AI Tool Security: What to Check Before Approval

Approving a new AI tool takes five minutes if you're just clicking 'OK'. Doing it properly takes closer to 30, but it avoids the kind of discovery that shows up in an audit or a breach. Here's what to check before you say yes.

1. Training and data use

Does the tool train on your inputs? Check the terms of service or privacy policy for the specific tier you're evaluating, not the default consumer terms. Most enterprise and business tiers exclude your data from training; most consumer tiers don't (or do so only if you opt out, which most users never do).

2. Data retention

How long does the vendor keep your conversations or uploaded data? Standard retention periods range from 0 to 90 days on business tiers. Longer retention means more exposure if the vendor is breached.

3. Compliance certifications

SOC 2 Type II is the baseline for B2B SaaS. ISO 27001 is stronger. For EU data, look for a Data Processing Agreement (DPA) and check whether the vendor is on the EU's Standard Contractual Clauses (SCCs) pathway. For health data, a BAA is required before any PHI touches the tool.

4. Access controls

Does the business tier support SSO, role-based permissions and admin controls? If individuals can create accounts outside the business workspace, shadow AI is still a risk even after you 'approved' the tool at the org level.

5. Incident response

What is the vendor's breach notification obligation and timeline? Under GDPR you have 72 hours. A vendor that can't tell you their own notification SLA is a red flag. Greenlightly's tool directory has pre-checked these points for the most common AI tools so you don't have to research each one from scratch.