01Name which employees, contractors, departments, workflows, records, vendors, public AI tools, and AI agents are covered.
02Track which employee AI uses are approved, unofficial, under review, vendor-owned, risky, repeated, or ready for a governed workflow.
03List approved AI tools, vendor owners, data handling rules, procurement status, support path, and when a new tool needs review.
04Define where employees may summarize, draft, classify, extract, research, analyze, translate, or prepare work with AI.
05Escalate AI uses that affect customers, employees, eligibility, pricing, advice, compliance claims, or permanent records.
06Block or restrict customer data, employee data, health data, financial records, legal files, credentials, pricing, and proprietary content.
07Require review before AI-assisted work is sent to customers, posted publicly, used for legal or compliance claims, or recorded permanently.
08Block final decisions, deceptive content, credential handling, permission changes, unsupported tools, confidential uploads, and policy bypasses.
09Give employees a way to disclose unofficial AI tools, request approval, migrate risky usage, and report accidental exposure.
10Keep evidence for tool approvals, reviewer decisions, blocked use, data exposure, incidents, exceptions, and policy updates.
11Escalate repeated AI use into a governed workflow when it touches production systems, customers, money, compliance, or records.