Secure AI Atlas SECURITY & GOVERNANCE
EN / ES

Control

Approved AI Tool Register

A maintained record of approved AI tools, allowed use cases, owners, data limits, account requirements, and review status.

inventory governance shadow AI

What it constrains

An Approved AI Tool Register reduces Shadow AI by making authorized capability visible. It gives employees a named path for acceptable use and gives security teams a record to review.

Implementation

  • Record tool name, owner, vendor or internal service, and decision status.
  • Define approved use cases and prohibited use cases.
  • Map allowed and prohibited data classes.
  • Specify account requirements such as SSO, MFA, admin roles, logging, and retention settings.
  • Add review date, exception status, and retirement criteria.

Owner

The owner should sit where procurement, security, privacy, and the business process meet. A register without an accountable owner becomes an inventory-shaped archive.

Evidence

  • Current register entry for each approved tool.
  • Review date and decision history.
  • Documented data-class limits.
  • Identity and logging settings for enterprise platforms.
  • Exception records for temporary or limited use.

Common errors

  • Listing tools without allowed data classes.
  • Approving a vendor but not the specific use case.
  • Failing to update entries after product features change.
  • Treating the register as a policy document instead of an operational control.
  • Shadow AI
  • Sensitive Data Disclosure
  • Excessive Agency