Manual AI governance doesn't scale. When your company uses 10 AI tools across 5 teams, tracking compliance in spreadsheets breaks down. Here's how to automate the boring parts.
What to automate
1. AI model inventory
Every AI model your company uses should be tracked. Automate discovery:
```python
# Scan codebase for AI API usage
import glob
import re

AI_PROVIDERS = {
    "anthropic": "Claude",
    "openai": "OpenAI/GPT",
    "together": "Together AI",
    "deepseek": "DeepSeek",
    "openrouter": "OpenRouter",
    "ollama": "Ollama (local)",
}

def scan_for_ai_usage(directory):
    inventory = []
    for f in glob.glob(f"{directory}/**/*.py", recursive=True):
        # Tolerate odd encodings so one bad file does not abort the scan
        with open(f, encoding="utf-8", errors="replace") as fh:
            content = fh.read()
        for package, provider in AI_PROVIDERS.items():
            # Substring match: broad on purpose, so expect some false positives
            if package in content:
                # Extract model names
                models = re.findall(r'model["\s]*[:=]\s*["\']([^"\']+)', content)
                inventory.append({
                    "file": f,
                    "provider": provider,
                    "models": models,
                })
    return inventory

# Run weekly via CI/CD
inventory = scan_for_ai_usage("./src")
```
This catches shadow AI usage: teams using models that aren't in your approved tools list.
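The scanner above matches provider names as plain substrings, so a comment or string that mentions "together" is reported as usage. As an added example (not part of the original article), this variant parses each file with `ast` and only counts real imports and string-literal `model=` keyword arguments; `find_ai_usage`, `SAMPLE` and the model name `example-model-a` are names made up for the illustration.

```python
import ast

# Top-level package name -> provider label (subset of the mapping used above)
AI_PROVIDERS = {
    "anthropic": "Claude",
    "openai": "OpenAI/GPT",
    "together": "Together AI",
    "ollama": "Ollama (local)",
}

def find_ai_usage(source, filename="<memory>"):
    """Report providers that are actually imported and model names passed as model="..."."""
    try:
        tree = ast.parse(source, filename=filename)
    except SyntaxError:
        # Unparseable file: flag it for manual review instead of silently skipping it
        return {"file": filename, "providers": [], "models": [], "error": "syntax"}

    providers, models = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            roots = [alias.name.split(".")[0] for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            roots = [node.module.split(".")[0]]
        else:
            roots = []
        providers.update(AI_PROVIDERS[r] for r in roots if r in AI_PROVIDERS)

        # Keyword argument model="<string literal>" on any call
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                value = kw.value
                if kw.arg == "model" and isinstance(value, ast.Constant) \
                        and isinstance(value.value, str):
                    models.add(value.value)

    return {"file": filename, "providers": sorted(providers),
            "models": sorted(models), "error": None}

# Constructed sample input: the string on the NOTE line must not count as usage
SAMPLE = '''
import openai
from anthropic import Anthropic
NOTE = "we do not use together or ollama here"
client = Anthropic()
client.messages.create(model="example-model-a", messages=[])
'''
```

Model names built at runtime or read from configuration are invisible to this pass, so keep the broader substring scan as a second signal rather than replacing it.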
2. Data flow auditing
Track what data goes to which AI provider:
```python
# Middleware that logs data classification per request
import logging

logger = logging.getLogger("ai_audit")

class PolicyViolation(Exception):
    """Raised when a request would break the data classification policy."""

# detect_pii() and detect_code() are detectors you supply for your own data types
def ai_audit_middleware(request, provider, model):
    # Classify data sensitivity
    has_pii = detect_pii(request.prompt)
    has_code = detect_code(request.prompt)
    data_class = "restricted" if has_pii else "internal" if has_code else "public"

    # Check against policy
    if data_class == "restricted" and provider != "ollama":
        logger.warning({
            "event": "policy_violation",
            "type": "restricted_data_to_external_api",
            "provider": provider,
            "data_class": data_class,
        })
        # Optionally block the request
        raise PolicyViolation("Restricted data cannot be sent to external AI providers")

    # Log the classification only, never the prompt itself
    logger.info({
        "event": "ai_data_flow",
        "provider": provider,
        "model": model,
        "data_class": data_class,
        "has_pii": has_pii,
    })
```
This enforces your data classification policy automatically.
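The middleware depends on `detect_pii` and `detect_code`, which the article leaves undefined. One way to fill them in, as an added example that is not the article's own code: the regexes, the Luhn filter for card numbers, `classify`, `check_flow` and `LOCAL_PROVIDERS` are assumptions for the illustration, and real deployments need detectors tuned to their own data.

```python
import re

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD = re.compile(r"\b(?:\d[ -]?){13,19}\b")
CODE_HINTS = re.compile(r"^\s*(def |class |import |from \w+ import |#include|function )", re.M)
LOCAL_PROVIDERS = {"ollama"}  # assumption: only local inference may see restricted data

class PolicyViolation(Exception):
    """Restricted data was about to leave for an external provider."""

def luhn_ok(digits):
    """Luhn checksum: filters out order numbers and IDs that only look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def detect_pii(text):
    if EMAIL.search(text):
        return True
    for m in CARD.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False

def detect_code(text):
    return bool(CODE_HINTS.search(text))

def classify(text):
    """Same precedence as the middleware: PII wins over code, code over public."""
    if detect_pii(text):
        return "restricted"
    return "internal" if detect_code(text) else "public"

def check_flow(prompt, provider):
    """Return the data class, or raise before the prompt leaves the process."""
    data_class = classify(prompt)
    if data_class == "restricted" and provider not in LOCAL_PROVIDERS:
        raise PolicyViolation(f"{data_class} data to external provider {provider}")
    return data_class
```

Regex detectors miss names, addresses and free-text identifiers, so treat a "public" result as "nothing obvious found", not as proof the prompt is clean.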
3. Cost tracking and alerts
Automated cost governance:
```python
# Daily cost report via Slack
# get_costs_by_team(), get_team_budget() and send_slack() are helpers you supply
def daily_cost_report():
    costs = get_costs_by_team(today=True)
    report = "📊 Daily AI Cost Report\n"
    for team, cost in costs.items():
        budget = get_team_budget(team)
        pct = (cost / budget) * 100
        emoji = "🟢" if pct < 75 else "🟡" if pct < 90 else "🔴"
        report += f"{emoji} {team}: ${cost:.2f} ({pct:.0f}% of budget)\n"
    send_slack(report)
```
See our FinOps guide for the full cost governance framework.
4. Policy enforcement in CI/CD
Block deployments that violate AI policy:
```yaml
# GitHub Actions - AI policy check
- name: AI Policy Check
  run: |
    python scripts/check_ai_policy.py
    # Checks:
    # - No API keys in code
    # - Only approved models used
    # - Data classification annotations present
    # - Eval tests pass for prompt changes
```
```python
# check_ai_policy.py
# grep_for_api_keys(), scan_for_models(), load_approved_models(),
# prompt_files_changed() and eval_results_present() are helpers you supply
import sys

violations = []

# Check for hardcoded API keys
if grep_for_api_keys("src/"):
    violations.append("Hardcoded API keys found")

# Check for unapproved models
models = scan_for_models("src/")
approved = load_approved_models()
for m in models:
    if m not in approved:
        violations.append(f"Unapproved model: {m}")

# Check for prompt changes without eval
if prompt_files_changed() and not eval_results_present():
    violations.append("Prompt changed without eval results")

if violations:
    print("❌ AI Policy Violations:")
    for v in violations:
        print(f"  - {v}")
    sys.exit(1)
else:
    print("✅ AI policy check passed")
```
For a deeper guide on preventing API key leaks and managing rotation, see how to secure your AI API keys.
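The policy script calls `grep_for_api_keys` and `scan_for_models` without showing them. As an added example (not the article's code), here is one way to implement both checks over in-memory file contents so the result can be tested; the key patterns are illustrative assumptions rather than a vendor-confirmed list, and `find_violations`, `SAMPLE_FILES` and the model names are made up for the illustration.

```python
import re

# Illustrative patterns (assumption): adapt to the key formats your providers issue
KEY_PATTERNS = [
    re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),
    re.compile(r"(?i)\b(?:api[_-]?key|secret|token)\s*[:=]\s*[\"'][A-Za-z0-9_\-]{24,}[\"']"),
]
# Same model-name regex as the inventory scanner earlier in the article
MODEL_RE = re.compile(r'model["\s]*[:=]\s*["\']([^"\']+)')

def find_violations(files, approved_models):
    """files maps path -> source text. Findings carry path and line only,
    so the CI log never echoes the credential it found."""
    violations = set()
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if any(p.search(line) for p in KEY_PATTERNS):
                violations.add(f"{path}:{lineno}: hardcoded credential")
            for model in MODEL_RE.findall(line):
                if model not in approved_models:
                    violations.add(f"{path}:{lineno}: unapproved model {model}")
    return sorted(violations)

def exit_code(files, approved_models):
    """Non-zero fails the CI job, matching sys.exit(1) in the script above."""
    return 1 if find_violations(files, approved_models) else 0

# Constructed sample input: one clean file, one with a fake key and an unapproved model
SAMPLE_FILES = {
    "src/chat.py": (
        'import os\n'
        'API_KEY = os.environ["LLM_API_KEY"]\n'
        'resp = call(model="example-model-a")\n'
    ),
    "src/legacy.py": (
        'api_key = "' + "A1b2C3d4" * 4 + '"\n'
        'resp = call(model="example-model-x")\n'
    ),
}
APPROVED = {"example-model-a"}
```

Reading the key from the environment, as `src/chat.py` does, passes the check; a literal assigned to a key-like name, as in `src/legacy.py`, fails it along with the unapproved model.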
5. EU AI Act reporting
If you're subject to the EU AI Act, automate the documentation:
```python
# Generate compliance report
from datetime import date

# load_ai_inventory() and assess_risk() are helpers you supply
def generate_ai_act_report():
    systems = load_ai_inventory()
    report = {
        "date": date.today().isoformat(),
        "systems": [],
    }
    for system in systems:
        risk = assess_risk(system)  # From your risk assessment template
        report["systems"].append({
            "name": system["name"],
            "risk_level": risk["level"],
            "provider": system["provider"],
            "data_processed": system["data_types"],
            "human_oversight": system["oversight_mechanism"],
            "last_audit": system["last_audit_date"],
            "controls": risk["controls_in_place"],
        })
    return report
```
See our risk assessment template for the scoring methodology.
Tools for AI compliance automation
| Need | Tool |
|---|---|
| Model inventory | Custom scanner (above) or Fiddler AI |
| Data flow audit | Custom middleware or Securiti.ai |
| Cost tracking | Helicone or custom |
| Policy enforcement | CI/CD checks (above) |
| Compliance reporting | Custom scripts or OneTrust |
For most startups, the custom scripts above (200 lines of Python total) cover 80% of compliance needs. Enterprise tools are worth it when you have 50+ AI systems to track.
Implementation timeline
| Week | Action | Effort |
|---|---|---|
| 1 | AI model inventory scanner | 4 hours |
| 2 | Data flow audit middleware | 4 hours |
| 3 | Cost tracking + Slack reports | 2 hours |
| 4 | CI/CD policy checks | 4 hours |
| Ongoing | Monthly compliance report | 1 hour/month |
Total: 2 days of engineering work for automated AI governance. Compare that to the manual alternative: hours of spreadsheet updates every month.
Related: AI Governance for Startups · AI Policy Template · EU AI Act for Developers · AI Risk Assessment Template · FinOps for AI · AI Security Checklist