AI Governance Starter Checklist for Small Businesses

A practical checklist for founders, small teams, and growing businesses using AI tools without formal guardrails. Use it to review tool usage, data exposure, vendor risk, acceptable use, and basic oversight.

This checklist is built for small business owners, solopreneurs, SaaS founders, consultants, and teams using AI tools before formal governance is in place. It is not meant to slow you down. It is meant to help you catch the obvious risks before they become customer, security, compliance, or trust problems.

Best for: small business owners, solopreneurs, SaaS founders, consultants, and teams using AI tools before formal policies are in place.

Download Free Checklist (PDF)


How to Use This Checklist

Download the checklist. Mark each item as Done, In Progress, or Not Started. Start with anything involving customer data, API keys, AI agents, or production code.

AI Tool Inventory

  • List all AI tools in use across your business — ChatGPT, Microsoft Copilot, Gemini, Grammarly, Jasper, and others.
  • Identify which AI features are embedded in your SaaS tools — CRM, HR, accounting, email.
  • Confirm who has access to each AI tool and what permissions they have.

Data Exposure

  • Identify what customer or business data AI tools can access or process.
  • Check whether AI tools store, train on, or share your data with third parties.
  • Review privacy and data retention settings in each tool.

Vendor & SaaS Risk

  • Review the AI policies for your top five SaaS vendors.
  • Check whether vendor AI features can be disabled or opted out of.
  • Confirm whether any vendor AI use requires a separate data processing agreement.

Acceptable Use

  • Establish a basic written policy for AI tool use by staff and contractors.
  • Define what data types should never be entered into AI tools — customer PII, financial records, health data, legal documents.
  • Communicate the policy to anyone on your team using AI tools.

AI-Assisted Development (if your team builds software)

  • Identify which AI coding tools your developers are using — Copilot, Cursor, Replit, Claude Code, and similar tools.
  • Review AI-generated code before it reaches production — check authentication, authorization, and admin access logic.
  • Confirm API keys, tokens, secrets, and credentials are not exposed in prompts, code, repositories, logs, or AI tool history.
  • Review whether AI agents or automations can access files, databases, customer records, or business systems.
  • Document what human review is required before AI-generated features go live.

Before You Ship

  • Confirm the product does not expose customer data through AI features.
  • Confirm AI outputs are reviewed or constrained when they affect users, payments, accounts, or business decisions.
  • Confirm logging does not capture sensitive prompts, credentials, or customer records.
  • Confirm AI vendors and APIs have been reviewed for data retention and privacy terms.
  • Confirm you can explain your AI use clearly to a customer, investor, insurer, or enterprise buyer.
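Two items above are mechanical enough to automate: keeping credentials out of prompts, logs and AI tool history, and keeping application logging from capturing sensitive prompts or customer records. The following is an added example, not part of the checklist or any vendor's tooling: a small redaction layer that scans text for well-known credential shapes (AWS access key IDs, GitHub token prefixes, bearer tokens, `key=value` style secrets) and basic customer PII (email addresses, Luhn-valid card numbers) and replaces them before a log record is written. The pattern list, the logger name and every sample line are constructed for illustration; in practice you would extend the patterns to the providers you actually use.

```python
"""
Added example (not part of the checklist): redact credentials and customer
PII from prompt text before it reaches a log. Patterns and sample lines are
constructed for illustration; the AWS key below is AWS's public example ID.
"""
from __future__ import annotations

import logging
import re

# (label, pattern). Credential shapes are public, well-known prefixes/formats;
# the PII patterns are deliberately simple and meant to be extended.
PATTERNS = [
    ("AWS_ACCESS_KEY", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("GITHUB_TOKEN", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("BEARER_TOKEN", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]+=*")),
    ("GENERIC_SECRET", re.compile(r"(?i)(api[_-]?key|secret|password|token)\s*[:=]\s*\S+")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    # 13-19 digits with optional space/dash separators; confirmed with Luhn below
    ("CARD_NUMBER", re.compile(r"\b\d(?:[ -]?\d){12,18}\b")),
]


def _luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to avoid redacting order ids that merely look like cards."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(text: str) -> tuple[str, list[str]]:
    """Return (redacted text, labels of the patterns that fired)."""
    findings: list[str] = []
    for label, pattern in PATTERNS:
        def _sub(m: re.Match, label: str = label) -> str:
            if label == "CARD_NUMBER":
                digits = re.sub(r"\D", "", m.group(0))
                if not _luhn_ok(digits):
                    return m.group(0)  # not a card number; leave it untouched
            findings.append(label)
            return f"[REDACTED:{label}]"
        text = pattern.sub(_sub, text)
    return text, findings


def scan_lines(lines: list[str]) -> tuple[list[str], set[str]]:
    """Redact a batch of lines (e.g. exported prompt history) and report what was found."""
    redacted, labels = [], set()
    for line in lines:
        clean, found = redact(line)
        redacted.append(clean)
        labels.update(found)
    return redacted, labels


class RedactingFilter(logging.Filter):
    """Logging filter that redacts the message and its %-args before emission."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, _ = redact(str(record.msg))
        if isinstance(record.args, tuple):
            record.args = tuple(redact(str(a))[0] for a in record.args)
        return True


class _ListHandler(logging.Handler):
    """Collects formatted records in memory so the result can be inspected."""
    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def demo_logger(lines: list[str]) -> list[str]:
    """Log each constructed line through a redacting logger; return what was emitted."""
    logger = logging.getLogger("ai-prompts-demo")  # constructed logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    for line in lines:
        logger.info("prompt=%s", line)
    return handler.lines


# Constructed sample of what an unfiltered prompt log might contain.
SAMPLE_PROMPT_LOG = [
    "user prompt: summarise this invoice for jane.doe@example.com",
    "tool call: s3 list with AKIAIOSFODNN7EXAMPLE",
    "retry with Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig",
    "customer paid with card 4111 1111 1111 1111 last month",
    "order id 1234567890123 shipped",  # 13 digits, fails Luhn, left alone
    "deploy notes: nothing sensitive here",
]

if __name__ == "__main__":
    for line in demo_logger(SAMPLE_PROMPT_LOG):
        print(line)
```

Attach `RedactingFilter` to the handler that writes your AI-related logs, and run `scan_lines` over exported prompt history or repository text during the review in the development section; the labels it returns tell you which checklist item the finding belongs to.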

Oversight & Accountability

  • Assign ownership of AI governance decisions — even if it is just you for now.
  • Create a simple process for reviewing new AI tools before adoption.
  • Schedule a quarterly review of your AI tool inventory.

Documentation

  • Document your AI tools, usage policies, and risk controls in writing.
  • Keep vendor terms and data processing agreements on file.
  • If you are pursuing SOC 2 readiness or cyber insurance, confirm what your auditor or insurer requires around AI tool use.

Quick Score

0–5 Not Started items: Basic AI governance is forming. Focus on documentation and review cycles.

6–12 Not Started items: Moderate unmanaged AI risk. Start with tool inventory, data exposure, acceptable use, and vendor review.

13+ Not Started items: High unmanaged AI risk. Do not scale AI use or ship AI-assisted workflows until ownership, data handling, and review controls are clear.


Framework alignment: This checklist is informed by practical AI governance concepts from NIST AI RMF, ISO/IEC 42001, and OWASP LLM application security guidance.
