AEGIS · Module 3 · Signal
Artifact 3.1
AI Inventory Dashboard
Single source of truth for every AI tool the enterprise uses, is evaluating, or has prohibited — with ownership, cost, data scope, and review cadence.
- Client
- [CLIENT NAME]
- Engagement
- [ENGAGEMENT ID]
- Version
- v1.0
- Issued
- 2026-05-18
Delivered by TechFides under the AEGIS Governance Operating Services engagement. This document is proprietary to the client named above. Redistribution beyond the engagement steering committee requires written consent.
Purpose
Intent — Without an inventory, governance is theoretical. The Inventory Dashboard is the operating record — what is in use, by whom, against which data — that every other AEGIS artifact references.
What this artifact is
The AI Inventory is a live register of every AI tool in the enterprise. Every record has a named owner, a status, a data-class scope, and a next-review date. Nothing runs in production that is not on this register.
How it connects to the other modules
- Policy Core (1.1): the Acceptable Use Policy defines what a user may do — the Inventory says which tools enable those uses.
- Shield (2.1, 2.2): every Approved record must link to a completed Data Classification scope and Vendor Risk Assessment.
- Deploy (4.x): workflows, prompts, and SOPs reference the Tool ID directly — renaming, retiring, or reclassifying a tool cascades into those artifacts.
- Brief (6.x): the Executive Dashboard and Board Pack read aggregate metrics straight off this inventory.
Status Taxonomy
Intent — Five statuses, five meanings. No tool sits in a sixth category.
| Status | Meaning | Data Allowed | Review Cadence |
|---|---|---|---|
| Approved | Cleared for production use by the listed roles against the listed data classifications. | Per tool — see 'Data Classes' column on the inventory row. | Annual, plus on any material change by the vendor. |
| Conditional | Permitted only under named conditions: specific users, specific data classes, or specific workflows. Outside those bounds the tool is prohibited. | Only as named in the 'Conditions' column. | Semiannual. Conditions are re-validated at each review. |
| Under Review | In active diligence (Artifact 2.2). Not yet permitted for production work. Pilot access may be granted in a sandbox. | Synthetic / non-production only. | Diligence completes within 30 days or the tool is retired. |
| Prohibited | Explicitly disallowed. Discovery of prohibited-tool use is an incident (Artifact 2.3). | None. | Re-evaluated only if the vendor or the risk materially changes. |
| Retired | Formerly in use. Access has been revoked, data exported or deleted, contract terminated. | None. | Retained in the register for audit lineage for two years. |
Record Schema
Intent — Every row in the inventory carries these fields. The required fields are non-negotiable — a row missing any one of them is invalid and must be either completed or removed.
| Field | Description | Required |
|---|---|---|
| Tool ID | Stable internal identifier (e.g., T-0041). | ● |
| Tool Name | Commercial name as it appears to users. | ● |
| Vendor | Legal vendor entity on the order form. | ● |
| Category | Chat assistant · Code assistant · Meeting notetaker · Image/video · Embeddings/search · Agent platform · Model API · Other. | ● |
| Status | Approved · Conditional · Under Review · Prohibited · Retired. | ● |
| Data Classes | P0/P1/P2/P3 allowed (references Artifact 2.1). | ● |
| Approved Uses | Narrative of sanctioned workflows. Anything unlisted is not approved. | ● |
| Owner | Named accountable individual — not a team or mailing list. | ● |
| Users / Seats | Count of active seats in the last 30 days. | ● |
| Annualized Cost | Fully loaded: license + usage + integration labor. | ● |
| Vendor Assessment | Link to the completed 2.2 Vendor Risk Assessment. | ● |
| Contract Term | Start / end / auto-renew flag. Drives the renewal dashboard. | ● |
| Last Reviewed | Date of the most recent governance review. | ● |
| Next Review Due | Computed from review cadence by status. | ● |
| Data Residency | Processing and storage regions. | ○ |
| Notes | Material constraints, open risks, or dependencies. | ○ |
Operating Dashboard
Intent — The eight metrics a governance owner watches at every review.
Approved tools
12
+2 QoQ
Conditional tools
5
+1 QoQ
Under review
3
2 past 30-day SLA
Prohibited tools
6
1 new this quarter
Active seats
548
+73 QoQ
Annualized AI spend
$612,400
+18% QoQ
Renewals next 90 days
4
$294,000
Reviews overdue
2
remediate by quarter-end
Current Inventory
Intent — The live register. Rows here are examples that the Diagnostic will replace with the client's real environment.
| ID | Tool | Vendor | Category | Status | Data Classes | Owner | Seats | Annualized Cost | Next Review |
|---|---|---|---|---|---|---|---|---|---|
| T-0001 | ChatGPT Enterprise | OpenAI | Chat assistant | Approved | P1, P2, P3 | Head of IT | 240 | $172,800 | 2026-11-01 |
| T-0002 | Claude for Work | Anthropic | Chat assistant | Approved | P1, P2, P3 | Head of IT | 210 | $126,000 | 2026-11-01 |
| T-0003 | GitHub Copilot Business | GitHub | Code assistant | Approved | P2, P3 (no P1 unless repo is private & flagged) | VP Engineering | 48 | $22,800 | 2026-09-15 |
| T-0004 | Otter.ai Business | Otter | Meeting notetaker | Conditional | P2, P3 only — never customer calls, never privileged. | Chief of Staff | 18 | $6,480 | 2026-06-30 |
| T-0005 | Perplexity Enterprise | Perplexity | Embeddings/search | Conditional | P2, P3 — prompt content only, no document upload. | Head of Research | 35 | $16,800 | 2026-07-15 |
| T-0006 | Midjourney Pro | Midjourney | Image/video | Under Review | Synthetic only — pilot sandbox. | Head of Marketing | 4 | $1,440 | 2026-05-10 |
| T-0007 | DeepSeek Chat (public) | DeepSeek | Chat assistant | Prohibited | None. | CISO | 0 | $0 | — |
| T-0008 | Glean | Glean | Embeddings/search | Under Review | Pilot — P2 only, scoped to Engineering docs. | VP Engineering | 25 | $60,000 (pending) | 2026-05-01 |
| T-0009 | Grammarly (free) | Grammarly | Other | Retired | None. | — | 0 | $0 | — |
| T-0010 | [NEW TOOL] | [VENDOR] · fill remaining fields during intake | |||||||
Intake, Change, and Retirement Workflows
Intent — Three lightweight workflows that keep the inventory honest — anything else lets drift creep in.
Intake: new tool request
- Requester files an intake form naming the business use, data classes, and preferred tool.
- AI Governance Lead creates the record with status Under Review.
- Vendor Risk Assessment (2.2) and Data Map update (2.1) are initiated.
- Decision within 30 days: Approved, Conditional, or Prohibited. No decision in 30 days → default Prohibited.
- Policy update (1.1) and RACI entry (1.2) published alongside the approval.
Change: reclassification, expansion, ownership transfer
- Change owner submits a change note to the Governance Lead.
- Impact assessed against affected workflows (4.1), prompts (4.2), and SOPs (4.3).
- Record updated; affected artifacts are regenerated or flagged for review.
- Change logged with effective date and reviewer.
Retirement: planned and unplanned
- Announce retirement date; freeze new seats.
- Export data, revoke access, confirm vendor deletion under contract terms.
- Record flipped to Retired; retained in the register for two years for audit.
- Unplanned retirement (vendor failure, incident) follows Artifact 2.3 incident runbook.
Governance Metrics
Intent — What the steering committee reviews — inventory is an operating asset, not a document.
Monthly
- New records added · status changes · retirements.
- Reviews overdue — count and named owners.
- Shadow AI findings (Artifact 3.2) folded into intake queue.
Quarterly
- Total annualized AI spend vs. budget.
- Seats utilization — approved tools with sub-30% active seat rate are candidates for retirement.
- Renewal pipeline for the next 90 days with commercial and security posture.
- Concentration risk — vendors representing >30% of AI spend or data.
Annually
- Full re-attestation: every owner confirms every record they hold.
- Taxonomy review — statuses and categories still fit the tool landscape.
- Data-residency and sovereignty posture vs. regulatory footprint.
Regulatory Mapping
Intent — A current, owned AI inventory is the evidentiary foundation auditors, customers, and regulators are increasingly asking for.