By Stefan Efros, CEO & Founder, EFROS

Tool · AI Inventory Mapper

A current inventory of every AI tool in your org.

NIST AI RMF GOVERN-1.4 names the AI inventory as the base control. Colorado's amended AI law (SB 26-189 — transparency/disclosure, 2027) and other state laws stack on top of it, as do the HIPAA BAA matrix, SR 11-7 model risk, and CMMC coverage overlays. Every framework starts with the same question: which AI systems do you actually have? This is the answer sheet. Browser-resident, CSV-exportable, auto-tier classified, no signup.

  • Free · saves locally · no signup
  • Auto-tier per NIST AI RMF + Colorado SB 26-189
  • CSV export · audit-ready


Add an AI tool

Risk tier auto-calculates from PHI/PII handling + use-case impact. High-impact use cases include: clinical decision, financial decision, hiring, lending, employee evaluation, customer eligibility.


Your inventory saves locally in your browser. For team-shared inventory, role-based access, nightly auto-discovery of new AI tools across your tenant, and per-tool BAA + framework mapping reports, talk to EFROS.

Get the AI Inventory template + framework mapping PDF.

The PDF includes a printable AI inventory schema, NIST AI RMF GOVERN-1.4 / MAP-1 mapping, Colorado SB 26-189 (amended AI law — transparency/disclosure, effective 2027) and other state AI laws, HIPAA / SR 11-7 / CMMC overlays, and an audit-ready vendor diligence checklist.


How the auto-tier works

Two inputs. Three risk tiers.

The tier matrix is deliberately simple. It mirrors how NIST AI RMF GOVERN-1.4 and state AI laws (incl. Colorado SB 26-189) stack. PHI/PII tells you the privacy overlay; use-case impact tells you the consequential-decision overlay. The intersection drives obligations.

High Risk

PHI/PII handled AND high-impact use case

Example: ChatGPT Enterprise used by claims adjusters to draft customer eligibility decisions (touches PHI + customer eligibility = high-impact)

Medium Risk

PHI/PII handled (low-impact use) OR high-impact use case (no PHI/PII)

Example: Microsoft 365 Copilot drafting internal HR documents (touches PII, low-impact use) OR ChatGPT for code review on non-CUI repos (no PII, but code-review is low-impact regardless)

Low Risk

No PHI/PII AND low-impact use

Example: Notion AI for internal wiki summarization on a public knowledge base, or GitHub Copilot autocomplete on open-source projects

High-impact use cases (auto-detected by keyword)

  • Clinical decision support
  • Financial decision (credit, fraud scoring)
  • Hiring (resume screening, candidate ranking)
  • Lending decisions
  • Employee evaluation / performance
  • Customer eligibility (insurance, benefits)

Use cases not matching these keywords default to low-impact. If your use case warrants high-impact classification but doesn't match a listed keyword, type a variant — substring match is case-insensitive (e.g. "clinical decision support", "automated hiring screen", "customer eligibility determination" all classify as high-impact).

Why inventory comes first

Every framework starts with the inventory.

NIST AI RMF GOVERN-1.4 + MAP-1

NIST AI Risk Management Framework 1.0 names a documented AI inventory as the starting GOVERN function. Without it, downstream controls (impact assessment, vendor diligence, human oversight) lack a defensible scope. Auditors start here.

State AI laws + consequential-decision scoping

Colorado's amended AI law (SB 26-189 — transparency/disclosure, effective 2027) and NYC LL144, CA AB 2013, IL HB 3773 each turn on which AI systems sit behind consequential decisions. You can't show which systems are in scope without an inventory tagging use case + impact — the same scoping NIST AI RMF expects.

HIPAA + SR 11-7 + CMMC overlays

For HIPAA-covered entities, every AI tool touching PHI needs a BAA; for SR 11-7 banks, every AI used in credit/lending/fraud is a 'model' under MRM; for CMMC, AI tools processing CUI need control coverage. The inventory is the master list that feeds every overlay.

Shadow AI surfacing

Most organizations underestimate their AI footprint by 3-5x. Embedded SaaS AI (Notion AI, Salesforce Einstein, Zoom AI Companion, GitHub Copilot, Microsoft 365 Copilot) often bypasses procurement. A current inventory is the only practical defense.

Who runs this

Roles that need a defensible AI inventory.

CISO / Compliance Officer

Show auditors a current AI inventory with risk-tier classification on day one. Re-export quarterly for board reporting. The CSV is import-ready for any GRC tool (Vanta, Drata, Hyperproof, OneTrust).

General Counsel

See which deployed AI systems sit behind consequential decisions, trigger NYC LL144 bias-audit obligations, Colorado SB 26-189 disclosure duties, or HIPAA BAA requirements. Use the inventory as the triage list before approving the next quarter's AI procurement.

Privacy Officer / DPO

Map every AI tool against PHI/PII exposure for HIPAA, CMIA, MHMDA, NY SHIELD, TX MRPA. The auto-tier helps identify the rows that need a privacy impact assessment versus baseline acceptable-use policy coverage.

CFO / CIO

AI procurement spend has historically run through IT and individual department budgets without consolidation. The inventory shows overlapping subscriptions, low-utilization tools, and vendor concentration risk for the next budget cycle.

FAQ

Questions about the inventory.

Does my data leave my browser?

No. The inventory is stored in your browser's localStorage. Nothing transmits to EFROS servers, third parties, or analytics. The CSV export is generated client-side. The only optional network call is the email gate at the bottom, which only fires if you submit the PDF template request.

How is risk tier calculated?

Two inputs: PHI/PII handled (Yes/No) and use-case impact (auto-detected from keywords like 'clinical decision,' 'hiring,' 'lending,' 'customer eligibility'). The matrix: PHI/PII + high-impact = High; PHI/PII + low-impact = Medium; no PHI/PII + high-impact = Medium; no PHI/PII + low-impact = Low. This mirrors how NIST AI RMF GOVERN-1.4 + state AI laws (incl. Colorado SB 26-189) stack.
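The matrix from "How the auto-tier works" and this FAQ answer, implemented as an added example (not the EFROS tool's own code): keyword matching, the two-input tier lookup, the dashboard counters, and a quoted CSV export. The exact keyword strings, the sample rows and the CSV column names are assumptions.

```javascript
// Added example, not the EFROS tool's own code: the two-input tier matrix
// and keyword matcher the page describes. The six categories are the
// page's; the exact keyword strings matched are an assumption.
const HIGH_IMPACT_KEYWORDS = ["clinical decision", "financial decision",
  "hiring", "lending", "employee evaluation", "customer eligibility"];

// Case-insensitive substring match, so "Automated Hiring Screen" counts.
function isHighImpact(useCase) {
  const text = String(useCase || "").toLowerCase();
  return HIGH_IMPACT_KEYWORDS.some((kw) => text.includes(kw));
}

// Matrix: PHI/PII AND high-impact = High; either alone = Medium; neither = Low.
function classifyTier(handlesPhiPii, useCase) {
  const highImpact = isHighImpact(useCase);
  if (handlesPhiPii && highImpact) return "High";
  if (handlesPhiPii || highImpact) return "Medium";
  return "Low";
}

// Constructed sample rows mirroring the page's worked examples.
const SAMPLE_ROWS = [
  { tool: "ChatGPT Enterprise", owner: "Claims", phiPii: true,
    useCase: "Draft customer eligibility decisions" },
  { tool: "Microsoft 365 Copilot", owner: "HR", phiPii: true,
    useCase: "Drafting internal HR documents" },
  { tool: "GitHub Copilot", owner: "Eng", phiPii: false,
    useCase: "Autocomplete on open-source projects" },
];

// The page's dashboard counters: tools tracked, high-risk rows, % with PHI/PII.
function summarize(rows) {
  const highRisk = rows.filter((r) => classifyTier(r.phiPii, r.useCase) === "High").length;
  const phiPii = rows.filter((r) => r.phiPii).length;
  const pct = rows.length ? Math.round((100 * phiPii) / rows.length) : 0;
  return { tracked: rows.length, highRisk, phiPiiPct: pct };
}

// CSV export with every field quoted (and embedded quotes doubled) so a
// use-case description containing a comma survives import into a GRC tool.
// Column names are an assumption, not the tool's schema.
function toCsv(rows) {
  const header = ["tool", "owner", "phi_pii", "use_case", "risk_tier"];
  const quote = (v) => `"${String(v).replace(/"/g, '""')}"`;
  const body = rows.map((r) => [r.tool, r.owner, r.phiPii ? "Yes" : "No",
    r.useCase, classifyTier(r.phiPii, r.useCase)].map(quote).join(","));
  return [header.map(quote).join(","), ...body].join("\n");
}
```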

Will my inventory persist between visits?

Yes, on the same browser and device. Clearing the browser's site data (which removes localStorage), private/incognito mode, or a different device will start fresh. For team-shared inventory and cross-device sync, you need a hosted GRC tool or the EFROS managed AI Governance program.

Can I import an existing inventory?

Not directly in this tool — manual entry only. If you have an existing CSV inventory (from Vanta, Drata, OneTrust, or an Excel sheet), keep it and use this tool as a sanity-check. The free PDF template includes the same column schema so any inventory you maintain elsewhere maps 1-to-1.

Does this replace a formal AI governance program?

No. This is the inventory layer — one of seven NIST AI RMF GOVERN function controls. A full AI governance program adds Acceptable Use Policy, vendor diligence with BAA verification, training-data lineage, model risk management, human oversight controls, logging/monitoring, and incident response. EFROS delivers the full operating program as a 10-day fixed-fee audit + ongoing managed service.

What does the framework mapping PDF include?

The PDF executive brief includes: the AI inventory schema with all eight column definitions; NIST AI RMF 1.0 GOVERN-1.4 + MAP-1 mapping; Colorado SB 26-189 (amended AI law) transparency/disclosure checklist; HIPAA BAA matrix for top AI vendors; SR 11-7 model risk classification for AI-in-credit; CMMC 2.0 control coverage for AI tools processing CUI; and an audit-ready vendor diligence template.

Need this running for the whole org?

EFROS AI Governance: nightly auto-discovery of new AI tools across your M365 tenant, team-shared inventory with RBAC, vendor BAA verification, NIST AI RMF + ISO/IEC 42001 + Colorado SB 26-189 mapping, quarterly board-ready compliance reports. $5k 10-day audit, then ongoing managed service.