How-To | April 10, 2026 | 5 min read

How to Build an Approved AI Tools List for Your Business


Not Legal Advice: This article is for informational purposes only. Consult a licensed attorney for legal guidance specific to your business.

Letting employees pick their own AI tools is like letting them install random software on company computers. Some of those tools will be fine. Some will have serious privacy implications. Some will share your data with third parties you've never heard of. And you won't know which is which until something goes wrong. An approved AI tools list is one of the simplest and most effective risk controls a small business can put in place — and it can be built in an afternoon.

Start With an Audit

Building the list starts with a simple audit. Ask your employees what AI tools they're currently using for work. You may be surprised by the answer. Many small businesses discover that employees are using five to ten AI tools that the business has never evaluated, including tools that handle customer data, generate client-facing content, or process financial information. This audit is the foundation of your approved list.

The purpose of an approved list isn't to restrict employees or slow down their work. It's to ensure that the AI tools your business uses have been evaluated against a consistent set of criteria — data handling, privacy policy, security certifications, and regulatory compliance — before they're deployed.

The Four Evaluation Criteria

Once you know what's being used, evaluate each tool against four criteria. First, data handling: does the tool retain user inputs? Is user data used to train models? Is there an opt-out? What happens to data when you cancel your account? Second, privacy policy: is the policy clear and specific? Does it address business use cases? Is there a data processing agreement available for business accounts?

Third, security: does the vendor have SOC 2 certification or equivalent? Have they had documented security incidents? Fourth, regulatory fit: does the tool's data handling comply with the regulations that apply to your business — HIPAA, CCPA, GDPR, or industry-specific requirements?

Not every tool needs to pass every test. The right standard depends on how the tool will be used. A tool used only for internal brainstorming, with no customer data involved, needs to meet a lower bar than a tool used to process customer support tickets. Your approved list should reflect these distinctions — perhaps with categories like 'approved for internal use only' and 'approved for customer-facing use.'

Keeping the List Current

The list should be a living document, not a one-time exercise. AI tools change their privacy policies, get acquired by new companies, and update their data handling practices. Build a review cycle into your process — at minimum annually, and whenever a tool on your list makes a significant policy change.

Our AI Workplace Policy Kit includes an approved tools list template pre-populated with evaluation criteria and a sample list of 20 common AI tools, with notes on each. The Employee AI Safety Course covers how to use and maintain the approved list in Module 3.

Watchdog Verdict

An approved AI tools list is a one-afternoon investment that provides ongoing protection. Start with an audit of what your employees are already using, then evaluate each tool against the four criteria above.
