CBIZ
  • Article
October 28, 2024

Why and How Not-For-Profits Should Inventory Their Organization’s AI Usage

Table of Contents

There’s no denying it — AI has seamlessly integrated into the countless tools and applications we rely on every day, often without us even noticing. Understanding and inventorying AI usage within the organization is more important than ever for not-for-profits, especially as regulations tighten and the risks associated with AI increase.

Here’s why keeping track of your AI usage is a must and how you can do it effectively.

Why AI Inventory Matters

The use of AI across all sectors has exploded, including in tools and software you may already use in your organization. If your not-for-profit relies on SaaS (Software as a Service) applications — tools like Microsoft 365, Grammarly or project management platforms like Wrike — it’s almost guaranteed you’re already using AI without fully realizing it. Many of these tools have AI woven in to improve functionality, from personalized recommendations to advanced automation.

However, this widespread use of AI introduces certain risks. For example, some employees might unknowingly upload sensitive data into AI tools that use that data to train their models. If that happens, proprietary information could inadvertently become part of a public AI model, leading to intellectual property exposure.

Also, legal implications are beginning to take shape around the use of AI. Laws like the Colorado AI Act or New York City’s AI Bias Law hold organizations accountable for the AI they use, even from a third party. For example, if an AI tool in your human resources department showcases bias while screening resumes or benchmarking performance, your organization could face legal repercussions. As AI becomes more prevalent in everyday tools, these risks will only grow, making it essential to maintain an inventory of all AI-driven technologies your organization relies on.

The Path to Creating an AI Inventory for Not-For-Profits

How do you start tracking AI in your organization? One of the easiest ways is to begin by working with your finance department to identify the SaaS applications you’re already paying for. Review expense reports or corporate credit card statements to get a clear list of software subscriptions. For a more thorough understanding, technical solutions can provide deeper insight into AI usage. If your not-for-profit uses a common technology infrastructure, you can analyze logs from tools like Cloud Access Security Broker (CASB) or web proxies. These logs will show where users connect to online, identifying SaaS tools in use. Once SaaS use is identified, you can determine which are leveraging AI and whether the risk posed by each application warrants risk management activities (e.g., limiting use, third-party due diligence, etc.)

Another potentially effective tool is Microsoft Defender for Cloud. It can help identify AI usage across your organization. There are a number of emerging tools like Microsoft AI-SPM and Tenable AI Aware that detect AI software, libraries and browser plug-ins, giving you a real-time view of how AI is being used. By setting alerts, you can stay on top of new AI tools as they surface, receiving daily reports that make it easy to track changes.

If you don’t have access to these tools, manually tracking AI usage can be challenging, but it is doable. Start by focusing on the 20% of AI apps (Pareto to the rescue!) that are most significant to your operations or pose the highest risk. This targeted approach can make the process more manageable.

Addressing Vendor AI Usage

One often overlooked aspect of AI inventorying is third-party vendors. Many SaaS providers incorporate AI without explicitly advertising it. For instance, Netflix uses AI for personalized recommendations, and Grammarly relies on AI to suggest grammar improvements. As AI becomes more common, it will soon be the exception, not the rule, for a SaaS application not to use AI in some capacity.

For this reason, it would be a good idea to reach out to your vendors and ask direct questions about their AI usage. Sending a due diligence questionnaire can help you understand how AI is used in their software and whether it poses any risks to your organization. You can even ask specific questions about how the vendor handles data and whether any AI-related privacy or bias concerns are being addressed.

Managing the Risks of AI

Inventorying AI usage isn’t just about knowing what’s being used — it’s also about understanding and managing the associated risks appropriately. Organizations can also use private versions of AI tools to mitigate data risks. Microsoft, for instance, offers internal versions of AI tools like ChatGPT, which can run inside your organization’s infrastructure, ensuring that no data leaves the company. Similarly, you can develop AI models tailored to your organization’s needs, allowing you to control your data while leveraging AI’s benefits.

The Bottom Line

As AI becomes more ingrained in daily operations, not-for-profits must take a proactive approach to inventorying their AI usage. This effort helps mitigate risks and ensures compliance with emerging laws and regulations. Whether relying on manual tracking or advanced technical tools like AI Aware, the key is simply getting started. With an inventory in place, you can create informed policies around AI use, keep your data safe and help your organization continue to operate responsibly in our new AI-driven world.

For more information about inventorying AI usage for your organization, connect with our professionals.

© Copyright CBIZ, Inc. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein. Material contained in this publication is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their organization.

“CBIZ” is the brand name under which CBIZ CPAs P.C. and CBIZ, Inc. and its subsidiaries, including CBIZ Advisors, LLC, provide professional services. CBIZ CPAs P.C. and CBIZ, Inc. (and its subsidiaries) practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations, and professional standards. CBIZ CPAs P.C. is a licensed independent CPA firm that provides attest services to its clients. CBIZ, Inc. and its subsidiary entities provide tax, advisory, and consulting services to their clients. CBIZ, Inc. and its subsidiary entities are not licensed CPA firms and, therefore, cannot provide attest services.