Three Things Every Good Mapping Must Include
1. Every AI system — not just the obvious ones
2. Actual usage — not just licenses
3. The type of data entering each system
1. Every AI System — Not Just the Obvious Ones
ChatGPT, Claude, and Copilot are the starting point, not the finish line. The inventory must also include GitHub Copilot, Notion AI, the recommendation engine in your CRM, a fraud detection model, a customer service chatbot, the Grammarly extension, meeting summarization tools, and AI-generated marketing images. Many SaaS platforms your organization already uses added AI features in 2024-2025 — these must appear in the register.
2. Actual Usage — Not Just Licenses
A Microsoft 365 licence includes Copilot — but that does not mean everyone uses it. You need to map actual usage by department and by task. "HR uses Copilot to screen CVs in three hiring processes per month" is a sentence that carries meaning. "We have a Copilot licence" does not.
3. The Type of Data Entering Each System
This is the most important dimension for risk scoring. A system that receives only marketing copy carries low risk. The same system receiving source code, financial data, or employee records is an entirely different risk profile.
Guiding Questions for Each Department
A set of 10-15 questions ensures solid coverage. The core list:
- Which AI tools do you use on a daily basis?
- Which AI tools do you use occasionally (at least once a month)?
- What types of data do you enter into AI tools? (customer data, employee data, financial information, source code, internal documents, contracts)
- Does the tool make decisions that affect people? (hiring, credit, scoring, routing)
- Is there human oversight of the tool's outputs? For every decision, only partially, or almost none?
- Which automations connect different systems in your workflow?
- Which external AI vendors do you use, and do you have DPAs in place with them?
- Have any AI-related incidents occurred this year? (incorrect output, data exposure, customer complaint)
- Are you aware of an organizational AI use policy?
- Which AI tools would you like to adopt but have not, due to regulatory uncertainty?
How to Score Risk — A Simple Matrix
Risk = Impact × Likelihood. A system whose incorrect output affects a person (high impact) and operates fully automatically without human review (high likelihood) — that is your primary risk.
Impact
- Low: an error causes inconvenience (unsent content, imprecise summary)
- Medium: an error causes a business cost or a degraded customer experience
- High: an error influences a decision that affects a person
- Critical: an error causes regulatory exposure, significant harm, or material damage
Likelihood
- Low: human oversight applies to every decision
- Medium: partial oversight or sampling
- High: no human oversight; automation runs end-to-end
What to Do with the Output
1. Address Critical Gaps: high-risk systems without a DPA or human oversight — target 0-30 days.
2. Build an AI Policy: a document defining what is permitted, what is prohibited, and who to notify — approximately 30 days.
3. Update Vendor Contracts: your top 3-5 AI vendors — 30-60 days.
4. Establish an Oversight Process: incident reporting and monitoring for high-risk systems — 60 days.
5. Training: core modules for staff — 60-90 days.
6. Recurring Review: every 6-12 months. New AI tools enter the environment continuously.
The Alice GRC portal questionnaire is designed precisely for organizations that need to move fast. Instead of hours of manual work, questions branch based on previous answers. The output: an AI systems register, a vendor register, an automations register, automatic gap findings against ISO 42001 and the EU AI Act, and a 30/60/90-day roadmap — all in 15-30 minutes.
Frequently Asked Questions
What is the difference between an AI inventory and an AI risk assessment?
An AI inventory is a list — which AI systems exist in the organization, their vendors, and who uses them. An AI risk assessment goes one step further: it takes that list and scores each item by risk, impact, and likelihood. You cannot run an assessment without an inventory, and an inventory without risk scoring delivers no management value.
What is Shadow AI and why is it the biggest risk?
Shadow AI is the use of AI tools the organization does not know about — an employee using their personal ChatGPT account to draft contracts, a marketing team uploading a customer list to Canva AI, a developer pasting source code into Claude. The risk is high because there is no DPA, no oversight, and the data may become training material for the vendor. Surveys consistently show that 60-70% of organizations have at least twice as much AI usage as management is aware of.
How long does a serious assessment take?
It depends on the methodology. An internal review using an Excel questionnaire takes 4-8 weeks and typically yields low resolution. Interviewing each department head takes 2-3 weeks with good resolution but high cost. A structured questionnaire in a dedicated portal like Alice GRC takes 15-30 minutes for a mid-sized organization, with automatic gap detection and risk scoring built in.
What does the assessment output look like?
(1) An AI asset register with a risk rating for each item. (2) A vendor list with DPA status for each. (3) Gap findings against ISO 42001, EU AI Act, and relevant privacy laws. (4) A risk score by department. (5) A 30/60/90-day action roadmap.