AI Egress Audit Checklist
A practical checklist for finding where sensitive company data leaves your control through ChatGPT, Claude, Gemini, Copilot, and other AI tools.
An AI egress audit identifies where employees send sensitive data into AI tools outside the company’s control. It is not a legal conclusion. It is the operational map that security, IT, and leadership need before they can choose a policy or replacement stack.
Use this checklist before buying another AI tool.
1. Inventory the AI tools
Start with the obvious tools:
- ChatGPT / OpenAI API
- Claude / Anthropic
- Gemini / Vertex AI
- GitHub Copilot
- Microsoft 365 Copilot
- Notion AI
- Grammarly
- Midjourney / image tools
- Browser extensions
- Custom external APIs
Then ask the uncomfortable question: which tools are employees using with personal accounts?
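If you can export proxy or DNS logs, the first pass is mechanical. A minimal sketch, assuming a CSV export with user and domain columns; the file path and the domain list are illustrative, not exhaustive:

```python
# Sketch: first-pass inventory from a proxy/DNS log export.
# Assumes a CSV with "user" and "domain" columns; the path and
# the domain list below are illustrative, not exhaustive.
import csv
from collections import defaultdict

AI_DOMAINS = {
    "chatgpt.com", "chat.openai.com", "api.openai.com",
    "claude.ai", "api.anthropic.com",
    "gemini.google.com", "aiplatform.googleapis.com",
    "copilot.microsoft.com",
    "grammarly.com", "notion.so", "midjourney.com",
}

def scan(log_path: str) -> dict[str, set[str]]:
    """Return {user: AI domains contacted} from the log export."""
    hits: dict[str, set[str]] = defaultdict(set)
    with open(log_path, newline="") as f:
        for row in csv.DictReader(f):
            domain = row["domain"].lower().removeprefix("www.")
            if any(domain == d or domain.endswith("." + d) for d in AI_DOMAINS):
                hits[row["user"]].add(domain)
    return hits

for user, domains in scan("proxy_export.csv").items():  # hypothetical file
    print(f"{user}: {', '.join(sorted(domains))}")
```

Anything this surfaces that is not in your contract register is shadow usage, and likely a personal account.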
2. Classify the data going in
Do not audit “AI usage” as one bucket. Classify the data going in; a rough detection sketch follows the table.
| Data type | What to look for |
|---|---|
| Customer data | Names, emails, accounts, tickets, support history |
| Legal material | Contracts, privileged documents, matter notes |
| Source code | Private repos, logs, stack traces, architecture |
| Financial data | Statements, forecasts, pricing, investor materials |
| Health data | PHI, clinical notes, patient context |
| HR data | Employee records, performance notes, compensation |
| Sales data | Pipeline, prospects, competitive intel |
| Strategy docs | Roadmaps, board decks, internal memos |
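The categories are easier to audit if you can screen prompt text before it leaves the network. A crude sketch; the patterns are illustrative starting points, not production DLP rules:

```python
# Sketch: flag prompt text by data category before egress.
# Patterns are illustrative starting points, not production DLP rules.
import re

PATTERNS = {
    "customer_data": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),  # email addresses
    "financial_data": re.compile(r"\$\s?\d[\d,]*(\.\d{2})?|forecast|pricing", re.I),
    "source_code": re.compile(r"\b(def |class |import |function\s*\()"),
    "hr_data": re.compile(r"\b(salary|compensation|performance review)\b", re.I),
}

def classify(prompt: str) -> list[str]:
    """Return the data categories a prompt appears to contain."""
    return [name for name, pattern in PATTERNS.items() if pattern.search(prompt)]

print(classify("Customer jane@acme.com disputes a $1,200.00 charge"))
# -> ['customer_data', 'financial_data']
```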
3. Identify account control
The account layer determines how much visibility you actually have. For each tool, record which applies:
- Company-managed account
- Personal account
- Mixed usage
- Unknown
Company-managed does not automatically mean safe. But personal or unknown means you probably have no reliable audit trail.
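If you can export (tool, login email) pairs from your IdP, CASB, or the vendors' admin consoles, the bucketing is mechanical. A sketch with hypothetical sample data; tools with no login data at all stay at "Unknown":

```python
# Sketch: bucket each tool's observed logins into the levels above.
# Assumes you can export (tool, login email) pairs; the sample data
# is hypothetical. Tools with no login data at all stay "Unknown".
COMPANY_DOMAINS = {"example.com"}  # replace with your domains

def account_control(logins: list[tuple[str, str]]) -> dict[str, str]:
    seen: dict[str, set[str]] = {}
    for tool, email in logins:
        domain = email.rsplit("@", 1)[-1].lower()
        level = "Company-managed" if domain in COMPANY_DOMAINS else "Personal"
        seen.setdefault(tool, set()).add(level)
    return {tool: ("Mixed" if len(levels) > 1 else levels.pop())
            for tool, levels in seen.items()}

print(account_control([
    ("ChatGPT", "dev1@example.com"),
    ("ChatGPT", "dev1@gmail.com"),
    ("Claude", "legal@example.com"),
]))
# -> {'ChatGPT': 'Mixed', 'Claude': 'Company-managed'}
```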
4. Map vendors to policies
For each tool, record:
- Vendor
- Admin owner
- Contract owner
- Data retention policy
- Training/data-use terms
- Region/data residency
- Export/logging capability
- Offboarding process
If nobody owns the answer, the answer is “unknown.”
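A register only works if the gaps stay visible. One way to keep it honest is to default every unanswered field to "unknown". A sketch with illustrative field names:

```python
# Sketch: one register entry per tool, mirroring the fields above.
# Field names are illustrative; every unanswered field defaults to
# "unknown" so gaps stay visible instead of silently blank.
from dataclasses import dataclass, asdict

@dataclass
class VendorRecord:
    tool: str
    vendor: str = "unknown"
    admin_owner: str = "unknown"
    contract_owner: str = "unknown"
    retention_policy: str = "unknown"
    training_terms: str = "unknown"   # is your data used for model training?
    data_residency: str = "unknown"
    export_logging: str = "unknown"
    offboarding: str = "unknown"

record = VendorRecord(tool="GitHub Copilot", vendor="GitHub",
                      admin_owner="it-ops@example.com")  # hypothetical owner
print(asdict(record))  # everything nobody owns prints as "unknown"
```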
5. Separate workflows by sensitivity
Not every AI workflow needs local AI. Map each workflow to a likely treatment; a routing sketch follows the table.
| Workflow | Likely treatment |
|---|---|
| Public marketing copy | Approved cloud AI may be fine |
| Internal policy Q&A | Private RAG or approved tenant |
| Legal document review | Local/private model or controlled partner deployment |
| Source-code assistance | Approved coding assistant or local coding model |
| Patient/customer records | Strict local/private controls |
| Board/investor materials | Local/private workflow |
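Encoding the table keeps the decision consistent when a new workflow shows up. A minimal sketch; the tier and route names are illustrative, and the point is that unknown sensitivity fails closed:

```python
# Sketch: the table above as a routing rule. Tier and route names are
# illustrative; anything unlabeled gets the strictest path by default.
ROUTES = {
    "public": "approved-cloud",                  # e.g. marketing copy
    "internal": "private-rag",                   # e.g. policy Q&A
    "confidential": "approved-tenant-or-local",  # e.g. source code
    "restricted": "local-only",                  # e.g. PHI, legal, board docs
}

def route(sensitivity: str) -> str:
    # Unknown sensitivity fails closed to the strictest path.
    return ROUTES.get(sensitivity, "local-only")

print(route("internal"))   # private-rag
print(route("unlabeled"))  # local-only
```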
6. Pick replacement patterns
Common replacement patterns:
- ChatGPT-style interface -> Open WebUI or LM Studio
- Personal AI usage -> Jan or LM Studio for local workflows
- External document Q&A -> AnythingLLM or Haystack
- Developer runtime -> Ollama, llama.cpp, or vLLM
- Model discovery -> Hugging Face
- Routing/gateway -> LiteLLM or internal proxy (sketch below)
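To make the routing pattern concrete: LiteLLM exposes an OpenAI-style completion call that can target a local Ollama runtime. A sketch, assuming Ollama is serving on its default port with the model already pulled; model names depend on what you install:

```python
# Sketch: an OpenAI-style call routed to a local Ollama runtime via
# LiteLLM (pip install litellm). Assumes Ollama is serving on its
# default port and the model is already pulled (ollama pull llama3).
from litellm import completion

response = completion(
    model="ollama/llama3",              # provider/model syntax
    api_base="http://localhost:11434",  # local runtime: nothing leaves the box
    messages=[{"role": "user", "content": "Summarize this internal memo: ..."}],
)
print(response.choices[0].message.content)
```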
7. Create the policy
A useful policy says:
- Which tools are approved
- Which data types are banned from cloud tools
- Which workflows have a local/private path
- Who approves new models
- How logs are handled
- What employees do when the local model is not good enough
Policy without a usable replacement is theater. Employees will route around it.
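Two of those rules, approved tools and banned data types, can be enforced mechanically by a proxy or gateway rather than by memo. A sketch with illustrative tool and category names; mirror your own register and classification scheme:

```python
# Sketch: the two mechanically enforceable policy rules as a gate a
# proxy or gateway could call. Tool and category names are illustrative.
APPROVED_TOOLS = {"internal-openwebui", "ms365-copilot-tenant"}
CLOUD_BANNED = {"health_data", "legal_material", "hr_data"}

def allowed(tool: str, categories: set[str], is_cloud: bool) -> bool:
    if tool not in APPROVED_TOOLS:
        return False  # unapproved tool, cloud or not
    if is_cloud and categories & CLOUD_BANNED:
        return False  # banned data heading to a cloud endpoint
    return True

print(allowed("internal-openwebui", {"source_code"}, is_cloud=False))  # True
print(allowed("ms365-copilot-tenant", {"hr_data"}, is_cloud=True))     # False
```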
8. Route serious fixes to operators
If the audit shows sensitive data in unmanaged tools, the next step is not another meeting. It is a scoped migration:
- Pick one workflow
- Pick one department
- Choose one local/private replacement path
- Deploy it
- Train users
- Verify usage
That is where a deployment partner can matter.
Run the two-minute version
This checklist is the manual version. The fast version is the free AI egress audit.
It asks the same core questions: tools, data categories, account control, company size, and industry.