What Is an AI Tool Register?
An AI tool register is a maintained list of every AI-powered tool your organization uses — including tools that come with AI features built in — with details about ownership, data handling, approval status, and review dates.
Think of it as the master inventory that makes all your other AI governance work possible. You cannot write a meaningful policy, run an audit, or assess vendor risk for tools you do not know exist.
Why Small Teams Need One
Most small teams discover they have more AI tools in use than they realized. A developer using GitHub Copilot, a marketer using ChatGPT, a support rep using a helpdesk with AI suggestions built in, an ops lead who signed up for a summarization tool last quarter and forgot to tell anyone — this is the normal starting point.
An AI tool register:
- Surfaces shadow AI before it creates a data or compliance incident
- Makes vendor risk reviews tractable (you need a list before you can score it)
- Gives you the inventory required for a quarterly governance audit
- Supports contract reviews — you cannot check DPA status for a vendor you do not know you have
The Template
Copy this table into your preferred tool (Notion, Airtable, Google Sheets — any works). One row per tool.
| Field | What to fill in |
|---|---|
| Tool name | e.g. ChatGPT, GitHub Copilot, Notion AI |
| Vendor | Company name |
| Version / plan | Free, Team, Enterprise — matters for data handling |
| Business owner | One named person responsible for this tool |
| Department(s) using it | e.g. Marketing, Engineering |
| Status | Approved / Shadow / Under review / Retired |
| Data classification | What data can be entered: Public / Internal / Confidential / Restricted |
| Do-not-enter data types | e.g. PII, customer data, credentials, source code |
| Data processing region | US / EU / Unknown — check vendor privacy policy |
| DPA / contract status | Signed / Needed / N/A (free tier) |
| Training opt-out | Yes opted out / No / Unavailable / Unknown |
| SSO / centrally managed | Yes / No |
| Annual cost (approx.) | For budget awareness |
| Date added | When the team started using it |
| Last reviewed | Date of last risk or policy review |
| Notes | Anything relevant |
Starter List: Tools to Check First
When building your register from scratch, start with these categories — they are where most unapproved AI use hides:
- Writing assistants — ChatGPT, Claude, Gemini, Grammarly (has AI features)
- Code assistants — GitHub Copilot, Cursor, Codeium, Tabnine
- Meeting tools — Otter.ai, Fireflies, Fathom, Zoom AI Companion
- Productivity tools with AI features — Notion AI, Microsoft 365 Copilot, Google Workspace AI
- Customer-facing tools — AI chatbots, helpdesk AI (Intercom, Zendesk AI)
- Specialist tools — AI for design (Figma AI, Adobe Firefly), AI for finance, HR AI features
- Developer tools — Any model API access (OpenAI, Anthropic, Mistral)
How to Build the Register: 4 Steps
- Survey the team. Send a short 3-question form: "What AI tools do you use at work? What data do you put into them? Do you pay for them personally or on a company card?" Anonymize if needed to get honest answers.
- Check your payment records. Look for AI vendor charges in corporate card statements and expense reports. This catches tools that were signed up for quietly.
- Review SaaS and browser extensions. Ask IT (or do it yourself) to check installed browser extensions and OAuth connections to company Google/Microsoft accounts. Many AI tools are accessed this way.
- Score each entry. For every tool found, fill in the register fields above. Flag anything with Confidential or Restricted data access for immediate review.
Maintenance Cadence
| Frequency | What to do |
|---|---|
| Monthly | Scan for new tools (ask in team standup or Slack); update any changes to ownership or status |
| Quarterly | Full re-audit; confirm DPA status for any new vendors; retire unused tools |
| On hire | Add new employees' existing tool habits to the register (catches personal-plan AI use) |
| Before any new AI tool purchase | Add to register before approval, not after |
What to Do With What You Find
- Shadow tools with no sensitive data access — add to the register, have the owner document the use case, decide whether to approve or replace with an approved alternative
- Shadow tools with PII or confidential data — treat as an AI incident; assess exposure, remediate, and decide on tool status
- Tools with no DPA — contact the vendor or move to a plan that includes a DPA before allowing sensitive data use
- Unused tools — retire them; reduce your attack surface and your bill
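The triage rules above can be run mechanically over an exported register. The following is an added example, not part of the original template: it assumes a CSV export whose column names match the template fields, uses constructed sample rows, and treats "quarterly" as 90 days.

```python
import csv
import io
from datetime import date

# Constructed sample export; column names follow the template's fields.
SAMPLE_CSV = """Tool name,Status,Data classification,DPA / contract status,Last reviewed
ChatGPT,Approved,Internal,Signed,2025-01-10
Otter.ai,Shadow,Confidential,Needed,
Grammarly,Shadow,Public,N/A (free tier),2025-05-01
Helpdesk AI,Approved,Restricted,Needed,2025-05-20
Old summarizer,Retired,Internal,Signed,2024-03-01
"""

SENSITIVE = {"confidential", "restricted"}
REVIEW_MAX_AGE_DAYS = 90  # assumption: "quarterly" taken as 90 days


def triage(row, today):
    """Return the list of findings for one register row."""
    status = row["Status"].strip().lower()
    if status == "retired":  # retired tools need no further action
        return []
    sensitive = row["Data classification"].strip().lower() in SENSITIVE
    findings = []
    if status == "shadow":
        findings.append("incident: shadow tool with sensitive data" if sensitive
                        else "shadow: document use case, approve or replace")
    if sensitive and row["DPA / contract status"].strip().lower() != "signed":
        findings.append("no DPA: block sensitive data until signed")
    reviewed = row["Last reviewed"].strip()
    if not reviewed:
        findings.append("never reviewed")
    elif (today - date.fromisoformat(reviewed)).days > REVIEW_MAX_AGE_DAYS:
        findings.append("review overdue")
    return findings


def triage_register(csv_text, today):
    """Map tool name -> findings for every row that needs action."""
    rows = csv.DictReader(io.StringIO(csv_text))
    report = {r["Tool name"]: triage(r, today) for r in rows}
    return {name: f for name, f in report.items() if f}


if __name__ == "__main__":
    for name, findings in triage_register(SAMPLE_CSV, date(2025, 6, 1)).items():
        print(f"{name}: {'; '.join(findings)}")
```
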
Link This to Your Other Governance Work
The register is an input, not an end in itself. Use it to:
- Feed the quarterly review of your AI governance checklist
- Prioritize which vendors to run through AI vendor due diligence
- Define scope for your AI usage audit
- Update your AI acceptable use policy as the tool list changes
A register that is updated and actually used is more valuable than a perfect one that nobody maintains. Start with a simple spreadsheet, keep it short, and build the habit of updating it monthly.