An AI inventory built from a survey alone misses roughly two-thirds of what your firm actually uses. The repeatable approach is a survey plus a two-week passive scan across browsers and managed desktops, reconciled into a single approved list and refreshed every quarter.
You cannot supervise what you cannot see. Every other piece of an AI governance program, the policy, the training, the audit, depends on knowing which tools your lawyers are actually using on which matters. Skip the inventory and the rest of the program is a guess.
The other reason to start here is that the inventory itself produces the first uncomfortable conversation. Once partners see the gap between the approved list and the real usage, the case for a written policy makes itself.
Ask every practice group lead which AI tools their team uses and why. You will get a clean, plausible list of five to ten tools. It will also be incomplete. People forget the trial they signed up for last quarter, the personal ChatGPT they use for drafting, and the Copilot tab that has been running in the background for six months.
Layer a passive scan on top. A browser extension across the firm and a lightweight desktop agent on managed devices, both running for two weeks, will surface every tool that is actually open and in use. Run them in read-only mode for the first pass so nobody feels surveilled before the policy conversation has happened.
The extension sees which AI websites and chat apps people visit and how long they spend in each. The agent sees which AI-related processes and windows are active on the desktop. Together they cover both the browser-based tools that dominate today and the native apps that are becoming more common.
Cross-reference the survey list against the scan. Anything in the scan but not the survey is shadow AI. Do not panic the first time you see the gap. It is normal for the scan to surface two to three times what the survey did, and the right response is triage, not enforcement.
Sort each finding by data sensitivity. A shadow Notion AI used for to-do lists is a different conversation than a shadow ChatGPT used on a privileged matter. Approve the low-risk tools, deprecate the duplicates, and route the rest into the policy and training workflow before any enforcement action lands.
Once you have a clean approved list, get the managing partner or executive committee to sign it. That single signature is what moves the inventory from IT housekeeping to firm policy, and it is what makes the rest of governance possible.
Keep the signed version dated and stored alongside the rest of the firm's policy artifacts. The next refresh of the list becomes a diff against this baseline, which is much easier to review than a fresh list every quarter.
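The reconcile, triage, and baseline-diff steps described above can be scripted. The following is an added example, not CounselGuard's code or export format: the tool names beyond those mentioned in the text, the record layout, the sensitivity scale, and the triage thresholds are all assumptions, and the sample data is constructed.

```python
# Constructed sample data; names, fields and thresholds are assumptions.
SURVEY = ["Copilot", "Research Assistant"]      # tools named by practice group leads
SCAN = [                                        # (tool, source) pairs from the two-week scan
    ("copilot", "agent"), ("Copilot", "extension"),
    ("ChatGPT", "extension"), ("Notion AI", "extension"),
    ("Summarizer X", "agent"),
]
# Assigned by the reviewer during triage: tool -> (function, highest data sensitivity)
REVIEW = {
    "chatgpt": ("drafting", "privileged"),
    "notion ai": ("task lists", "none"),
    "summarizer x": ("research", "internal"),
}
APPROVED_FUNCTIONS = {"research"}   # functions an approved tool already covers
RANK = {"none": 0, "internal": 1, "client": 2, "privileged": 3}

def norm(name):
    """Case- and whitespace-insensitive key so 'copilot' matches 'Copilot'."""
    return " ".join(name.lower().split())

def shadow_ai(survey, scan):
    """Tools present in the scan but absent from the survey, with where they were seen."""
    known = {norm(t) for t in survey}
    found = {}
    for tool, source in scan:
        if norm(tool) not in known:
            found.setdefault(norm(tool), set()).add(source)
    return found

def triage(shadow, review):
    """Map each shadow tool to approve / deprecate / policy_workflow."""
    decisions = {}
    for tool in shadow:
        # A tool nobody has reviewed yet is treated as the worst case.
        function, sensitivity = review.get(tool, ("unknown", "privileged"))
        if RANK[sensitivity] >= RANK["client"]:
            decisions[tool] = "policy_workflow"   # sensitive use is routed first
        elif function in APPROVED_FUNCTIONS:
            decisions[tool] = "deprecate"         # duplicate of an approved tool
        else:
            decisions[tool] = "approve"           # low risk, no overlap
    return decisions

def baseline_diff(baseline, current):
    """Quarterly refresh: what changed against the signed approved list."""
    b, c = {norm(t) for t in baseline}, {norm(t) for t in current}
    return {"added": sorted(c - b), "removed": sorted(b - c)}
```

Routing sensitive use to the policy workflow before checking for duplicates is a choice made in this example; a firm may order those checks differently.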
AI tooling changes monthly. A static inventory ages out in a quarter. The firms that get this right run the passive scan continuously, surface diffs to the AI governance lead on a weekly cadence, and make adding a new tool to the approved list a five-minute process instead of a committee item.
The goal is for the inventory to be boring and current, not impressive and stale. An inventory that is six months old is, from a regulator's perspective, the same as having no inventory at all.
CounselGuard provides the desktop agent and Chrome extension that capture AI tool usage continuously. It reconciles that usage against the firm's approved list and surfaces shadow AI as a weekly diff to the governance lead. The inventory stays current as a byproduct of normal work, not as a quarterly fire drill.
No. The agent is a single background process that monitors AI tool windows and processes. CPU and memory overhead are well under 1% in steady state on both macOS and Windows.
Both, configurable per tool. For inventory mode you only need tool presence. For full governance you turn on transcript capture for approved tools so usage can be analyzed against policy.
The extension covers personal browsers on BYOD machines without the agent. Most firms start agent-only on managed devices, then add the extension everywhere as a second pass.
Two weeks of passive scan plus a few days to reconcile, triage, and produce a signed approved list. Most firms have a defensible first inventory within three weeks of rollout.
The scan picks it up on first use and surfaces it on the next weekly diff. The governance lead approves, denies, or routes it into the policy workflow without waiting for a quarterly review.