
AI Tool Approval Request Form

A structured form for employees to request new AI tools. Covers business justification, data classification, security assessment, and multi-level approval workflow.

Updated March 2026 · 5 sections · 4-level approval workflow · GDPR, ISO 27001 aligned

5 sections: complete request coverage
4 levels: risk-tiered approval workflow
10 days: target approval SLA
Free to use and customise

Why a Formal AI Tool Approval Process Is Essential

Shadow AI is the fastest-growing source of enterprise data risk. Employees are adopting AI tools without IT review, entering confidential and personal data into unapproved services, and creating invisible regulatory exposure. A structured approval process is the first control in a serious AI governance programme.

65%: AI tools in enterprise are unapproved
The majority of AI tool adoption is happening outside IT visibility, exposing organisations to data loss, IP theft, and regulatory liability.

GDPR: Requires a DPA before processing personal data
Employees sending customer or employee data to AI tools without a GDPR Article 28 DPA create a regulatory violation, regardless of whether a breach occurs.

ISO 27001: A.5.8 requires supplier risk management
AI tools are software suppliers. ISO 27001 Annex A.5.8 requires organisations to manage information security risk in supplier relationships.

→ Model: Trained on your proprietary data
Without a no-training clause in the vendor contract, AI models may be trained on your confidential data, making it effectively irretrievable.

The Request Form

Customise the thresholds and approval levels for your organisation.

Requestor Details

Full Name
________________________________
Job Title
________________________________
Department / Team
________________________________
Email Address
________________________________
Direct Manager
________________________________
Date of Request
________________________________

Tool Information

Tool / Product Name
________________________________
Vendor / Provider
________________________________
Tool Website / URL
________________________________
Pricing Model & Estimated Annual Cost
________________________________
Requested Deployment Type
Cloud SaaS / On-premises / API / Browser extension
Number of Users Requesting Access
________________________________

Business Justification

Describe the specific business use case for this AI tool
What task or workflow will this tool be used for? What problem does it solve?
What measurable business benefit do you expect?
Time saved, cost reduction, quality improvement, risk reduction — provide estimates where possible.
Is there an approved alternative already in the organisation's AI tool register?
If yes, explain why the existing approved tool does not meet your needs.

How the AI Tool Approval Process Works

Follow these five steps to process AI tool approval requests consistently and maintain an auditable record of every approval decision.

1. Employee completes and submits the request form
The requestor fills in all four substantive sections: business justification, data classification, security questions, and integration requirements. Incomplete forms are returned. IT Security sets a target 10-business-day SLA from receipt of a complete submission.

2. Line manager reviews and approves the business case
The manager confirms the tool is needed for a legitimate business purpose, that no approved alternative exists, and that the employee's data classification answers appear accurate. Manager approval gates entry into the IT Security queue.

3. IT Security assesses data risk and vendor security
IT Security verifies the data classification, checks the vendor's security certifications, reviews audit logging capabilities, and determines whether the tool requires a DPA. For new vendors, they may send the vendor a supplementary security questionnaire.

4. CISO and/or DPO review for high-risk requests
Requests involving personal data, restricted information, or customer-facing AI deployments are escalated to the CISO and DPO. The DPO determines whether a DPIA is required. The CISO may impose conditions (e.g. mandatory DPA, RBAC configuration) before approving.

5. Provision access and update the approved tools register
Once all required approvals are obtained, IT provisions access according to the approved user list, configures SSO and audit logging, adds the tool to the AI tool register, and notifies the requestor. The approval record is retained for audit purposes.


Streamline AI Tool Governance with Aona

Aona replaces paper-based AI tool approval forms with automated workflows. Track every request, enforce approval routing, detect shadow AI in real time, and maintain a complete audit trail of every tool approved or rejected — all in one platform.
