AI in The Workplace: How to Conduct an AI Risk Assessment

Artificial intelligence is reshaping how we work and it’s doing so at an incredible pace. In fact, 72% of businesses use AI for at least one business function. From writing tools to data analysis, AI is woven into daily tasks without a second thought.

For many organizations the rapid adoption of AI presents both an advantage and a challenge, especially for IT and security teams. It’s no longer a question of whether AI tools are used, but how employees are using them–and more importantly, how you assess and manage the risks that come with it.

We’ve put together a comprehensive guide to help you conduct an AI risk assessment for your organization by simply following 4 foundational steps and knowing what to consider when adopting AI applications.

It Might Not Steal Your Job, But It’s Here to Stay

Take a typical day at the office: A marketing team might use an AI-driven tool to draft social media posts, a sales rep might rely on AI to prioritize leads, and a product team might run data analysis through machine learning. 

These tools are empowering teams, but as employees freely choose and start using AI applications to streamline their work, they may inadvertently introduce risks by sidestepping IT. And with new AI tools springing up nearly every day, it’s a steep climb for IT and security teams to control which applications are in use, let alone which ones are secure.

When asked about the speed of AI, fear dominates. According to survey data from JumpCloud’s Q3 SME IT Trends, 61% of organizations agreed that AI is outpacing their organization’s ability to protect against threats.

How to Assess The Risk of AI Tools Employees Use

1. Identification: What AI Tools Are Being Used in Your Company?

The first step in conducting an AI risk assessment is understanding what AI tools are in use across your organization. This requires a comprehensive inventory of all AI-related accounts and applications employees might be using–whether they are IT-approved or not.

Without this visibility, businesses risk unapproved SaaS applications slipping into daily workflows, leading to security and compliance gaps. There are a few ways for IT teams to approach SaaS discovery and find AI tools. These include:

• Manual inventory: Some companies begin by cataloging known AI tools in use, assigning owners to update the list as new tools emerge. While straightforward, this method can quickly fall out of date as employees adopt new AI tools without any official authorization.

• Network monitoring: This method tracks web traffic to detect commonly used AI applications. By identifying frequently accessed sites or services, IT can establish a baseline for AI usage. However, it may still cause blindspots when it comes to niche or newly launched tools as it often relies on databases of known or frequently accessed applications.

• App integration review: By analyzing connections to core business applications, IT teams can identify AI tools directly integrated with critical systems. This narrow focus helps address risks to high-value assets, but it may overlook AI tools used outside core applications.

• SaaS management solutions: These solutions offer automated SaaS discovery and monitoring capabilities, allowing IT teams to detect both sanctioned and unsanctioned AI applications quickly. SaaS management tools simplify tracking and reporting on SaaS usage, making it easier to maintain an up-to-date inventory and address shadow IT risks effectively.

2. Evaluation: How Do AI Vendors’ Approach Security & Privacy?

After identifying which AI tools are in use across your organization, the next step is to evaluate each vendor’s approach to security and privacy. AI applications often handle sensitive data, making it critical to understand the practices of each vendor to prevent potential breaches and data misuse.

When evaluating AI vendors and SaaS applications that use third-party GenAI for their services, IT and security leaders should consider the following key factors:

• Does the vendor adhere to recognized security standards like SOC 2, ISO 27001, or GDPR compliance?
• Are data transfers between your organization and the vendor encrypted?
• Does the vendor anonymize sensitive data and avoid using customer data for training AI models?
• Has the vendor experienced recent data breaches, and how were they handled?
• Does the vendor notify clients promptly following a security incident?
• What are the vendor’s data retention policies? Is data permanently deleted upon request?

These core questions give you a structured way to evaluate the security and privacy practices of each vendor, helping you ensure that only trustworthy tools are adopted within your organization.

3. Tracing: What AI Tools Connect to Core Business Applications?

According to Splunk’s latest security report, 91% of security teams are utilizing generative AI, yet 65% admit they lack a full understanding of the implications.

After identifying and evaluating the AI tools in use, the next step is mapping out which tools interact with your organization’s core business applications. This helps reveal any data-sharing pathways and security implications involved in these integrations. 

Key areas to consider include:

• How are AI tools connecting to core business applications–through APIs, OAuth grants, or other methods?
• Are secure protocols like OAuth 2.0 in place to manage access permissions?
• Do these connections specify minimal data access (e.g., read-only access) to limit risk?
• What specific data is shared between AI tools and business applications?
• Are highly sensitive data types (e.g. PII, financial records) being shared? If so, are they encrypted and anonymized?

Mapping these connections can uncover vulnerabilities, such as overly broad access scopes or unencrypted data exchange, and helps you ensure that only vetted, secure pathways are used for AI integrations.

4. Communication: How Are Employees Using AI Tools?

The final step into assessing AI risks in your organization is to look at how employees interact with AI tools daily. Clear communication and education are vital to making sure they understand the acceptable use of these tools, including which AI applications are approved and how to use them safely.

Without a clear communication, employees may unknowingly bypass IT guidelines or engage in risky AI usage, potentially exposing your organization to security risks.

To improve communication around AI use, consider the following factors:

• Establish a clear acceptable use policy
  • Outline which AI tools are approved and provide guidance on how to request new tools. 
  • Make sure this policy addresses data handling best practices to avoid the entry of sensitive or confidential information into any AI tool.
  • Distribute the policy organization-wide, making it accessible and easy to reference whenever employees have questions.

• Educate and train employees
• Establish a streamlined process for submitting requests for new AI tools
• Set up a clear reporting system for employees to raise concerns or report unintended security issues when using AI tools

How JumpCloud Simplifies Finding & Managing AI Tools

JumpCloud’s SaaS Management solution simplifies tracking and managing SaaS applications across your organization, including AI tools employees are using–whether authorized or not–ensuring security and compliance.

• Automatically detect and track AI and other SaaS applications through native integrations with Google Workspace, Microsoft Entra ID, and more.
• Identify unauthorized AI tools via browser-based discovery.
• Automatically warn users when they attempt to access unapproved AI tools.
• Block access to those tools, showing a clear message in the browser to prevent usage.

You can also add niche or newly launched AI tools to your inventory manually even before they are detected, ensuring full coverage. Then, IT administrators can easily manage access and report on usage.

Ready to see how JumpCloud SaaS Management simplifies IT? Try it for free to see it for yourself.