ModelCharter

How to Run an AI Risk Assessment for Your Business

An AI risk assessment doesn't need to be a big project. For most small and mid-sized teams it boils down to four questions: what AI tools do we use, what data do they touch, what are the contractual data protections, and what could go wrong if those protections fail?

Step 1: Inventory your AI tools

You can't assess what you don't know exists. Start by asking every team what AI tools they use: the ones IT bought, the ones individuals pay for themselves, and the ones built into other software (AI features in your CRM, AI writing in Notion, AI summaries in your video-conferencing tool). Shadow AI is often most of the list.

Step 2: Classify by data sensitivity

For each tool, note what data actually flows into it: public information (low risk), internal plans and IP (medium risk), personal data / PII (high risk under GDPR), protected health information (critical under HIPAA), financial or legal data (often regulated). Higher-sensitivity data demands more scrutiny of the tool's terms.

Step 3: Evaluate the tool's safeguards

For each tool handling sensitive data, check: Does it train on your inputs? What are its data-retention periods? Does it offer a DPA or BAA? Is SOC 2 or ISO 27001 in scope? Business tiers usually pass these checks; consumer tiers often don't.

Step 4: Document and act

Record what you found in a tool register (approved / conditionally approved / not approved) and update your AI usage policy to reflect the decisions. Then confirm that staff have read the updated policy. Greenlightly's tool directory and policy generator handle steps 3 and 4 without a spreadsheet.
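The four steps above can be turned into a small, repeatable register rather than a one-off spreadsheet. The script below is an added example and is not ModelCharter's or Greenlightly's code: it takes a constructed inventory (step 1), derives each tool's highest data-sensitivity tier (step 2), applies the safeguard checks (step 3) and records an approved / conditionally approved / not approved decision with the reasons (step 4). The retention thresholds, the sample tools and the choice to treat financial and legal data as high-sensitivity are assumptions made for the example, not rules from the page.

```python
"""Tool register that applies the four-step AI risk assessment.

Added example, not vendor code. Tiers follow the article; the retention
thresholds, the sample inventory and the financial/legal mapping are
constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Step 2: sensitivity tiers, ordered low -> critical.
PUBLIC, INTERNAL, PII, PHI = 0, 1, 2, 3
SENSITIVITY = {
    "public": PUBLIC,
    "internal": INTERNAL,   # internal plans and IP
    "pii": PII,             # personal data (GDPR)
    "phi": PHI,             # protected health information (HIPAA)
    "financial": PII,       # assumption: regulated data treated as high
    "legal": PII,           # assumption: regulated data treated as high
}

# Assumed maximum acceptable vendor retention per tier (days).
MAX_RETENTION_DAYS = {INTERNAL: 365, PII: 90, PHI: 30}


@dataclass(frozen=True)
class Tool:
    name: str
    users: str                      # team, or "individual (shadow AI)"
    data_classes: FrozenSet[str]    # what actually flows into the tool
    trains_on_inputs: bool
    retention_days: Optional[int]   # None = vendor states no period
    has_dpa: bool = False
    has_baa: bool = False
    has_soc2_or_iso27001: bool = False


def highest_sensitivity(tool: Tool) -> int:
    """The tier of the most sensitive data class the tool touches."""
    return max((SENSITIVITY[c] for c in tool.data_classes), default=PUBLIC)


def assess(tool: Tool) -> Tuple[str, List[str]]:
    """Step 3 checks -> (decision, findings). Blocking findings reject the
    tool; non-blocking ones make approval conditional."""
    level = highest_sensitivity(tool)
    if level == PUBLIC:
        return "approved", []          # public data: terms need no scrutiny
    blocking: List[str] = []
    conditions: List[str] = []
    if tool.trains_on_inputs:
        blocking.append("vendor trains on inputs")
    if tool.retention_days is None:
        # Unknown retention is fatal for personal/health data, a caveat otherwise.
        (blocking if level >= PII else conditions).append("retention period not stated")
    elif tool.retention_days > MAX_RETENTION_DAYS[level]:
        conditions.append(
            f"retention {tool.retention_days}d exceeds {MAX_RETENTION_DAYS[level]}d for tier")
    if level >= PII and not tool.has_dpa:
        blocking.append("no DPA for personal data")
    if level >= PHI and not tool.has_baa:
        blocking.append("no BAA for protected health information")
    if not tool.has_soc2_or_iso27001:
        conditions.append("no SOC 2 / ISO 27001 attestation in scope")
    if blocking:
        return "not approved", blocking + conditions
    if conditions:
        return "conditionally approved", conditions
    return "approved", []


def build_register(tools: List[Tool]) -> Dict[str, Tuple[str, List[str]]]:
    """Step 4: the tool register keyed by tool name."""
    return {t.name: assess(t) for t in tools}


# Step 1: constructed inventory. Note the same consumer product appears twice,
# because the decision depends on the data each team actually feeds it.
SAMPLE_INVENTORY = [
    Tool("ChatAssist consumer (marketing)", "marketing", frozenset({"public"}),
         trains_on_inputs=True, retention_days=None),
    Tool("ChatAssist consumer (sales)", "individual (shadow AI)",
         frozenset({"internal", "pii"}), trains_on_inputs=True, retention_days=None),
    Tool("DocSummarizer Business", "operations", frozenset({"internal"}),
         trains_on_inputs=False, retention_days=400),
    Tool("ClinicScribe Enterprise", "clinical", frozenset({"pii", "phi"}),
         trains_on_inputs=False, retention_days=30,
         has_dpa=True, has_baa=True, has_soc2_or_iso27001=True),
]

if __name__ == "__main__":
    for name, (decision, findings) in build_register(SAMPLE_INVENTORY).items():
        print(f"{name}: {decision}" + (f" ({'; '.join(findings)})" if findings else ""))
```

Running it prints one line per tool; the interesting rows are the two ChatAssist entries, which show that the same consumer tier is fine for public marketing copy but not approved once a sales rep pastes customer details into it.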

Put this into practice

Generate a free AI usage policy for your team, then see which of your tools are safe to use.
