Decide which tools, which data, and which people — defensibly.
A playbook for the people who own the tool stack and the NPI boundary. Classify data, vet tools, document the verdict, and help business teams adopt approved AI without bypassing you.
Where IT / InfoSec can use AiBI immediately.
Render a tool verdict: document the data classes, controls, and approval status for a candidate AI tool.
Run a data-classification check: map a workflow to the data classes it touches and surface the NPI exposure points.
Draft a shadow-AI advisory: brief the business on which tools to stop using and what is approved instead.
Build an access-review checklist: document who can access an approved AI tool, with what data, and under what review.
A verdict cycle the business will follow.
Intake: capture the request, including the tool, vendor, data classes, use case, and requesting team.
Verdict: run the data-class, control, and retention checks. Decide approved, restricted, or blocked, with reasons.
Publish: add the tool to the allowed-tools catalog with its conditions. Brief the business via the standard advisory format.
Monitor: re-review on a cadence. Look for shadow-AI use and adjust the verdict if the vendor's security posture changes.
Before AI output is used.
Be the team the business asks first — not the team they bypass.
Clear verdicts, publishable advisories, and a catalog that actually answers the question. That is the difference between InfoSec as gatekeeper and InfoSec as enabler.