AI Governance Checklist for IT and Security Teams

May 19, 2026 | By ShadowLock Team | Tags: AI governance, checklist, compliance

The AI governance checklist below covers the eighteen items that auditors increasingly examine in SOC 2, HIPAA, and GDPR audits. Each item is paired with the specific action that closes the gap. Skim-ready, action-oriented, and grounded in what we see actually evaluated in real audits, not theoretical best practice.

Use this checklist two ways: as a gap analysis before your next audit cycle, and as a roadmap for building an AI governance program from scratch. Items are grouped by the six components of the broader AI governance framework.

Policy (5 items)

  • Written AI acceptable use policy exists. Action: publish a one-to-two-page AUP. Use our free template as a starting point.
  • Policy lists approved AI tools by name. Action: populate the Approved AI Tools table in the AUP. Update quarterly.
  • Policy defines prohibited data categories. Action: explicitly enumerate PII, PHI, payment card data, credentials, confidential source code, MNPI, privileged communications. Map to your existing data classification.
  • Policy addresses personal accounts. Action: explicit prohibition of personal AI accounts for work activity. Document in writing.
  • Policy reviewed within last 12 months. Action: establish an annual review cycle with named owner. Document each review.

Vendor Inventory (3 items)

  • AI vendors appear in the formal vendor inventory. Action: add OpenAI, Anthropic, Google, Microsoft, and any other AI vendors you formally use.
  • DPAs are on file for each approved AI vendor. Action: collect signed DPAs or evidence the vendor’s standard terms include adequate data protection.
  • Vendor security questionnaires or SOC 2 reports collected. Action: request the vendor’s most recent SOC 2 Type II report. Document the review.

Technical Controls (5 items)

  • Detection of AI tool usage on managed endpoints. Action: deploy an AI governance platform with endpoint and browser visibility.
  • Content classification on paste into AI tools. Action: enable classifiers for PII, credentials, source code, PHI, financial data.
  • Blocking of high-risk data categories. Action: at minimum, enable blocking for credentials and customer PII. Expand as confidence grows.
  • Coverage extends to desktop AI applications. Action: ensure your platform detects ChatGPT Desktop, Claude Desktop, GitHub Copilot in IDEs, and similar desktop AI apps.
  • Coverage extends to personal accounts. Action: use endpoint or browser-layer detection (not network-only) so personal account use is captured.

Audit Logging (2 items)

  • Per-event audit logs containing user, timestamp, tool, classifier matches, outcome. Action: confirm your AI governance platform produces this record format.
  • Logs retained for at least 90 days (longer if required by your compliance program). Action: align retention with your SOC 2 observation window or HIPAA retention requirements.

Employee Training (2 items)

  • AI policy training delivered to all employees and contractors. Action: roll into your annual security training cycle. A 10-minute module is sufficient.
  • Acknowledgement records collected and retained. Action: collect AUP acknowledgements through your HRIS. Retain alongside training records.

Review Cycle (1 item)

  • Documented quarterly review of policy, vendor inventory, and audit log trends. Action: schedule recurring reviews. Document the outputs.

How to Use the Checklist

The checklist is most useful when paired with a target audit date. Working backwards:

  • 90 days before audit: Complete Policy, Vendor Inventory, and Employee Training items. Begin Technical Controls deployment in monitor-only mode.
  • 60 days before audit: Enable blocking on highest-risk classifiers. Confirm Audit Logging configuration.
  • 30 days before audit: Run a complete dry-run of the evidence package. Pull a sample of audit logs, confirm they map to the framework controls, fix any gaps.
  • Audit: Hand over the evidence package. Walk the auditor through the framework.
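An added example (not ShadowLock code) of the 30-day dry-run step: a small Python helper that takes a constructed sample of per-event audit records and checks them against the Audit Logging items above (the required fields per event and at least 90 days of retention), and looks for evidence that blocking is active rather than monitor-only. The JSON field names, the sample records and the audit date are assumptions.

```python
"""Evidence dry-run helper: validate a sample of AI-governance audit log
records against the checklist's Audit Logging items (required fields per
event, 90-day retention) and look for blocking evidence.
Added example, not ShadowLock code; field names and records are assumptions."""
import json
from datetime import datetime, timedelta, timezone

# Fields the checklist's per-event record format names.
REQUIRED_FIELDS = ("user", "timestamp", "tool", "classifier_matches", "outcome")
RETENTION_DAYS = 90  # checklist minimum; raise to match your compliance program
AUDIT_DATE = datetime(2026, 5, 19, tzinfo=timezone.utc)  # constructed target date

# Constructed sample export (not real data), one JSON record per line.
# The last record is deliberately missing its timestamp.
SAMPLE_LOG = """\
{"user": "alice@example.com", "timestamp": "2026-01-20T14:02:11Z", "tool": "ChatGPT Desktop", "classifier_matches": ["credentials"], "outcome": "blocked"}
{"user": "bob@example.com", "timestamp": "2026-03-05T09:41:00Z", "tool": "Claude (browser)", "classifier_matches": [], "outcome": "allowed"}
{"user": "carol@example.com", "timestamp": "2026-04-28T16:15:37Z", "tool": "GitHub Copilot", "classifier_matches": ["source_code"], "outcome": "monitored"}
{"user": "dave@example.com", "tool": "ChatGPT Desktop", "classifier_matches": ["pii"], "outcome": "blocked"}
"""

def parse_records(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def missing_fields(record):
    """Return the required fields a record lacks (empty tuple means complete)."""
    return tuple(f for f in REQUIRED_FIELDS if f not in record)

def retention_covered(records, now):
    """True if the oldest complete record is at least RETENTION_DAYS old."""
    stamps = [datetime.fromisoformat(r["timestamp"].replace("Z", "+00:00"))
              for r in records if not missing_fields(r)]
    return bool(stamps) and (now - min(stamps)) >= timedelta(days=RETENTION_DAYS)

def dry_run(text, now):
    """Summarise the sample: schema gaps, blocking evidence, retention coverage."""
    records = parse_records(text)
    return {
        "events": len(records),
        "incomplete": sum(1 for r in records if missing_fields(r)),
        # any "blocked" outcome shows the platform is not monitor-only
        "blocking_evidence": any(r.get("outcome") == "blocked" for r in records),
        "retention_ok": retention_covered(records, now),
    }

if __name__ == "__main__":
    print(dry_run(SAMPLE_LOG, AUDIT_DATE))
```

Any record reported as incomplete, or a False retention or blocking result, is a gap to close before the evidence package is handed over.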

Organizations that complete the checklist before the audit window opens generally pass cleanly. Organizations that try to retrofit after findings appear pay significantly more in time and consulting fees.

What Auditors Actually Examine

Anecdotally, these are the items most frequently audited in 2025-2026 SOC 2 Type II reviews:

  1. Is there a written AI policy? (Audited universally)
  2. Are AI vendors in the vendor inventory? (Audited universally)
  3. Can you produce audit logs showing the technical control is operating? (Audited in 60-70% of recent reviews, increasing)
  4. Were employees trained on the policy and did they acknowledge it? (Audited in 50-60%)
  5. Has the policy been reviewed in the last 12 months? (Audited in 40-50%)

The first three are now table stakes. The fourth and fifth are emerging expectations.

Common Gaps We See

Across customer environments and audit prep engagements, the same gaps appear repeatedly:

The “policy without enforcement” gap. A written AUP with no technical control behind it. The most common single gap. Closing it requires deploying an AI governance platform that produces audit evidence.

The “approved list without DPAs” gap. An approved AI tools list in the policy that does not match what is actually documented in the vendor inventory. The fix is to align the two: every tool on the approved list needs a DPA on file.

The “monitor-only forever” gap. A platform deployed in monitor-only mode that never moves to blocking. Auditors will note this. Move to blocking on at least the highest-risk classifiers (credentials, PHI, customer PII) before your audit window.

The “personal accounts not addressed” gap. Policies that talk about company AI accounts but never mention personal accounts. Employees rationalize personal account use; auditors notice the gap. Close it in writing.

The “no review cycle” gap. A policy written in 2024 that has not been reviewed since. The fix is a stated annual review with documentation that the review happened.

When ShadowLock Closes These Gaps

ShadowLock directly closes the technical control, audit logging, and detection coverage items in this checklist, typically the most labor-intensive pieces. The policy, vendor inventory, training, and review cycle remain organizational work, but ShadowLock customers move from “policy without enforcement” to “policy with evidence” in under an hour of deployment.

If you are working backwards from a specific audit date, start with ShadowLock detection, pair it with the free policy template, and complete the vendor inventory in parallel. Most organizations close every item in this checklist within a single quarter.

Frequently Asked Questions

How long does it take to complete this AI governance checklist?

For a mid-market organization, three to four months from cold start. Most of the time is spent on policy review, vendor inventory population, and the two-week monitor-only deployment of the technical platform. Once those are done, the remaining items take days, not weeks.

Is this checklist for SOC 2 specifically?

No, the checklist works for SOC 2, HIPAA, and GDPR. The underlying controls are the same; only the framework-specific mappings change. For SOC 2 mappings see our AI governance framework guide. For HIPAA-specific mappings see our HIPAA AI compliance guide.

Can I complete the checklist without an AI governance platform?

Some items, yes. The policy, vendor inventory, training, and review cycle items are organizational and can be completed without any technical tooling. The technical controls and audit logging items require a platform. There is no practical way to manually produce audit logs of AI tool usage across thousands of paste events.

What is the single most important item on the checklist?

The technical control item: detection of AI tool usage on managed endpoints. Without it, none of the audit log or content classification items can be completed. With it, the rest of the program has a foundation to build on.

Is there a version of this checklist for MSPs?

The checklist is the same for MSPs at the partner level. The difference is that MSPs need to complete it once at the partner level and then have it apply cleanly across all client organizations, which is why multi-tenant architecture matters. See our MSP AI governance guide for the MSP-specific pattern.

What happens if my audit happens before I complete the checklist?

You will likely have findings. The severity depends on which items are missing. Missing the written policy is typically a higher-severity finding than missing the review cycle. The remediation path is the same regardless: complete the missing items and present the evidence at the next audit cycle.

How do I prioritize if I only have 30 days?

Top four in order: (1) publish the AUP, (2) deploy the technical control even in monitor-only mode, (3) add the AI vendors to the inventory, (4) confirm audit logging is producing records. The training, review cycle, and remaining items can be completed in the next cycle. Better to enter the audit with the foundation in place than to skip the foundation chasing completeness.


A complete AI governance program is a finite set of well-defined items. The checklist above covers what auditors actually examine. Work through it once and you have a program that holds up under audit pressure, and the foundation for whatever the AI governance landscape looks like in 2027.
