20-question vendor checklist · Data classification matrix · Sample DPA clauses · NIST AI RMF mapping · EU AI Act crosswalk · Approve/Reject decision tree
Samsung engineers pasted proprietary semiconductor chip source code into consumer ChatGPT accounts — three separate incidents. 38TB of IP exposed. ChatGPT's default consumer terms included model training. Samsung banned the tool company-wide within weeks. The incident happened because there was no data classification policy for AI inputs and no vendor vetting process. This kit closes that gap.
17 pages covering every dimension of AI tool security — from the first vendor conversation to an employee-ready Acceptable Use Policy.
Data handling, training exclusion, retention, sub-processors, residency, encryption, audit rights, breach notification, MFA/SSO, output risk, IP ownership, confidentiality, and annual review cadence. Any "No" triggers a required risk exception.
Public / Internal / Confidential / Regulated — what data is Approved, Approved-with-Controls, or Not Permitted in each AI tool tier: consumer, Enterprise API, and Workspace.
8 ready-to-negotiate clauses (training exclusion, retention, sub-processor notification, breach notification, IP ownership, confidentiality, audit rights, HIPAA BAA) with vendor-by-vendor status for ChatGPT, Copilot, Claude, and Gemini.
Maps your vetting requirements to GOVERN, MAP, MEASURE, and MANAGE controls in the NIST AI Risk Management Framework 1.0 — with specific control IDs (GV-1.1 through MG-3.2).
10-row crosswalk table mapping each AI control to SOC 2 TSC and EU AI Act provisions. Plus: deployer obligations under EU AI Act Art. 26 — what organizations using AI tools must do by August 2026.
Score-based decision tree: 27–30 points = Approve, 18–26 = Approve-with-Controls (risk exception required), below 18 or critical fails = Reject. Clear pass/fail criteria for each tier.
Per-tool tables covering training data use, retention, DPA availability, HIPAA BAA status, encryption, SOC 2/ISO certifications, sub-processors, EU data residency, and the key risk for each platform.
8-point checklist for finding AI tools your team is using without IT approval: browser extensions, DNS logs, department surveys, expense records, code repositories, and app marketplace audits.
Ready-to-customize AUP covering: approved tools, data classification restrictions, employee obligations, prohibited uses, vendor approval process, and consequences. [BRACKET] placeholders throughout for easy customization.
From Page 4 of the kit — what data is allowed in which AI tool tier.
| Data Tier | ChatGPT / OpenAI | Microsoft Copilot | Claude (Anthropic) | Gemini (Google) |
|---|---|---|---|---|
| Public: marketing copy, press releases, public research | ✓ Approved | ✓ Approved | ✓ Approved | ✓ Approved |
| Internal: meeting notes, internal policies, non-sensitive projects | ⚠ Approved w/ Controls | ✓ Approved (Enterprise) | ⚠ Approved w/ Controls | ⚠ Approved w/ Controls |
| Confidential: trade secrets, M&A strategy, unreleased financials | ✗ Not Permitted (Consumer); ⚠ Enterprise only | ⚠ Approved w/ Controls | ⚠ Approved w/ Controls | ✗ Not Permitted (Consumer); ⚠ Workspace Enterprise only |
| Regulated: PHI (HIPAA), PCI, ITAR, attorney-client privilege | ✗ Not Permitted (ITAR); BAA required for PHI only | ✗ Not Permitted (ITAR); BAA required for PHI | ✗ Not Permitted (ITAR); BAA required for PHI | ✗ Not Permitted (ITAR); BAA required for PHI |
The kit maps to all four NIST AI RMF 1.0 functions — your vetting program covers each one.
GOVERN: AI risk policy (GV-1.1), AI tool inventory (GV-1.2), role assignment (GV-2.1), third-party obligations (GV-3.1). The 20-question checklist and AUP template deliver all four.
MAP: Use-case risk classification (MP-1.1), data flow mapping via the Classification Matrix (MP-2.2), and threat modeling for prompt injection and supply chain risk (MP-3.1).
MEASURE: Output accuracy testing protocol (MS-1.1), bias and fairness assessment for high-risk AI (MS-2.1), vendor assessment scoring rubric (MS-2.5), anomaly monitoring (MS-3.3).
MANAGE: AI incident response plan extension (MG-1.1), unapproved tool response protocol (MG-2.2), and structured vendor offboarding with data deletion confirmation (MG-3.2).
The full checklist covers these domains. Any "No" or "Unknown" requires a documented risk exception or vendor remediation before approval.
17 pages. PDF. Download instantly. No credit card, no commitment.
What is the AI Tool Security Vetting Kit?
A free 17-page PDF for IT, security, and compliance teams evaluating AI tool adoption. It covers every dimension of vendor risk: data handling, DPA negotiation, NIST AI RMF alignment, EU AI Act compliance, and shadow AI discovery — in a format you can hand to procurement or present to the board.
Why do I need to vet AI tools before deploying them?
85% of employees use at least one AI tool not approved by IT. Most consumer AI tiers have training opt-in by default — meaning your confidential data may be used to train models accessible to others. The Samsung incident (38TB of semiconductor IP exposed) happened because engineers had no guidance on what was safe to input. The kit closes that gap before the incident, not after.
Does this cover NIST AI RMF and EU AI Act?
Yes. Pages 7–8 map each requirement to NIST AI RMF 1.0 controls (GV-1.1 through MG-3.2). Pages 9–10 include a SOC 2 TSC + EU AI Act crosswalk and a summary of EU AI Act Art. 26 deployer obligations — fundamental rights impact assessment, human oversight, employee training, and AI-generated content transparency — which apply from August 2026 for high-risk systems.
Does this cover ChatGPT, Copilot, Claude, and Gemini specifically?
Yes. Pages 5–6 include vendor-by-vendor status for each DPA clause (training exclusion, retention, BAA availability, etc.) for all four platforms. Pages 12–13 have per-tool quick reference tables covering training data policy, data retention, DPA availability, HIPAA BAA status, encryption, certifications, sub-processors, EU residency, and the key risk to watch for each platform.
Can I use this for a SOC 2 Type II audit?
Yes. The crosswalk table (Page 9) maps each AI control to the relevant SOC 2 TSC control — CC6.1, CC6.2, CC7.3, CC9.2, C1.1, A1.2, and others. The 20-question checklist, signed DPA documentation, and annual review process together address the vendor risk requirements under CC9.2 that auditors most commonly flag in AI-adjacent environments.
Does the kit include an employee AI policy template?
Yes. Pages 15–16 include a complete, customizable Employee AI Acceptable Use Policy template covering: approved tools, data classification restrictions (tied to the matrix on Page 4), employee obligations, prohibited uses, vendor approval process, and consequences. All [BRACKET] placeholders are clearly labeled for easy customization. It meets NIST AI RMF GV-1.1 and EU AI Act Art. 26(6) training requirements.