AI Tool Inventory Tracker
This template defines the columns for an AI tool inventory spreadsheet. Maintain one row per tool instance. "Tool instance" means one product from one vendor under one contract; if the same vendor's product is used under two separate contracts (e.g. a team license and an enterprise license), create two rows. The inventory should be reviewed quarterly and updated immediately when a tool is added, retired, or changes risk status.
Format: CSV or spreadsheet (Excel / Google Sheets / Airtable)
Owner: [IT / Security / Procurement]
Last audited: [Date]
Next scheduled audit: [Date]
Column Definitions
Identity
| Column | Data type | Required | Notes |
|--------|-----------|----------|-------|
| tool_id | Text (auto or manual, e.g. AI-001) | Yes | Unique identifier. Never reuse a retired ID. |
| tool_name | Text | Yes | Commercial product name as the vendor uses it. |
| vendor_name | Text | Yes | Legal entity name of the vendor. |
| vendor_website | URL | Yes | Vendor's primary domain. |
| product_url | URL | No | Direct link to the product or service page. |
| category | Enum | Yes | See category list below. |
| description | Text | Yes | One or two sentences on what the tool does and who uses it at [Company]. |
Category values: Text generation, Code generation, Image generation, Audio/transcription, Video, Search/research, Agent/automation, Data analysis, Custom/internal, Other.
Business ownership
| Column | Data type | Required | Notes |
|--------|-----------|----------|-------|
| business_owner | Text | Yes | Name of the person accountable for the tool's use. Usually a department head. |
| business_owner_email | Email | Yes | — |
| department | Text | Yes | Primary department using the tool. |
| approx_users | Integer | Yes | Approximate number of active users. Review quarterly. |
| use_case | Text | Yes | Primary business use case(s). Enough detail that a reviewer understands what data flows through it. |
Contract and procurement
| Column | Data type | Required | Notes |
|--------|-----------|----------|-------|
| contract_status | Enum | Yes | Active, Pending renewal, Expired, Trial, Free tier, Cancelled. |
| contract_start | Date | Yes | — |
| contract_end | Date | Yes | — |
| renewal_notice_days | Integer | No | Days of advance notice required for renewal or cancellation. Set a calendar reminder. |
| annual_cost_usd | Integer | No | Approximate annual cost. Used for spend visibility, not accounting. |
| procurement_contact | Text | No | Name of the vendor account manager or procurement contact. |
Data and security
| Column | Data type | Required | Notes |
|--------|-----------|----------|-------|
| data_classification_max | Enum | Yes | Highest classification of data permitted to flow into this tool: Public, Internal, Confidential, Restricted. Determined by the vendor evaluation. |
| data_types | Text | Yes | Specific types of data processed (e.g. "customer emails, internal documentation, source code"). |
| training_opt_out | Enum | Yes | Yes (data is not used for training), No (data may be used for training), Unknown. |
| zero_data_retention | Boolean | Yes | Whether vendor confirms no server-side logging of inputs/outputs. |
| data_residency | Text | No | Region(s) where [Company] data is processed and stored. |
| dpa_signed | Boolean | Yes | Whether a Data Processing Agreement is in place. |
| dpa_date | Date | No | Date the current DPA was signed. |
Compliance and certifications
| Column | Data type | Required | Notes |
|--------|-----------|----------|-------|
| soc2_type2 | Boolean | Yes | Whether vendor holds a current SOC 2 Type II report. |
| soc2_report_date | Date | No | Date of the most recent SOC 2 Type II report. |
| iso27001 | Boolean | No | Whether vendor holds a current ISO 27001 certificate. |
| other_certifications | Text | No | Any other relevant certifications (PCI DSS, HIPAA BAA, FedRAMP, etc.). |
Evaluation and review history
| Column | Data type | Required | Notes |
|--------|-----------|----------|-------|
| evaluation_status | Enum | Yes | Approved, Conditional, Pending evaluation, Rejected, Grandfathered. |
| evaluation_date | Date | Yes | Date of the most recent vendor evaluation. |
| evaluator | Text | Yes | Name of the security reviewer who completed the evaluation. |
| next_review_date | Date | Yes | Scheduled date for next review. Maximum 12 months from last evaluation. |
| risk_notes | Text | No | Any conditions, exceptions, or risk flags attached to the approval. |
Status
| Column | Data type | Required | Notes |
|--------|-----------|----------|-------|
| status | Enum | Yes | Active, Retired, Suspended. |
| retired_date | Date | No | Date the tool was retired or suspended. |
| retirement_notes | Text | No | Reason for retirement and confirmation of data deletion (include vendor confirmation reference). |
Starter Row (Example)
```
tool_id: AI-001
tool_name: [Product Name]
vendor_name: [Vendor Legal Name]
vendor_website: https://[vendor].com
category: Text generation
description: Used by the marketing team to draft first-pass copy for web and email campaigns.
business_owner: [Name]
department: Marketing
approx_users: 12
use_case: Marketing copy drafts — internal data only, no customer PII
contract_status: Active
contract_end: [Date]
data_classification_max: Internal
training_opt_out: Yes
zero_data_retention: No
dpa_signed: Yes
soc2_type2: Yes
evaluation_status: Approved
evaluation_date: [Date]
next_review_date: [Date +12 months]
status: Active
```
Governance Notes
- Any tool with `evaluation_status` "Grandfathered" must complete a full evaluation by [Date] or be retired.
- Tools where `training_opt_out` is "No" or "Unknown" may not process data classified above "Public" without explicit approval from [Security].
- `approx_users` above [N] triggers an enterprise contract review regardless of contract status.
- The inventory is the authoritative source for the AI Tool count reported to the board each quarter.
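One way to check an exported inventory against the column definitions and governance notes above, as an added example that is not part of the original template. It assumes rows are loaded as dicts (for instance with `csv.DictReader`) and dates are stored as ISO 8601; it checks only the enum columns listed in `ENUMS` and treats a missing classification as non-Public.

```python
from datetime import date

# Required columns and enum values copied from the column tables in this template.
REQUIRED = ("tool_id tool_name vendor_name vendor_website category description "
            "business_owner business_owner_email department approx_users use_case "
            "contract_status contract_start contract_end data_classification_max "
            "data_types training_opt_out zero_data_retention dpa_signed soc2_type2 "
            "evaluation_status evaluation_date evaluator next_review_date status").split()
ENUMS = {"training_opt_out": {"Yes", "No", "Unknown"},
         "data_classification_max": {"Public", "Internal", "Confidential", "Restricted"},
         "evaluation_status": {"Approved", "Conditional", "Pending evaluation",
                               "Rejected", "Grandfathered"},
         "status": {"Active", "Retired", "Suspended"}}

def audit(rows):  # rows: dicts as yielded by csv.DictReader
    findings, seen = [], set()
    for row in rows:
        tid = (row.get("tool_id") or "").strip() or "<no id>"
        found = [f"missing required column {c}" for c in REQUIRED
                 if not (row.get(c) or "").strip()]
        found += [f"invalid value for {c}" for c, ok in ENUMS.items()
                  if row.get(c) and row[c] not in ok]
        if tid in seen:  # the template says never to reuse a tool_id
            found.append("tool_id already used by another row")
        seen.add(tid)
        # Governance note: opt-out "No"/"Unknown" limits the tool to Public data.
        if (row.get("training_opt_out") in ("No", "Unknown")
                and row.get("data_classification_max") != "Public"):
            found.append("training opt-out unconfirmed above Public: needs Security approval")
        try:  # assumption: dates are stored as ISO 8601 (YYYY-MM-DD)
            ev = date.fromisoformat(row.get("evaluation_date") or "")
            nxt = date.fromisoformat(row.get("next_review_date") or "")
            if (nxt.year, nxt.month, nxt.day) > (ev.year + 1, ev.month, ev.day):
                found.append("next_review_date is more than 12 months after evaluation_date")
        except ValueError:
            found.append("evaluation_date or next_review_date is not an ISO date")
        findings += [(tid, msg) for msg in found]
    return findings

# Constructed sample rows (not real inventory data).
BASE = dict.fromkeys(REQUIRED, "placeholder") | {
    "training_opt_out": "Yes", "data_classification_max": "Internal", "status": "Active",
    "evaluation_status": "Approved", "evaluation_date": "2025-01-15",
    "next_review_date": "2026-01-15"}
SAMPLE = [BASE | {"tool_id": "AI-001"},
          BASE | {"tool_id": "AI-002", "training_opt_out": "Unknown"},
          BASE | {"tool_id": "AI-003", "next_review_date": "2026-06-01", "evaluator": ""},
          BASE | {"tool_id": "AI-001", "status": "Retired"}]
```

Calling `audit(SAMPLE)` returns one finding for AI-002, two for AI-003 and one for the reused AI-001; an empty list means every row passed these checks.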