How to Audit Your Company's AI Data Exposure in 90 Minutes

Your employees are feeding proprietary data into ChatGPT, Claude, and Gemini right now. Not because they're careless—because they need to get work done, and nobody told them what not to paste.

The average enterprise leaks sensitive data through AI tools 3.4 times per employee per week. Here's how to find out if yours is one of them.

What You'll Discover

By the end of this audit, you'll have:

  • A 30-day remediation plan

What You Need

  • 90 minutes of uninterrupted time

Step 1: Inventory AI Tool Access (20 minutes)

Pull a list of all SaaS applications your employees have authenticated with in the last 90 days. Look for these flags:

Direct AI tools: ChatGPT, Claude, Gemini, Perplexity, Copilot

AI-powered SaaS: Notion AI, Slack AI, Grammarly, Canva AI

Developer tools: GitHub Copilot, Cursor, Replit, Vercel v0

Most identity providers export this as a CSV. Sort by user count.

Red flag: Any tool with >10 users that IT didn't approve.

Common mistake: Don't just look at enterprise plans. Free-tier signups with work emails count too. Someone on your marketing team used their @company.com email to create a ChatGPT free account? That's in scope.

Step 2: Check DNS Logs for Data Uploads (25 minutes)

Query your firewall or DNS logs for outbound traffic to these domains in the last 30 days:

  • copilot.microsoft.com (Microsoft Copilot)

Count unique source IPs. Each IP represents a potential leak point.

What you're looking for: large POST requests to these endpoints during business hours. That's someone uploading a document. Note that DNS logs only show that a host resolved the domain; the request method and size have to come from your web proxy or firewall logs.
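As an added example (not code from the original article), a small Python script that runs the Step 2 check over constructed DNS log lines: it matches query names against a watch list, counts unique source IPs per domain, and counts how many lookups fall in business hours. The log line format, the business-hours definition and the two domains beyond copilot.microsoft.com are assumptions.

```python
from collections import defaultdict
from datetime import datetime
# Watch list; copilot.microsoft.com is from the checklist above, the other two are assumed additions.
AI_DOMAINS = {
    "copilot.microsoft.com": "Microsoft Copilot",
    "chatgpt.com": "ChatGPT",
    "claude.ai": "Claude",
}

# Constructed sample DNS log lines: "<ISO timestamp> <client IP> <query name>".
SAMPLE_LOG = """\
2024-05-06T09:12:03 10.1.4.22 copilot.microsoft.com
2024-05-06T09:12:05 10.1.4.22 cdn.copilot.microsoft.com
2024-05-06T10:30:41 10.1.7.90 chatgpt.com
2024-05-06T22:15:10 10.1.4.22 claude.ai
2024-05-06T11:02:17 10.1.9.5 example.com
"""

def match_domain(qname):
    """Return the watch-list domain that qname equals or is a subdomain of, else None."""
    qname = qname.lower().rstrip(".")
    for domain in AI_DOMAINS:
        if qname == domain or qname.endswith("." + domain):
            return domain
    return None

def in_business_hours(ts):
    """Assumed definition: Monday to Friday, 09:00 to 18:00 in the log's local time."""
    return ts.weekday() < 5 and 9 <= ts.hour < 18

def summarize(log_text):
    """Per watched domain: unique client IPs seen and number of business-hours lookups."""
    hits = defaultdict(lambda: {"source_ips": set(), "business_hours_lookups": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the audit
        ts_str, src_ip, qname = parts
        domain = match_domain(qname)
        if domain is None:
            continue
        hits[domain]["source_ips"].add(src_ip)
        if in_business_hours(datetime.fromisoformat(ts_str)):
            hits[domain]["business_hours_lookups"] += 1
    return dict(hits)

if __name__ == "__main__":
    for domain, info in sorted(summarize(SAMPLE_LOG).items()):
        print(AI_DOMAINS[domain], len(info["source_ips"]), info["business_hours_lookups"])
```

Point it at an export of your resolver logs in the same three-column shape; the unique IP count per domain is the figure Step 2 asks for.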

Step 3: Scan File Repositories (25 minutes)

Check your cloud storage (Google Drive, SharePoint, Dropbox) for files with these names:

  • Documents copied to personal drives with AI tool names in the title

Also check your email gateway for outbound attachments to AI tool domains.

The number that matters: What percentage of your confidential docs have been copied or exported? If it's >5%, you have a training data exposure problem.

Step 4: Interview Department Heads (15 minutes)

Ask each department head:

  • "Do you know if that data trains future models?"

Most will answer #1 confidently, hesitate on #2, and get #3 wrong.

Step 5: Score and Prioritize (5 minutes)

Rate each tool:

| Risk Level | Criteria |
|------------|----------|
| Critical | Customer data uploaded, no enterprise contract, trains on data |
| High | Internal docs uploaded, some compliance controls |
| Medium | Prompts only, enterprise plan with data protection |
| Low | Approved tool, zero data retention, on-prem deployment |

Calculate the exposure score: (Critical findings × 10) + (High × 5) + (Medium × 2). A score above 50 means you need executive escalation this week. Above 100 means you should consider pausing AI tool usage until controls are in place.

Document everything. The audit report is evidence of due diligence. If a breach happens later and you can show you identified the risk, your legal exposure drops significantly. If you knew about the exposure and did nothing, liability increases.

The Catch

This audit only covers known tools. Shadow AI is exactly that—shadow. Employees use personal accounts, mobile apps, and browser extensions you can't see in DNS logs.

It also doesn't catch prompt-level leaks. Someone typing "Here's our Q2 revenue: $12M..." into ChatGPT doesn't upload a file. The data still trains the model.

The 90-minute version is a starting point, not a security program. If you find critical exposure, you need a full data governance review. But 90 minutes beats never looking.

What to Do Next

  • Review contracts with approved AI vendors. Confirm zero data retention and no training on your data.

The Bottom Line

You can't protect what you can't see. This audit won't make you Fort Knox, but it'll show you where the doors are unlocked. Run it this week before your next board meeting asks why customer data is in someone else's training set.