Owner: CoE Lead + IT + Procurement.
Input: Standards defined.
Sub-steps:
- List every SaaS application the company already uses (CRM, ERP, ticketing, email, docs, code copilots, recording, HR, marketing, etc.).
- For each, answer: Does it have an AI / GenAI feature? If yes:
  - Which features are enabled today?
  - What data does the feature touch?
  - Is the feature opt-in or default-on?
  - Risk classification using the same rubric as internal agents (Step A6).
- Add each AI feature into the registry as a separate entry with Source = Vendor-embedded.
- Flag any High-risk vendor feature that's currently turned on without an explicit approval — those need an approval decision (turn off, scope down, or document an approval).
Output / gate criteria: Registry contains an entry for every AI feature in every existing SaaS tool. High-risk gaps flagged for follow-up.
Decision branches:
- A vendor doesn't disclose what AI features it has → that's a procurement signal. Note it for the next renewal.
Skip-this-step risk: The largest source of shadow AI in most companies. PII leaks via "AI Assist" features no one reviewed.
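The registry entry shape and the gate check described in this step, as an added Python illustration (not the playbook's own tooling). The SaaS inventory is constructed sample data, and `classify_risk` is an assumed stand-in for the Step A6 rubric, which this page refers to but does not reproduce; a real registry would record the classification the A6 rubric produces.

```python
"""Vendor-embedded AI feature registry with this step's gate check.

Added example, not part of the original playbook. Inventory data is constructed;
the risk rubric is an assumption standing in for the page's Step A6 rubric.
"""
from dataclasses import dataclass

# Constructed sample inventory: one dict per SaaS tool.
# 'ai_features' is None when the vendor does not disclose whether it has AI features.
SAAS_INVENTORY = [
    {"tool": "CRM", "ai_features": [
        {"name": "Email draft assist", "enabled": True, "default_on": True,
         "data_touched": ["customer PII", "email bodies"], "approved": False},
    ]},
    {"tool": "Ticketing", "ai_features": [
        {"name": "Ticket summarisation", "enabled": True, "default_on": False,
         "data_touched": ["ticket text"], "approved": True},
    ]},
    {"tool": "HR platform", "ai_features": [
        {"name": "Candidate ranking", "enabled": False, "default_on": False,
         "data_touched": ["employee PII", "candidate PII"], "approved": False},
    ]},
    {"tool": "Meeting recorder", "ai_features": None},  # vendor does not disclose
]

# Assumed sensitive data categories for the stand-in rubric.
SENSITIVE = {"customer PII", "employee PII", "candidate PII", "source code", "credentials"}


@dataclass
class RegistryEntry:
    """One registry row per AI feature; Source is always Vendor-embedded for this step."""
    tool: str
    feature: str
    enabled: bool
    default_on: bool
    data_touched: list
    risk: str
    approved: bool
    source: str = "Vendor-embedded"


def classify_risk(data_touched, default_on):
    """Stand-in rubric (assumption, not the page's Step A6 rubric):
    High if the feature touches sensitive data, Medium if it is default-on, else Low."""
    if any(d in SENSITIVE for d in data_touched):
        return "High"
    return "Medium" if default_on else "Low"


def build_registry(inventory):
    """Add each disclosed AI feature as a separate registry entry."""
    entries = []
    for tool in inventory:
        for f in tool["ai_features"] or []:
            entries.append(RegistryEntry(
                tool=tool["tool"], feature=f["name"], enabled=f["enabled"],
                default_on=f["default_on"], data_touched=list(f["data_touched"]),
                risk=classify_risk(f["data_touched"], f["default_on"]),
                approved=f["approved"]))
    return entries


def unapproved_high_risk(registry):
    """High-risk features currently on without explicit approval: need a decision."""
    return [e for e in registry if e.risk == "High" and e.enabled and not e.approved]


def procurement_signals(inventory):
    """Vendors that do not disclose their AI features: note for the next renewal."""
    return [t["tool"] for t in inventory if t["ai_features"] is None]


def gate_check(inventory, registry):
    """Gate: every disclosed AI feature has a registry entry; high-risk gaps are listed."""
    expected = {(t["tool"], f["name"]) for t in inventory for f in (t["ai_features"] or [])}
    registered = {(e.tool, e.feature) for e in registry}
    missing = sorted(expected - registered)
    return {
        "complete": not missing,
        "missing": missing,
        "needs_approval_decision": [(e.tool, e.feature) for e in unapproved_high_risk(registry)],
        "procurement_signals": procurement_signals(inventory),
    }


if __name__ == "__main__":
    reg = build_registry(SAAS_INVENTORY)
    for e in reg:
        print(f"{e.tool:18} {e.feature:22} risk={e.risk:6} enabled={e.enabled} approved={e.approved}")
    print(gate_check(SAAS_INVENTORY, reg))
```

Running it on the constructed inventory flags the CRM draft assistant (default-on, touches customer PII, never approved) for an approval decision, leaves the disabled HR feature unflagged even though it is High-risk, and records the non-disclosing meeting recorder as a procurement signal rather than a registry entry.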