How Do You Audit Your AI Stack? A Practical Review for Mid-Sized Companies

An AI stack audit is a systematic review of all artificial intelligence tools, subscriptions, and integrations your company uses to identify what’s working, what’s wasted, and what’s missing from your technology investments. Most mid-sized companies have accumulated AI tools over the past two years without a clear inventory. Microsoft estimates that 78% of employees bring their own AI tools to work, often without IT knowledge or approval. AI Smart Ventures helps organizations cut through tool sprawl by auditing current AI usage and building practical roadmaps that maximize existing investments rather than adding more subscriptions.

Here’s the uncomfortable truth: you’re probably paying for AI tools nobody uses. That marketing automation with “AI-powered” features? Half-implemented. The ChatGPT Team subscription? Three people actually use it. The CRM’s AI capabilities? Never configured.

This isn’t a technology problem. It’s a visibility problem. And mid-sized companies, the ones without dedicated IT departments tracking every subscription, are the most likely to be leaking money while simultaneously missing opportunities.

What Is an AI Stack Audit?

An AI stack audit examines every AI-enabled tool, subscription, and integration across your organization to answer four questions: What do we have? Who uses it? Does it deliver value? What are we missing?

Unlike formal compliance audits focused on governance and risk, the kind IBM and PwC write about, a practical AI stack audit focuses on operational reality. It’s less about whether your AI tools meet regulatory requirements and more about whether they actually work for your business.

The typical mid-sized company today uses between 8 and 15 different tools with AI capabilities. Some were purchased intentionally. Others came bundled with existing software. A few showed up when employees signed up for free trials that auto-converted to paid plans.

Gartner research indicates that organizations waste approximately 25% of their software spending on underutilized licenses. For AI tools specifically, that waste rate climbs higher because AI features often require configuration, training, and workflow integration that never happens.

Why Do Mid-Sized Companies Need AI Stack Audits?

Mid-sized companies face a unique challenge: enough complexity to accumulate tool sprawl, but not enough dedicated resources to track it.

The subscription accumulation problem. Most AI tool adoption happened reactively. Someone attended a webinar, signed up for a trial, and put it on the company card. Marketing bought one tool. Sales bought another. Finance bought a third. Nobody compared features or checked for overlap.

The shadow AI problem. Microsoft’s Work Trend Index found that 78% of employees use AI tools at work, and 52% are reluctant to admit using it for important tasks. At companies under 200 employees, that shadow AI rate climbs to 80%. Your team is using AI. You just don’t know which tools, for what purposes, or with what data.

The “AI-enabled” inflation problem. Software vendors have aggressively added AI branding to existing features. Your CRM’s “AI-powered insights” might be basic analytics renamed. Your email platform’s “AI writing assistant” might be the same autocomplete feature from 2019. Distinguishing genuine AI capabilities from marketing language requires systematic evaluation.

The integration gap problem. Tools that don’t connect to your existing workflows create more work, not less. Deloitte research shows that integration challenges are the primary barrier to AI value. Teams spend more time moving data between systems than the AI saves. For guidance on integrating AI into existing operations, see how to integrate AI into existing workflows.

Challenge | Enterprise Solution | Mid-Market Reality
Tool tracking | Dedicated IT asset management | Spreadsheets (maybe)
License management | Procurement software | Credit card statements
Shadow AI detection | Security monitoring tools | Employee confession
ROI measurement | BI dashboards | Gut feeling
Vendor consolidation | Strategic sourcing team | Whoever has time

What Should an AI Stack Audit Include?

A comprehensive AI stack audit examines five categories of tools and three dimensions of value.

The Five Categories

1. Dedicated AI tools. These are standalone AI products you purchased specifically for AI capabilities: ChatGPT, Claude, Jasper, Midjourney, or similar. They’re usually the easiest to identify because they appear as line items on credit card statements.

2. AI features in existing software. Microsoft Copilot in your Microsoft 365 subscription. Gemini in Google Workspace. Einstein in Salesforce. HubSpot’s AI tools. These features are bundled into software you already own but may not be activated, configured, or used.

3. Embedded AI in point solutions. Your scheduling software’s “smart suggestions.” Your email marketing platform’s “predictive send times.” Your accounting software’s “anomaly detection.” These are AI features that vendors added without changing the product name.

4. Employee-purchased tools. The tools your team signed up for individually, often with personal credit cards or free tiers. Grammarly. Otter.ai. Notion AI. Canva AI. These create security and compliance risks when used with company data.

5. API and automation integrations. Zapier connections. Make (Integromat) workflows. Custom GPT integrations. These often fly under the radar because they’re built by individuals rather than purchased through procurement.

The Three Value Dimensions

Utilization: Is the tool actually being used? How many licenses are active vs. purchased? What percentage of features get touched?

Impact: Does usage translate to measurable outcomes? Time saved? Revenue influenced? Errors reduced? Or does the tool just create activity without results?

Integration: Does the tool fit into existing workflows? Or does it create friction, requiring manual data entry, context switching, or workarounds?

How Do You Conduct an AI Stack Audit?

The audit process follows five phases, typically taking 2-4 weeks depending on company size and tool complexity.

Phase 1: Discovery (Week 1)

Start with finance. Pull 12 months of credit card statements, expense reports, and software invoices. Search for common AI vendors: OpenAI, Anthropic, Microsoft (Copilot specifically), Google (Gemini/Vertex), Jasper, Copy.ai, Midjourney, Synthesia, and similar.

Audit existing subscriptions. Log into your major platforms (Microsoft 365, Google Workspace, Salesforce, HubSpot) and document which AI features are enabled vs. available. Many companies pay for AI capabilities they’ve never turned on.

Survey the team. Ask every employee three questions: What AI tools do you use for work? What tools do you wish you had? What AI tasks do you do manually because no tool works? Be explicit that this is about optimization, not punishment for shadow AI use.

Phase 2: Inventory (Week 1-2)

Create a complete inventory capturing:

Field | Example
Tool name | ChatGPT Team
Vendor | OpenAI
Category | Dedicated AI tool
Monthly cost | $25/user
Number of licenses | 8
Active users (last 30 days) | 3
Primary use case | Content drafting
Data sensitivity | Medium (uses customer info)
Integration status | None
Owner/admin | Marketing Manager

Phase 3: Analysis (Week 2-3)

Calculate utilization rates. Divide active users by total licenses. Anything below 60% is underutilized. Below 30% is likely waste.

Identify overlap. Multiple tools doing the same job? Three different AI writing assistants? Two image generators? Consolidation opportunities exist.

Assess security exposure. Which tools have access to sensitive data? Customer information? Financial records? Employee data? Are those tools compliant with your industry requirements?

Evaluate integration status. Which tools connect to your core systems? Which require manual data movement? Which create workflow friction?

Phase 4: Recommendations (Week 3)

Based on analysis, develop specific recommendations:

Keep: Tools with high utilization, clear value, and good integration.

Expand: Underutilized tools that could deliver more value with proper training or configuration.

Consolidate: Multiple tools doing similar jobs where one could suffice.

Eliminate: Tools with low utilization, no clear value, or security concerns that outweigh benefits.

Add: Gaps identified where AI could deliver value but no current tool exists. For guidance on selecting new tools, explore AI Smart Ventures’ curated AI tools and resources.

Phase 5: Implementation (Week 4+)

Quick wins first. Cancel unused subscriptions immediately. That’s instant ROI.

Training before expansion. Don’t expand licenses for underutilized tools until you’ve addressed the adoption problem.

Security before capability. Close shadow AI security gaps before adding new tools.

Integration before features. A well-integrated basic tool beats a powerful tool that doesn’t connect to anything.
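
The Phase 2 inventory and Phase 3 analysis above can be run as a short script. This is an added example, not part of the original article: the first inventory row is the article's ChatGPT Team example, the other rows are constructed sample values, and the rule used for the security review flag (sensitive data plus an employee-purchased tool or no named owner) is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

UNDERUSED_BELOW = 0.60  # article: anything below 60% is underutilized
WASTE_BELOW = 0.30      # article: below 30% is likely waste

@dataclass
class Tool:
    name: str
    category: str
    monthly_cost_per_user: float
    licenses: int
    active_users_30d: int
    primary_use_case: str
    data_sensitivity: str
    owner: str

# First row is the article's example; the rest are constructed sample data.
INVENTORY = [
    Tool("ChatGPT Team", "Dedicated AI tool", 25.0, 8, 3,
         "Content drafting", "Medium (uses customer info)", "Marketing Manager"),
    Tool("Jasper", "Dedicated AI tool", 40.0, 5, 1,
         "Content drafting", "Low", "Marketing Manager"),
    Tool("Microsoft Copilot", "AI feature in existing software", 30.0, 20, 15,
         "Document summaries", "High", "Operations Lead"),
    Tool("Otter.ai", "Employee-purchased tool", 0.0, 0, 4,
         "Meeting transcription", "High", ""),
]

def utilization(t: Tool) -> Optional[float]:
    """Active users / licenses; None when no licenses were purchased
    (free tiers and personal accounts found through the survey)."""
    if t.licenses <= 0:
        return None
    return t.active_users_30d / t.licenses

def band(t: Tool) -> str:
    u = utilization(t)
    if u is None:
        return "unlicensed"
    if u < WASTE_BELOW:
        return "likely waste"
    if u < UNDERUSED_BELOW:
        return "underutilized"
    return "ok"

def idle_monthly_cost(t: Tool) -> float:
    """Monthly spend on licenses nobody used in the last 30 days."""
    return max(t.licenses - t.active_users_30d, 0) * t.monthly_cost_per_user

def overlaps(tools) -> dict:
    """Use cases served by more than one tool (consolidation candidates)."""
    groups = defaultdict(list)
    for t in tools:
        groups[t.primary_use_case.strip().lower()].append(t.name)
    return {use: names for use, names in groups.items() if len(names) > 1}

def needs_security_review(t: Tool) -> bool:
    """Assumed rule: sensitive data handled by a tool nobody manages."""
    sensitive = t.data_sensitivity.strip().lower().startswith(("medium", "high"))
    unmanaged = t.category == "Employee-purchased tool" or not t.owner.strip()
    return sensitive and unmanaged

if __name__ == "__main__":
    for t in INVENTORY:
        u = utilization(t)
        pct = "n/a" if u is None else f"{u:.0%}"
        flag = "  [security review]" if needs_security_review(t) else ""
        print(f"{t.name:18} {pct:>5} {band(t):14} "
              f"idle ${idle_monthly_cost(t):.2f}/mo{flag}")
    for use, names in overlaps(INVENTORY).items():
        print(f"overlap in '{use}': {', '.join(names)}")
```

Tools with zero purchased licenses are reported as "unlicensed" rather than given a utilization rate, so shadow AI found in the survey stays visible in the report instead of causing a division error or being silently dropped.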

What Are the Most Common Audit Findings?

After conducting AI stack assessments across organizations, patterns emerge consistently.

The Copilot gap. Companies pay for Microsoft Copilot but haven’t configured it, trained users, or integrated it into workflows. The most expensive AI tool in most stacks sits idle.

The ChatGPT sprawl. Multiple employees have individual ChatGPT subscriptions (personal and team accounts) with no standardization, no prompt libraries, and no data governance.

The feature blindness. Existing platforms (CRM, marketing automation, accounting) have AI capabilities that teams don’t know exist or don’t know how to use.

The integration desert. Tools were purchased as islands. Nothing connects. Data lives in silos. The “AI transformation” is actually just a collection of disconnected point solutions.

The shadow AI exposure. Employees use free AI tools with company data, creating security and compliance risks nobody tracks.

How Do You Measure AI Tool ROI?

ROI measurement requires baseline documentation before the audit and tracking after changes. For a comprehensive approach, see our AI ROI measurement framework.

Time-based metrics: Hours saved per week per user. Document current state during the audit through time studies or estimates.

Quality metrics: Error rates. Revision cycles. Customer satisfaction. Capture before and after.

Productivity metrics: Output volume. Tasks completed. Response times.

Cost metrics: Direct subscription costs. Time costs (hourly rate × hours spent). Integration and maintenance costs.

The formula: (Value generated – Total cost) / Total cost = ROI

But here’s the nuance: some AI tools deliver indirect value that’s hard to quantify. An AI writing assistant might not save measurable time, but it might improve confidence for employees who struggle with written communication. Include qualitative assessment alongside quantitative metrics.

What Security Questions Should the Audit Address?

Security assessment is critical, especially for shadow AI tools.

Data handling: Where does data go when employees use the tool? Is it stored? Used for training? Shared with third parties? OpenAI and Anthropic have business tiers that don’t use data for training, but personal accounts do.

Access controls: Who can access the tool? Are there individual logins or shared accounts? Can you revoke access when employees leave?

Compliance alignment: Does the tool meet industry requirements? HIPAA for healthcare. SOC 2 for B2B. GDPR if you have European customers or employees.

Audit trails: Can you track what data was input? What outputs were generated? Who made what queries? Most consumer AI tools offer no audit capability.

Integration security: How does the tool connect to other systems? What permissions does it have? Can it be compromised to access other parts of your infrastructure?

How Often Should You Audit Your AI Stack?

For mid-sized companies, annual comprehensive audits with quarterly check-ins provide the right balance.

Quarterly check-ins (30 minutes): Review new tool additions. Check utilization trends. Confirm no new shadow AI concerns.

Annual comprehensive audit (2-4 weeks): Full inventory refresh. ROI assessment. Strategic alignment review. Consolidation evaluation.

Trigger-based reviews: New major platform adoption. Security incident. Significant organizational change. Budget planning cycle.

The AI tool landscape changes rapidly. What was cutting-edge six months ago may be obsolete today. Regular audits ensure you’re investing in the right tools, not just the ones you happened to buy when someone sent a compelling email.

What Should You Do with the Audit Results?

Audit insights should inform three types of decisions.

Immediate actions (within 30 days):

  • Cancel unused subscriptions
  • Close security gaps in shadow AI usage
  • Enable unused features in existing platforms
  • Consolidate redundant tools

Short-term initiatives (1-3 months):

  • Training programs for underutilized tools
  • Integration projects for disconnected tools
  • Pilot programs for identified gaps
  • Policy development for approved tool usage

Strategic planning (3-12 months):

  • Platform consolidation strategies
  • Vendor relationship optimization
  • Budget reallocation based on actual usage
  • Capability roadmap development

How Does an Audit Connect to AI Strategy?

An AI stack audit is operational. It tells you what you have. AI strategy is directional. It tells you where you’re going.

The audit should feed the strategy by identifying:

  • Current capabilities (what can you actually do with AI today?)
  • Gaps (where do you need AI that you don’t have?)
  • Constraints (what limits your ability to adopt new AI?)
  • Quick wins (where can you extract more value from existing investments?)

Organizations that start AI strategy without auditing current state often propose buying tools they already own or building capabilities they already have hidden in existing subscriptions.

AI Smart Ventures helps companies connect audit findings to strategic planning, ensuring AI investments build on existing capabilities rather than creating new silos.


Frequently Asked Questions

How much does an AI stack audit cost?

Internal audits require 40-80 hours of staff time across finance, IT, and operations functions, representing $3,000-$10,000 in labor cost depending on team compensation. External consultants typically charge $5,000-$25,000 for comprehensive audits depending on company size and complexity. The audit often pays for itself immediately through identified subscription waste. Most companies find 15-30% of their AI spending delivers no measurable value.

Can we do an AI stack audit without an IT department?

Yes, though the process differs. Mid-sized companies without dedicated IT typically use finance as the audit starting point since they control expense tracking. The survey phase becomes more important because tool visibility depends on employee disclosure. Consider designating an operations or finance team member as the audit coordinator rather than trying to distribute the work.

What’s the difference between an AI audit and an AI stack audit?

Formal AI audits (the kind IBM, PwC, and Deloitte discuss) focus on governance, compliance, bias, and risk management for AI systems an organization builds or deploys at scale. AI stack audits focus on operational efficiency: what tools you have, whether they’re used, and whether they deliver value. Most mid-sized companies need stack audits first. Formal AI governance audits become relevant as AI usage matures.

How do we handle shadow AI discovered during the audit?

Treat discovery as an opportunity, not a punishment. Employees using unauthorized AI tools are showing you where they need capability. The goal is to provide approved alternatives that meet the same needs with appropriate security. Punishing shadow AI use drives it underground. Understanding and channeling it improves both adoption and security.

Should we audit AI tools and traditional software together?

Separate AI-focused audits work better for most organizations. Traditional software audits focus on licensing compliance and feature utilization. AI audits require additional dimensions: data security, output quality, integration depth, and adoption barriers that don’t apply to conventional software.

What if we find we’re barely using the AI tools we own?

This is the most common audit finding and actually good news. It means you have untapped capability. The next step is determining why utilization is low: awareness (people don’t know features exist), training (they don’t know how to use them), integration (the tools don’t fit workflows), or value (the tools genuinely don’t help). Each cause requires different intervention. For help improving adoption, see how to prepare your workforce for AI.

How do we get employees to honestly report shadow AI use?

Frame the survey around improvement, not compliance. Ask what tools help them do their jobs better rather than what unauthorized tools they’re using. Offer amnesty for tools discovered during the audit. Share the business case for approved alternatives. Most importantly, follow through by actually providing better options. Employees use shadow AI because official tools don’t meet their needs.

What AI features should we check in Microsoft 365 and Google Workspace?

Microsoft 365 AI features to audit: Copilot (if licensed), Designer in PowerPoint, Editor in Word, Ideas in Excel, Transcription and summary in Teams, Loop AI suggestions, and Viva Insights. Google Workspace AI features: Gemini (if enabled), Smart Compose, Smart Reply, Explore in Sheets, Grammar suggestions in Docs, and meeting summaries in Meet. Most organizations use less than 20% of these bundled capabilities.

How do we prioritize which tools to keep versus eliminate?

Use a simple 2×2 matrix: utilization (high/low) and value (high/low). High utilization and high value: keep and potentially expand. High utilization and low value: investigate why heavy use doesn’t translate to outcomes. Low utilization and high value: training and adoption problem. Low utilization and low value: eliminate. When in doubt, pilot elimination for 30 days before permanent removal.

What happens after the audit is complete?

The audit produces three outputs: an inventory (what you have), an assessment (what it’s worth), and recommendations (what to change). Implementation follows three tracks: immediate cost reduction (cancel waste), capability improvement (train and configure existing tools), and strategic planning (inform future AI investments). Schedule quarterly check-ins to maintain visibility and annual re-audits to capture changes.

Should we hire an outside consultant for the audit?

Consider external help if you lack internal bandwidth, need objective perspective, want expertise in AI tool evaluation, or plan to use audit findings for strategic planning. AI Smart Ventures works with mid-sized companies to conduct audits that connect tool assessment to transformation strategy, ensuring you’re not just cutting costs but building capability.

What’s the biggest mistake companies make in AI stack audits?

Focusing only on cost reduction. Yes, eliminating waste matters. But audits that only cut spending miss the larger opportunity: finding capability gaps, identifying adoption barriers, and discovering integration opportunities that could transform operations. The best audits balance efficiency (spend less) with effectiveness (get more from what you spend).


Conclusion

Your AI stack is either an asset or a liability. Most mid-sized companies don’t know which because they’ve never looked.

The tools accumulated over the past two years weren’t part of a strategy. They were reactions: a webinar here, a free trial there, a vendor pitch that sounded compelling. Nobody tracked what got purchased, who actually uses it, or whether any of it delivers value.

That’s not a criticism. It’s how technology adoption works when AI tools explode onto the market faster than organizations can evaluate them. But what made sense as experimentation doesn’t make sense as ongoing investment.

An AI stack audit gives you clarity. You’ll know exactly what you’re paying for, who’s using it, and whether it’s worth keeping. You’ll find the shadow AI your team uses without telling anyone. You’ll discover features in existing platforms that nobody knew existed. And you’ll identify the gaps where AI could actually help but no tool currently fills.

Most companies find 15-30% of their AI spending delivers no measurable value. That’s money you can redirect toward tools that actually work, training that drives adoption, or integration that connects your systems.

Start with finance. Pull three months of credit card statements and software invoices. Search for AI-related spending. The number you find will likely surprise you, and that’s before counting the shadow AI your team uses without approval.

If the audit reveals significant waste, capability gaps, or security exposure you can’t address internally, schedule a consultation with AI Smart Ventures. We’ve helped close to 1,000 organizations cut through tool sprawl and build AI stacks that actually support their business. Our focus is maximizing what you already have, not selling you more platforms. The goal isn’t more AI. It’s AI that works.


This content is for informational purposes only and does not constitute professional business or technology advice. Results vary based on industry, existing systems, and implementation commitment.


About the Author

Nicole A. Donnelly is the Founder of AI Smart Ventures and an AI Adoption Specialist with 20 years of experience as a founder and CEO and over a decade leading AI adoption initiatives. She helps businesses integrate artificial intelligence with clarity and confidence, driving innovation and sustainable growth. Nicole has trained over 20,217 professionals in Applied AI, delivered 624 workshops, and worked with close to 1,000 organizations across diverse industries.

Expertise: AI Transformation, AI Strategy, AI Implementation, AI Adoption, Applied AI, Marketing, Business Operations
