// self-check · print or forward
The 20-minute AI-tool self-check
For firms handling confidential data. Twenty minutes, done with your team, not to them — the goal is an honest picture. Print this, or forward it to a colleague.
- 01
Inventory what’s actually installed
Every AI tool on the team’s machines — desktop apps, browser extensions, plug-ins in Office or the CRM. Ask directly, without blame. What was licensed is not what’s running. You can’t govern what you haven’t named.
- 02
Check the account behind each tool
Personal login or firm/business account? Is a data processing agreement (Auftragsverarbeitungsvertrag) in place? Is “use my data to improve the model” off? A personal account with no agreement is the first thing to fix.
- 03
Audit the connectors
What can each tool reach — mail, files, calendar, CRM? Check the app’s settings and your OS privacy panel. Revoke everything not consciously, currently needed. An unused connector is risk with no benefit.
- 04
Find history & retention settings
Learn how to view and delete conversation history. Check whether chats are cached locally. Ask the lost-laptop question out loud: if this machine walked out tonight, what client data would walk with it?
- 05
Set the interim rule today
Until a tool is sanctioned — contract and controls behind it — nothing with a name in it. No client names, no case details, no patient data into an ungoverned tool. Anonymize, or wait.
- 06
Write one paragraph of policy
Which tools are allowed, which accounts, and the no-names rule. One written paragraph beats zero pages of good intentions — a clear line for the team, something for you to point to. It needn’t be long to be real.
The one rule to adopt before anything else
Nothing with a name in it goes into an ungoverned AI tool. Anonymize, or wait for a sanctioned path.