims, sales or marketing. If you don’t have a complete IT asset inventory or privacy asset inventory, start with the systems in it today to start documentation and build from there.

All things considered, your best bet is to start the journey around AI system inventory, no matter how halting or imperfect.

This article was first published on Reworked.

Thought Leadership
Segregation of Duties: A Simple Idea to Prevent Fraud
April 29, 2025
Senior Director Luis Felipe Braga explores how segregation of duties can prevent fraud, enhance internal controls and protect against reputational and regulatory risk. Learn how companies can identify risk-prone roles, configure system access and maintain SoD across complex environments.
Thought Leadership
The Growing Role of Data and Privacy Due Diligence in Transactions
April 29, 2025
Senior Director Samita Patel outlines how privacy risks, regulatory scrutiny and compliance gaps can materially impact deal value, and how smarter due diligence can uncover both red flags and unrealized potential.
Thought Leadership
DOJ Clarifying Guidance on Bulk Sensitive Data DSP: Operational Considerations
April 16, 2025
In a recent A&M article, the Disputes and Investigations team discusses key clarifications from DOJ’s latest guidance on the Data Security Program, including the critical 90-day nonenforcement window, heightened security expectations, and the need for companies to act swiftly to build robust compliance frameworks ahead of the July 8, 2025 deadline.
Thought Leadership
The Role Of The Expert Witness In International Litigation And Arbitration Proceedings
April 1, 2025
This report was first published in Mealey’s Litigation Report: Artificial Intelligence.
Authors
CONTACT US TODAY
SUBSCRIBE TO OUR BULLETIN
Download PDF version
FOLLOW & CONNECT WITH A&M