The problem
The typical story goes like this: a department head signs up for an AI writing tool, a developer starts using a code assistant, and someone in finance connects a workflow automation platform to your CRM. None of it goes through IT. By the time you hear about it, the tools are embedded in daily work and the contracts are signed.
When you do try to get your arms around it — maybe after a vendor audit question or an internal policy push — the review process looks something like this: someone Googles the vendor, skims a SOC 2 summary PDF, and calls it done. That approach isn’t a risk assessment. It’s a paper trail that gives the appearance of due diligence without actually producing any.
The real problem isn’t that teams skip risk assessments because they’re lazy. It’s that nobody has given them a repeatable method that’s proportionate to the actual risk and actually completable without a full GRC team. Enterprise frameworks like NIST AI RMF and ISO 42001 are the right conceptual anchors, but they weren’t written for an IT manager at a 150-person company who owns AI governance on top of three other jobs.
The gap between “we reviewed it” and “we can prove we reviewed it consistently” is exactly where AI governance programs break down. If you want to understand why that happens more broadly, “Why AI governance programs fail before they start” covers the structural reasons in detail.
What good enough looks like
“Good enough” is not a low bar. It means your review process is documented, repeatable, and defensible — meaning if a client, auditor, or regulator asked you to walk them through how you evaluated a specific AI tool, you could do it in plain language and show your work.
For a mid-market IT team, good enough has four practical properties.
First, it covers the right scope. You can’t assess tools you don’t know exist. Good enough starts with an accurate inventory of AI tools in use across the organization — including the ones employees adopted without asking. That’s harder than it sounds, and “How to build an AI tool inventory without enterprise software” walks through a realistic approach.
Second, it asks consistent questions. Every tool goes through the same evaluation criteria, applied the same way, not a checklist that changes depending on who’s doing the review. “What to ask before you sign” covers the specific questions that actually matter at the contract and vendor level.
Third, it produces a record. A conversation or a Slack message doesn’t count. The assessment needs to exist somewhere that can be retrieved, versioned, and exported. This doesn’t require expensive software, but it does require a defined place and format.
Fourth, it maps to your data exposure. A tool that only touches internal schedules is a different risk tier than a tool that processes customer PII or proprietary financial data. Your assessment process should reflect that difference explicitly, not treat every tool the same.
If you have those four properties in place, you’re ahead of most organizations your size. Everything beyond that is maturity, not minimum viability.
A practical method
The following six steps are a starting framework, not a comprehensive methodology. Each step links to deeper Insights posts where the full detail lives. The goal here is orientation — a clear sequence you can hand to a team member or use to scope out a first-pass assessment program.
1. Build your tool inventory before you assess anything.
You cannot risk-assess tools you don’t know about. Start by pulling a list of every AI-enabled tool the organization currently pays for, every tool employees are using on personal accounts for work purposes, and every AI feature embedded in platforms you already own (CRM, HR, productivity suites). The shadow AI problem is real at companies of every size — employees are often using tools no one in IT has seen. Get the inventory right first.
2. Tier your tools by data sensitivity.
Not every tool warrants the same depth of review. A quick tiering exercise — high, medium, low — based on what data the tool touches and how it’s used will let you prioritize your effort. Tools that process customer data, employee records, or regulated information go in the high tier and get a full assessment. Tools that operate on internal non-sensitive workflows can be reviewed more lightly.
3. Define your assessment criteria before you start reviewing vendors.
Decide what questions you’re asking before you open the first vendor security page. The criteria should cover data handling and residency, subprocessor disclosures, model training practices (does the vendor train on your data by default?), incident notification commitments, and contractual data deletion rights. “What to ask before you sign” has the full question set.
4. Run a structured review for each high-tier tool.
For tools in your high tier, request vendor documentation, review it against your criteria, and record the outcome. “Reviewed and accepted” is not a complete finding. Document what you reviewed, what gaps you identified, what compensating controls (if any) you applied, and who approved the decision. “How to run a defensible AI vendor risk assessment” covers the full review process, including how to handle vendors who won’t provide adequate documentation.
5. Check your use policy against what you find.
A risk assessment without a corresponding use policy is incomplete. As you review tools, you’ll surface gaps between what the policy says and how tools are actually being used. “Five things your AI use policy is missing” identifies the clauses most organizations forget — particularly around personal account use, data classification, and employee accountability.
6. Log outcomes and set a review cadence.
An assessment you run once and never revisit isn’t a governance program. Capture your findings somewhere structured, flag tools for periodic re-review (especially when contracts renew or the vendor makes significant product changes), and establish who owns the process going forward. This is the point where informal reviews break down into inconsistency — somebody leaves, the Confluence page gets stale, and six months later nobody’s sure what was reviewed and what wasn’t.
If you want to make that last step stick without building a custom system from scratch, InfoDefenders’ AI Risk Assessor is purpose-built for exactly this workflow — structured assessments, documented findings, and evidence you can export when someone asks for it.
Where to go from here
This page is the starting point. The Insights posts linked throughout this page are the step-by-step guides. If you’re not sure where to begin, start with your tool inventory — it’s the prerequisite for everything else, and most teams discover the list is longer than they expected.
If you want to run your first structured assessment this week, start with “How to run a defensible AI vendor risk assessment” and pick the one high-risk tool on your list that’s been sitting in the “we should look at that” pile the longest. One documented, completed assessment is more valuable than a governance plan that never gets started.