saloid. ~/self-check

// self-check · print or forward

The 20-minute AI-tool self-check

For firms handling confidential data. Twenty minutes, done with your team, not to them — the goal is an honest picture. Print this, or forward it to a colleague.

  1. 01

    Inventory what’s actually installed

    Every AI tool on the team’s machines — desktop apps, browser extensions, plug-ins in Office or the CRM. Ask directly, without blame. What was licensed is not what’s running. You can’t govern what you haven’t named.

  2. 02

    Check the account behind each tool

    Personal login or firm/business account? Is a data processing agreement (Auftragsverarbeitungsvertrag) in place? Is “use my data to improve the model” off? A personal account with no agreement is the first thing to fix.

  3. 03

    Audit the connectors

    What can each tool reach — mail, files, calendar, CRM? Check the app’s settings and your OS privacy panel. Revoke everything not consciously, currently needed. An unused connector is risk with no benefit.

  4. 04

    Find history & retention settings

    Learn how to view and delete conversation history. Check whether chats are cached locally. Ask the lost-laptop question out loud: if this machine walked out tonight, what client data would walk with it?

  5. 05

    Set the interim rule today

    Until a tool is sanctioned — contract and controls behind it — nothing with a name in it. No client names, no case details, no patient data into an ungoverned tool. Anonymize, or wait.

  6. 06

    Write one paragraph of policy

    Which tools are allowed, which accounts, and the no-names rule. One written paragraph beats zero pages of good intentions — a clear line for the team, something for you to point to. It needn’t be long to be real.

The one rule to adopt before anything else

Nothing with a name in it goes into an ungoverned AI tool. Anonymize, or wait for a sanctioned path.