The four steps
- Hour 0. Send the survey email. 8-hour deadline.
- Hour 1. Pull the SSO and SaaS lists.
- Hour 2. Install Northbeams on a representative subset.
- Hour 24. Triage with the three-bucket method.
Why 24 hours is the right deadline
Two reasons. First, an inventory that takes a week is an inventory that ages a week before anyone reads it. Shadow AI moves quickly: a new desktop app, a new CLI agent, or a new "AI feature" inside an existing SaaS appears every few days. The point of the inventory is to start a conversation, not to be perfect.
Second, 24 hours is the window your stakeholder gives you. Auditors, board members, customers asking on a security questionnaire, and CFOs reading an IBM headline all have the same patience: about a day. If you can answer "we have 27 tools, here are the categories, here is what we are doing about it" by tomorrow, you control the narrative. If you say "give me a quarter," someone else writes the policy.
Step 01 · Hour 0
Send the survey email.
Time to send: 5 minutes. Deadline for responses: 8 hours.
The survey is the easiest signal to collect and the most-skipped step. Most IT leads assume employees will not respond. Most employees, in 2026, are happy to. AI tools are a status signal at work; people like to list theirs.
Send this in your company-wide channel (Slack, Teams, or email). Resist the urge to add caveats:
Two things this email gets right: it is short, and it explicitly says "blameless" and "personal accounts are fine to list." Both signals matter. In Northbeams customer surveys, response rates jump from 30% to 70%+ when employees believe the survey is not a setup.
Expect the response set to surface 60% to 70% of your real AI tool list. The remaining 30% to 40% (the long tail, including the ones nobody wants to admit to) gets caught by the install step.
Step 02 · Hour 1
Pull the SSO and SaaS lists.
Time: 30 to 45 minutes.
Two exports cover most of the sanctioned-but-undocumented surface:
Pull A: SSO app list
From your SSO provider (Okta, Google Workspace, Microsoft Entra), export the list of all assigned applications. Filter for anything matching "AI", "GPT", "Claude", "Gemini", "Copilot", "Notion", "Granola", "Cursor", "Otter", "Fireflies", "Perplexity", or your favorite AI vendor. The result is the set of AI tools your company has formally sanctioned at the auth layer.
Most SMBs are surprised by what is on this list. Typical surprises are SSO apps assigned years ago and never reviewed, and AI features inside parent apps that quietly arrive in an updated SAML scope.
Pull B: SaaS billing list
From Vendr, Spendesk, Ramp, or your finance system, export the list of all paid SaaS subscriptions. Same filter as above. The result is the set of AI tools your company is paying for, sanctioned or not.
The intersection of "on SSO" and "on the bill" is your sanctioned set. The "on the bill but not on SSO" set is usually where the cost-control conversation lives. The "on SSO but not on the bill" set is the "we forgot we had this" set.
Note that both pulls miss everything that runs on personal accounts, free tiers, or expense reports. Step 3 catches those.
Step 03 · Hour 2
Install Northbeams to fill in the gaps.
Time: 30 minutes setup, 12 hours of measurement.
The survey catches what employees admit to. The SSO and SaaS pulls catch what the company pays for. Northbeams catches what is actually running on the laptop.
For a 24-hour discovery, you do not need full-fleet rollout. Pick a representative subset and install both surfaces:
- Pick the cohort. Aim for 25% to 30% of headcount, weighted toward the noisiest functions. Engineering, sales, marketing, customer success, executive. Skip teams where the answer is obviously zero (warehouse, frontline ops without laptops).
- Install the browser extension. Send the cohort the Chrome Web Store link from /download with a one-line install instruction. Most employees install it in under 60 seconds.
- Install the desktop app on Mac and PC. Run the signed .pkg on Mac and the signed .msi on PC. If you have MDM (Intune, Jamf, Kandji), push it that way; if you do not, send the cohort the download link with a one-paragraph note.
- Pair with the workspace. Each install pairs to your Northbeams workspace through the same sign-in, so one workspace key per employee covers both surfaces.
- Wait 12 hours. Long enough to catch one full work cycle: morning standup AI use, midday writing AI use, afternoon coding-agent use.
After the 12-hour window, the Northbeams dashboard shows every AI tool that ran on the cohort's laptops, every recognized desktop AI app, every CLI coding agent, and every prompt-level sensitive finding from the browser extension. If you are using the free 14-day trial, you have full access during the window.
Step 04 · Hour 24
Triage with the three-bucket method.
Time: 90 minutes for a 50-person company.
At hour 24 you have a list. Maybe 27 tools. Maybe 40. Now sort them. The three-bucket method is the fastest defensible triage:
| Bucket | Definition | Action |
|---|---|---|
| Sanctioned | Tool is paid for by the company, has a DPA, and is on SSO. Auditor accepts it. | Document. Add to your AI inventory page. Continue. |
| Allowed-but-watch | Tool is fine to use but should be on the company plan, not personal accounts, and should not receive certain data categories. | Send the user-policy email. Provision sanctioned accounts. Add a one-line "do-not-paste" rule. Re-check in 30 days. |
| Blocked | Tool is genuinely out-of-policy: regulated-data exposure, free-tier with training-on-data, or a redundant version of a sanctioned tool. | Notify users. Redirect to a sanctioned alternative. Set a Northbeams Block policy on the tool. |
Most tools land in Allowed-but-watch. The Sanctioned bucket is small, because most SMBs have not done formal AI procurement. The Blocked bucket is also small; usually one or two tools, often consumer ChatGPT or a free Claude account where a paid version exists.
For each Allowed-but-watch tool, send the user a one-line policy. The brand-voice rule applies: short, specific, no hedge words. "Use the company-paid Claude account, not your personal one. The dashboard at /why explains why."
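As an added example (not Northbeams code), the set arithmetic of step 2 and the bucket rules of step 4 in one Python script: the keyword filter, the three SSO/billing sets, and a `bucket()` function that encodes the table above. The exports and tool records are constructed, and the `Tool` fields (`has_dpa`, `regulated_data_seen`, and so on) are assumed names for facts you fill in from the pulls and the hour-24 findings.

```python
import re
from dataclasses import dataclass

# Step 2 keyword filter. "ai" gets a word boundary so "Mailchimp" does not match.
AI_PATTERN = re.compile(r"\bai\b|gpt|claude|gemini|copilot|notion|granola|cursor"
                        r"|otter|fireflies|perplexity", re.IGNORECASE)

def normalize(name: str) -> str:
    """Exports spell vendors differently ("ChatGPT Team" vs "chatgpt team ")."""
    return " ".join(name.casefold().split())

def reconcile(sso_export: list[str], billing_export: list[str]) -> dict[str, set[str]]:
    sso = {normalize(a) for a in sso_export if AI_PATTERN.search(a)}
    billed = {normalize(a) for a in billing_export if AI_PATTERN.search(a)}
    return {"sso_and_bill": sso & billed,   # sanctioned candidates
            "bill_not_sso": billed - sso,   # the cost-control conversation
            "sso_not_bill": sso - billed}   # "we forgot we had this"

@dataclass
class Tool:
    name: str
    on_sso: bool
    paid_by_company: bool
    has_dpa: bool
    regulated_data_seen: bool = False       # hour-24 sensitive-data finding
    free_tier_trains_on_data: bool = False
    sanctioned_alternative: str = ""        # set when redundant with a paid tool

def bucket(t: Tool) -> str:
    # Sanctioned is tested first: paid + DPA + SSO is what the auditor accepts,
    # even when the tool legitimately handles regulated data under that DPA.
    if t.on_sso and t.paid_by_company and t.has_dpa:
        return "Sanctioned"
    if t.regulated_data_seen or t.free_tier_trains_on_data or t.sanctioned_alternative:
        return "Blocked"
    return "Allowed-but-watch"

def triage(tools: list[Tool]) -> dict[str, list[str]]:
    out: dict[str, list[str]] = {"Sanctioned": [], "Allowed-but-watch": [], "Blocked": []}
    for t in tools:
        out[bucket(t)].append(t.name)
    return out

# Constructed sample exports and hour-24 tool records (not real customer data).
SSO_EXPORT = ["ChatGPT Team", "GitHub Copilot", "Mailchimp", "Otter.ai", "Okta"]
BILLING_EXPORT = ["chatgpt team", "Cursor", "Granola", "Mailchimp"]
TOOLS = [Tool("ChatGPT Team", True, True, True),
         Tool("Cursor", False, True, False),
         Tool("ChatGPT (personal)", False, False, False, sanctioned_alternative="ChatGPT Team"),
         Tool("Gemini free tier", False, False, False, free_tier_trains_on_data=True)]
```

The `sanctioned_alternative` and `regulated_data_seen` flags are what turn the hour-24 findings into a defensible Blocked decision; everything else defaults to Allowed-but-watch, matching where most tools land.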
What you have by hour 24
A short list of artifacts you can hand to the auditor, the CFO, the board, or the customer who asked:
- An inventory of every AI tool in use (sanctioned, allowed, or blocked).
- A per-tool decision (which bucket and why).
- A Northbeams dashboard showing live coverage so the inventory does not go stale next week.
- A one-page user policy ("here is what we sanctioned and here is what we ask you not to do") that you can paste into your AI policy doc.
- A baseline number you can quote: "We have N AI tools, M sanctioned, K blocked, and we will refresh this monthly."
That is the artifact that buys you a quarter of breathing room. By the end of the quarter, you can replace the cohort install with a full-fleet rollout, integrate SSO at the Lighthouse or Sentinel tier, and start producing the audit-ready exports at /audit-prep.
FAQ
What if my company is bigger than 50 people?
The same playbook works up to about 250. Above that, scale the cohort to 10% to 15% of headcount and weight it toward functions where AI is highest (engineering, customer success, marketing). Above 1,000, the playbook still works for the survey and SSO/SaaS steps; the install step needs MDM rollout planning.
What if employees do not respond to the survey?
You still have the SSO pull, the SaaS pull, and the Northbeams install. The survey is a nice-to-have. If response rates are low, the install step recovers most of what the survey would have caught.
Do I need to install Northbeams on personal devices?
No. Cover company-managed devices and document the gap. Most auditors accept "we cover company-managed devices" as a defensible posture in 2026.
Can I do this entirely without Northbeams?
You can do steps 1, 2, and 4 without Northbeams. Step 3 is the one that catches the long tail, including desktop apps and CLI agents that never touch SSO and never appear on the SaaS bill. Without it, you will miss roughly 30% of the real list.
Does this work for the EU AI Act Article 4 inventory requirement?
Yes. The Northbeams export at the end of step 3 includes the artifact format auditors look for: tool name, business purpose, sensitive-data categories caught, and policy decision per tool. The deeper EU AI Act guide is at /eu-ai-act-readiness.
How often should I rerun this playbook?
Quarterly for the survey and the bucket review. Continuously for the dashboard (Northbeams stays on after install). Most customers re-run the whole playbook annually as part of their security review cycle.
Start the 24-hour clock now.
Free 14-day Sentinel trial. No card. Install the browser extension and the desktop app, send the survey, and you are halfway done already.