The Small Business AI Audit You Should Run
- 71% of employees use AI tools without employer approval — meaning AI is almost certainly already in your business, whether you chose it or not.
- A shadow AI audit starts with a two-question anonymous survey you can build in Google Forms in under 10 minutes.
- The most common risk isn’t employees doing something wrong — it’s client data flowing into free AI accounts with no data agreements in place.
- Most small businesses that run this audit discover 3–5 AI tools in active use they never purchased, vetted, or approved.
- The full process — survey, subscriptions check, team conversation, one-page policy — takes less than one week with no outside help.
Your paralegal has been using ChatGPT for three months. They figured out they could draft routine correspondence in a quarter of the time, so they just started doing it. Nobody told them to. Nobody told them not to. They’re pasting client names, case details, and billing information into a free public AI account because it helps them get through the day.
You didn’t know. You still wouldn’t know — except you’re reading this. And this scenario isn’t unusual. It’s the baseline for most small businesses right now. Your team is resourceful. They found tools that make their work faster and they used them. The problem isn’t that they did it. The problem is that nobody mapped it, nobody vetted it, and nobody made a decision about it. That’s the gap an AI audit closes.
You Manage What You Can See
Until a few years ago, “what tools does my team use” had a clear answer. Your stack was whatever you paid for — QuickBooks, your CRM, Google Workspace, maybe a project management app. You bought it, you controlled it. AI changed that overnight. Every employee now has access to powerful AI tools for free, on personal accounts, in their browser, without a single charge appearing on your credit card statement. The result is a split-screen business: the tools you think you’re running, and the tools actually running your operations.
Here’s what that typically looks like in practice. These are the tools that show up most often when small businesses run their first audit:
| Tool | What teams use it for | Risk on free accounts | Business plan cost |
|---|---|---|---|
| ChatGPT | Writing, research, drafts, summaries | Prompts may be used to train the model | Team: $30/user/mo |
| Otter.ai | Meeting transcription, action item capture | Audio stored on shared third-party servers | Business: $20/user/mo |
| Grammarly | Writing and editing assistance | Document content processed on their servers | Business: $15/user/mo |
| Perplexity | Research, summarizing, quick answers | All queries are logged by default | Pro: $20/mo |
| Microsoft Copilot | Writing, coding, search, email | Often already in your M365 plan — unused | Included in many M365 Business tiers |
Pricing as of early 2026. Business plans include data processing agreements that keep your content off training sets.
The good news: this is completely fixable. You don’t need a consultant, a compliance officer, or a new software platform. You need about a week and three honest conversations with your team.
Step One: The Two-Question Survey
The fastest way to map your AI use is to ask — directly and anonymously. Anonymity matters here. When employees aren’t worried about getting in trouble, you get truthful answers instead of sanitized ones. Two questions are all you need:
- What AI tools do you use for work? (ChatGPT, Copilot, Claude, Grammarly, Otter.ai, Midjourney, AI built into another app — list anything that counts)
- What do you use them for? (drafting documents, summarizing, research, client communication, internal notes, transcriptions — describe the actual tasks)
Build this in Google Forms. It takes five minutes. Send it on a Monday morning with a short note: “I’m doing a quick inventory of AI tools the team uses — no judgment, I just want to understand what’s actually working. Takes two minutes.” You’ll have results by lunch, and they will almost certainly surprise you.
The goal of this survey isn’t to catch anyone. It’s to find out what’s working — so you can make it official, make it safe, and stop paying for tools nobody uses while your team uses tools you don’t know about.
Step Two: The Subscriptions Check
The survey tells you what’s in people’s heads. The subscriptions check tells you what’s on your cards — and theirs. Pull 90 days of business card transactions and search for anything you don’t immediately recognize. Common surprises: ChatGPT Plus at $20/month (often on personal cards employees are quietly expensing), Otter.ai at $17/month, Jasper at $49/month, Perplexity Pro at $20/month. Then ask your team to do a quick scan of their own accounts — not to expose personal spending, just to flag any AI tools they use for work and pay for themselves.
This exercise does two things. First, it tells you whether people are paying out of pocket for tools that are genuinely valuable — a strong signal those tools are worth centralizing on a business account with proper data protections. Second, it tells you whether you’re double-paying for capabilities already sitting inside software you own. Microsoft 365 customers are often separately paying for ChatGPT Plus, not realizing that Microsoft Copilot is already included in their plan and covers most of the same tasks.
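The 90-day card check described above can be run over a CSV export of your statement. This is an added example, not part of the original article: the column names, merchant descriptor spellings and sample rows are assumptions constructed for illustration, so adjust them to what your card issuer exports.

```python
import csv
from collections import defaultdict
from datetime import date, timedelta

# Tool names come from the article; the descriptor substrings are assumptions.
# Short names such as "jasper" can match unrelated merchants, so review each hit.
AI_VENDORS = {
    "ChatGPT": ("openai", "chatgpt"),
    "Otter.ai": ("otter.ai", "otterai"),
    "Jasper": ("jasper",),
    "Perplexity": ("perplexity",),
    "Grammarly": ("grammarly",),
}

# Constructed sample export (date, description, amount, card); not real data.
SAMPLE_CSV = """date,description,amount,card
2026-01-05,OPENAI *CHATGPT SUBSCR,20.00,1111
2026-02-05,OPENAI *CHATGPT SUBSCR,20.00,1111
2026-03-05,OPENAI *CHATGPT SUBSCR,20.00,1111
2026-02-17,OTTER.AI PRO,17.00,2222
2026-03-01,INTUIT *QUICKBOOKS,35.00,1111
2025-11-20,PERPLEXITY AI,20.00,2222
"""

def find_ai_charges(csv_text, today, window_days=90):
    """Summarise AI-tool charges in the window; a tool billed in two or more
    calendar months is flagged as recurring (a likely subscription)."""
    cutoff = today - timedelta(days=window_days)
    found = defaultdict(lambda: {"total": 0.0, "charges": 0, "cards": set(), "months": set()})
    for row in csv.DictReader(csv_text.splitlines()):
        when = date.fromisoformat(row["date"])
        if not cutoff <= when <= today:
            continue  # outside the 90-day window
        desc = row["description"].lower()
        for tool, needles in AI_VENDORS.items():
            if any(n in desc for n in needles):
                hit = found[tool]
                hit["total"] += float(row["amount"])
                hit["charges"] += 1
                hit["cards"].add(row["card"])
                hit["months"].add((when.year, when.month))
                break
    return {
        tool: {"total": round(h["total"], 2), "charges": h["charges"],
               "cards": sorted(h["cards"]), "recurring": len(h["months"]) >= 2}
        for tool, h in found.items()
    }

if __name__ == "__main__":
    print(find_ai_charges(SAMPLE_CSV, today=date(2026, 3, 15)))
```

Charges on free accounts never appear on a statement, so this complements the survey rather than replacing it.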
What We See When Businesses Run This AI Audit
A few patterns show up with remarkable consistency. There’s almost always at least one employee using ChatGPT daily on a free account — usually someone in an admin, writing, or client-facing role who figured out it made their job faster. There’s usually a transcription tool (Otter.ai is the most common) capturing meeting audio to a third-party server nobody vetted. And there’s almost always an AI assistant buried inside a tool the team already uses — an email client, a browser extension, a CRM add-on — that nobody knowingly enabled.
None of this reflects badly on the employees. They’re doing their jobs. The gap is that the business never set a policy, so the team made their own calls. What the audit does is surface all of it — quickly and without drama — so you can make the decisions that were always yours to make. Once you know what’s there, the fix is usually straightforward: move the tools worth keeping to business-grade plans, drop the ones that aren’t, and write the one-page policy that makes the ground rules clear. Total cost to get there: under $100/month for most small teams.

What to Do This Week
You don’t need to solve everything at once. Here’s the right order:
- Send the two-question survey today. Set up a Google Form with the two questions above and send it to your team this morning. Eight minutes of setup. No cost. You’ll know more about your AI exposure by end of day than most business owners ever find out.
- Run the subscriptions check. Pull 90 days of business card transactions and look for AI tools. Then compare against what your current software stack already includes — chances are good you’re paying for something twice, or your team is paying out of pocket for something worth centralizing.
- Have a 30-minute team conversation. Share what you found (anonymized). Set one ground rule right now: no client data or confidential business information into free AI accounts until you’ve made a shared decision about what’s approved. That single rule addresses the majority of your exposure while you work out the rest.
| Day | Action | Time needed | Cost |
|---|---|---|---|
| Day 1 | Build and send the two-question anonymous survey | 10 min | Free |
| Day 2 | Review survey results + pull 90 days of card statements | 30 min | Free |
| Day 3 | Team standup: share findings, set the one ground rule | 30 min | Free |
| Day 5 | Move approved tools to business plans; draft one-page policy | 45 min | $30–$100/mo depending on team size |
Most small businesses complete their full AI audit in under a week without any outside help.
That policy conversation doesn’t have to be a formal document. A clear team decision about which tools are approved, and a shared understanding that client data stays in vetted platforms, is enough to get started. You can build from there.