By Stefan Efros, CEO & Founder, EFROS · Reviewed by Stefan Efros, CEO & Founder, EFROS

Tool · AI Inventory Mapper

A living inventory of every AI tool in your org.

NIST AI RMF GOVERN-1.4 calls the AI inventory the foundational control. Colorado AI Act SB 24-205 deployer obligations stack on top of it. HIPAA BAA matrix, SR 11-7 model risk, CMMC coverage — every framework starts with the same question: which AI systems do you actually have? This is the answer sheet. Browser-resident, CSV-exportable, auto-tier classified, no signup.

Free · saves locally · no signup · Auto-tier per NIST AI RMF + Colorado AI Act · CSV export · audit-ready

Add an AI tool

Risk tier auto-calculates from PHI/PII handling + use-case impact. High-impact use cases include: clinical decision, financial decision, hiring, lending, employee evaluation, customer eligibility.


Your inventory saves locally in your browser. For team-shared inventory, role-based access, nightly auto-discovery of new AI tools across your tenant, and per-tool BAA + framework mapping reports, talk to EFROS.

Get the AI Inventory template + framework mapping PDF.

The PDF includes a printable AI inventory schema, NIST AI RMF GOVERN-1.4 / MAP-1 mapping, Colorado AI Act high-risk deployer obligations, HIPAA / SR 11-7 / CMMC overlays, and an audit-ready vendor diligence checklist.


How the auto-tier works

Two inputs. Three risk tiers.

The tier matrix is intentionally simple — it mirrors how NIST AI RMF GOVERN-1.4 + Colorado AI Act SB 24-205 deployer obligations stack. PHI/PII tells you the privacy overlay; use-case impact tells you the consequential-decision overlay. The intersection drives obligations.

High Risk

PHI/PII handled AND high-impact use case

Example: ChatGPT Enterprise used by claims adjusters to draft customer eligibility decisions (touches PHI + customer eligibility = high-impact)

Medium Risk

PHI/PII handled (low-impact use) OR high-impact use case (no PHI/PII)

Example: Microsoft 365 Copilot drafting internal HR documents (touches PII, low-impact use) OR ChatGPT for code review on non-CUI repos (no PII, but code-review is low-impact regardless)

Low Risk

No PHI/PII AND low-impact use

Example: Notion AI for internal wiki summarization on a public knowledge base, or GitHub Copilot autocomplete on open-source projects

High-impact use cases (auto-detected by keyword)

  • Clinical decision support
  • Financial decision (credit, fraud scoring)
  • Hiring (resume screening, candidate ranking)
  • Lending decisions
  • Employee evaluation / performance
  • Customer eligibility (insurance, benefits)

Use cases not matching these keywords default to low-impact. If your use case warrants high-impact classification but doesn't match a listed keyword, type a variant — substring match is case-insensitive (e.g. "clinical decision support", "automated hiring screen", "customer eligibility determination" all classify as high-impact).

Why inventory comes first

Every framework starts here.

NIST AI RMF GOVERN-1.4 + MAP-1

NIST AI Risk Management Framework 1.0 calls a documented AI inventory the foundational GOVERN function. Without it, every downstream control (impact assessment, vendor diligence, human oversight) lacks a defensible scope. Auditors start here.

Colorado AI Act SB 24-205 deployer obligations

Colorado's AI Act (effective Feb 2026) defines deployer obligations against specific 'high-risk AI systems.' You cannot evidence which systems are in scope without an inventory tagging use case + impact. Same logic applies to NYC LL144, CA AB 2013, IL HB 3773.

HIPAA + SR 11-7 + CMMC overlays

For HIPAA-covered entities, every AI tool touching PHI needs a BAA; for SR 11-7 banks, every AI used in credit/lending/fraud is a 'model' under MRM; for CMMC, AI tools processing CUI need control coverage. The inventory is the master list that feeds every overlay.

Shadow AI surfacing

Most organizations underestimate their AI footprint by 3-5x. Embedded SaaS AI (Notion AI, Salesforce Einstein, Zoom AI Companion, GitHub Copilot, Microsoft 365 Copilot) frequently bypasses procurement. A living inventory is the only practical defense.

Who runs this

Roles that need a defensible AI inventory.

CISO / Compliance Officer

Show auditors a current AI inventory with risk-tier classification on day one. Re-export quarterly for board reporting. The CSV is import-ready for any GRC tool (Vanta, Drata, Hyperproof, OneTrust).

General Counsel

Surface which deployed AI systems trigger Colorado AI Act high-risk treatment, NYC LL144 bias-audit obligations, or HIPAA BAA requirements. Use the inventory as the triage list before approving the next quarter's AI procurement.

Privacy Officer / DPO

Map every AI tool against PHI/PII exposure for HIPAA, CMIA, MHMDA, NY SHIELD, TX MRPA. The auto-tier helps identify the rows that need a privacy impact assessment versus baseline acceptable-use policy coverage.

CFO / CIO

AI procurement spend has historically run through IT and individual department budgets without consolidation. The inventory surfaces overlapping subscriptions, low-utilization tools, and vendor concentration risk for the next budget cycle.

FAQ

Questions about the inventory.

Does my data leave my browser?

No. The inventory is stored in your browser's localStorage. Nothing transmits to EFROS servers, third parties, or analytics. The CSV export is generated client-side. The only optional network call is the email gate at the bottom, which only fires if you submit the PDF template request.

How is risk tier calculated?

Two inputs: PHI/PII handled (Yes/No) and use-case impact (auto-detected from keywords like 'clinical decision,' 'hiring,' 'lending,' 'customer eligibility'). The matrix: PHI/PII + high-impact = High; PHI/PII + low-impact = Medium; no PHI/PII + high-impact = Medium; no PHI/PII + low-impact = Low. This mirrors how NIST AI RMF GOVERN-1.4 + Colorado AI Act SB 24-205 deployer obligations stack.
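The matrix in "How the auto-tier works" and the FAQ answer above, implemented as browser-side JavaScript. This is an added example, not the EFROS tool's own code: the keyword list, the six-column row schema and the sample rows are assumptions reconstructed from the page's bullet list and worked examples. The CSV encoder also neutralises leading formula characters, a check the page's "import-ready for any GRC tool" export should carry since the use-case column is free text.

```javascript
// Added example (not the EFROS tool's own code). The keyword list, column schema
// and sample rows are assumptions reconstructed from this page's bullets and FAQ.
const HIGH_IMPACT_KEYWORDS = [
  "clinical decision", "financial decision", "credit", "fraud scoring",
  "hiring", "resume screening", "candidate ranking", "lending",
  "employee evaluation", "performance review", "customer eligibility",
];

// Use-case impact: case-insensitive substring match against the keyword list.
function isHighImpact(useCase) {
  const text = String(useCase || "").toLowerCase();
  return HIGH_IMPACT_KEYWORDS.some((kw) => text.includes(kw));
}

// Two-input matrix from the FAQ: PHI/PII AND high-impact = High;
// exactly one of the two = Medium; neither = Low. Nothing else feeds the tier.
function riskTier(handlesPhiPii, useCase) {
  const high = isHighImpact(useCase);
  if (handlesPhiPii && high) return "High";
  if (handlesPhiPii || high) return "Medium";
  return "Low";
}

// One inventory row with its auto-calculated tier attached.
function makeRow(tool, vendor, owner, useCase, handlesPhiPii) {
  return { tool, vendor, owner, useCase, handlesPhiPii, tier: riskTier(handlesPhiPii, useCase) };
}

// CSV cell encoder. Quotes every field and prefixes a leading = + - @ tab or CR
// with an apostrophe so a free-text use case cannot become a formula when the
// export is opened in a spreadsheet or imported into a GRC tool (CSV injection).
function csvCell(value) {
  let s = String(value ?? "");
  if (/^[=+\-@\t\r]/.test(s)) s = "'" + s;
  return '"' + s.replace(/"/g, '""') + '"';
}

const COLUMNS = ["tool", "vendor", "owner", "useCase", "handlesPhiPii", "tier"];

function toCsv(rows) {
  const lines = [COLUMNS.map(csvCell).join(",")];
  for (const r of rows) lines.push(COLUMNS.map((c) => csvCell(r[c])).join(","));
  return lines.join("\r\n");
}

// Constructed sample rows mirroring the page's three worked examples.
const SAMPLE = [
  makeRow("ChatGPT Enterprise", "OpenAI", "Claims", "draft customer eligibility decisions", true),
  makeRow("Microsoft 365 Copilot", "Microsoft", "HR", "drafting internal HR documents", true),
  makeRow("Notion AI", "Notion", "IT", "internal wiki summarization", false),
];
```

Because the keyword match is a plain substring test, short keywords over-match; keep multi-word entries such as "performance review" rather than "performance" so unrelated tools do not land in Medium.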

Will my inventory persist between visits?

Yes, on the same browser and device. Clearing browser site data (which removes localStorage), private/incognito mode, or a different device will start fresh. For team-shared inventory and cross-device sync, you need a hosted GRC tool or the EFROS managed AI Governance program.

Can I import an existing inventory?

Not directly in this tool — manual entry only. If you have an existing CSV inventory (from Vanta, Drata, OneTrust, or an Excel sheet), keep it and use this tool as a sanity-check. The free PDF template includes the same column schema so any inventory you maintain elsewhere maps 1-to-1.

Does this replace a formal AI governance program?

No. This is the inventory layer — one of seven NIST AI RMF GOVERN function controls. A full AI governance program adds Acceptable Use Policy, vendor diligence with BAA verification, training-data lineage, model risk management, human oversight controls, logging/monitoring, and incident response. EFROS delivers the full operating program as a 10-day fixed-fee audit + ongoing managed service.

What does the framework mapping PDF include?

The PDF executive brief includes: the AI inventory schema with all eight column definitions; NIST AI RMF 1.0 GOVERN-1.4 + MAP-1 mapping; Colorado AI Act SB 24-205 high-risk deployer trigger checklist; HIPAA BAA matrix for top AI vendors; SR 11-7 model risk classification for AI-in-credit; CMMC 2.0 control coverage for AI tools processing CUI; and an audit-ready vendor diligence template.

Need this running for the whole org?

EFROS AI Governance: nightly auto-discovery of new AI tools across your M365 tenant, team-shared inventory with RBAC, vendor BAA verification, NIST AI RMF + Colorado AI Act + ISO/IEC 42001 mapping, quarterly board-ready compliance reports. $5k 10-day audit, then ongoing managed.