An AI audit checklist should check four things: your workflows, your tools, your data, and your team’s skills. If it only covers compliance and risk frameworks, it’s built for a legal team, not for you.

That matters, because 95% of companies investing in AI see zero measurable ROI. The problem usually isn’t the technology. It’s that nobody stopped to check whether the team is actually using the tools, using them well, and feeding them good data.

This is the audit checklist I run with founders and marketing teams. It’s not a compliance exercise. It’s a “where is the money going and what are we getting back” exercise.

SKILLS DATA TOOLS WORKFLOWS
Four domains. Most audits check one. Yours should check all four.

What an AI audit actually checks

A real AI audit reviews how your team uses AI across four domains, not just whether you’re following the rules.

Most AI audits focus on compliance: EU AI Act readiness, ISO 42001 certification, NIST AI Risk Management Framework alignment. Those matter if you’re deploying high-risk AI systems in a regulated industry. But if you’re a founder or a marketing lead at a 20-person company trying to figure out why your AI tools aren’t paying off, that’s not the audit you need.

The audit that moves the needle checks four domains:

  1. Workflows: is AI in the right places?
  2. Tools: are you using what you pay for?
  3. Data: is what you’re feeding AI actually good?
  4. Skills: can your team use the tools properly?

These four things determine whether AI produces real return or just sits there as a line item. The Deloitte State of AI 2026 report backs this up: companies that pair tool spending with real capability building (skills + workflows) are nearly 2x more likely to see strong returns. Everybody else is buying the gym membership and not going.

The HubSpot State of Marketing 2026 report puts it another way: 86.4% of marketing teams now use AI. The gap isn’t adoption anymore. It’s how well. Most teams have cleared the barriers to AI adoption, but they haven’t cleared the “actually getting value from it” part.

If you want to assess your AI readiness with a quick diagnostic score before running the full audit, start there. This post is the full procedure.

The checklist: workflows

Map every core workflow. For each one, ask: does AI touch this? Should it? And what’s it actually saving?

Start with a list of every core workflow in your marketing or growth function. Content creation. Research. Reporting. Email sequences. Campaign setup. Competitor analysis. Write them all down.

For each workflow, answer three questions:

  • Does AI touch this right now?
  • Should it?
  • If it does, how much time does it save compared to doing it manually?

You’re looking for what I call the “80% workflows.” Tasks where AI handles the repetitive part and a human handles the judgment. Using generative AI for content creation is the classic example: AI does the research and rough draft, you do the thinking and the voice. That’s the 80/20 split that actually works.

Common wins: content drafting, data analysis, reporting, research, email sequences. If you’re building an AI content strategy, the workflow audit tells you exactly where AI fits and where it doesn’t. And if you’re considering adding AI to your website, run the workflow audit first so you know which feature actually solves a real friction. These tasks are boring, repetitive, and AI handles them fast.

Common misses: brand strategy, customer conversations, anything that needs empathy or real taste. If you’ve tried letting AI run these, you already know it doesn’t feel right.

Score each workflow from 1 (no AI use) to 5 (AI handles the grunt work, human handles the judgment, and you can measure the time saved). Most teams I work with sit around a 2.

They’re using AI in a couple of places, but it’s patchy. Nobody mapped it. So nobody knows what to fix.

My take: The workflow audit is where most of the value hides. You don’t need more tools. You need the ones you have wired into the right places. An AI assistant set up for your business can cover half these workflows once it has your context.

The checklist: tools

Inventory every AI tool your team uses (or pays for). You’ll probably find overlap, underuse, and at least one tool nobody remembers buying.

This one is uncomfortable. Make a spreadsheet. List every AI tool your team uses, who uses it, how often, what for, and what it costs per month.

The numbers are wild. Torii’s 2026 SaaS Benchmark Report found that the average enterprise runs 14 AI tools, and IT only knows about 4 or 5 of them. The rest are “shadow AI,” tools people signed up for on their own. That’s not enterprise paranoia. A 15-person marketing team can easily have 6 AI subscriptions where 3 do the same thing.

Look for two things:

Overlap. Three teams paying for three different writing tools. Two people on separate image generators. A company-wide ChatGPT license and individual Claude subscriptions. Pick one, cancel the rest.

Underuse. An enterprise ChatGPT Team license where people only use it to reword emails. That’s paying for a sports car and only driving it to the grocery store. The tool isn’t the problem. The training is.

Which brings up a stat that surprised me. Gartner found that AI training budgets were cut 18% in the second half of 2025 while tool spending rose 23%. Companies are buying more tools and spending less on teaching people how to use them. That’s backwards, and it’s the single most common pattern I see in audits.

Score: 1 (tool chaos, unknown subscriptions, heavy overlap) to 5 (right tool per job, team trained on each, costs tracked). If you want a reference for which AI tools for marketing are worth keeping, that post breaks it down by job. For outreach-specific tools, here’s how to evaluate AI outreach tools by deliverability and personalization depth.

The checklist: data

AI is only as good as what you feed it. Most small teams have a data problem, not an AI problem.

What data feeds your AI tools? Customer data from your CRM. Analytics from GA4. Product data. Support tickets. Content performance. Make a list.

Then run three checks:

Quality check. Is the data clean, current, and structured? Or is your CRM full of contacts from 2022 who’ve since changed jobs twice? When was the last time someone cleaned the data? If the answer is “never” or “I don’t know,” you found the problem.

Integration check. Can your AI tools actually access the data they need? Or are you copy-pasting from one tab to another? If your AI SEO tools can’t see your analytics data, they’re guessing. A connected tool beats a smarter tool every time.

Privacy check. Are you feeding customer data into tools that train on their inputs? This isn’t a full compliance audit (that’s a different thing), but you should know which tools learn from your data and which don’t. Most enterprise-tier AI tools let you opt out of training. The free tiers usually don’t. Flag it and move on.

Score: 1 (data is siloed, messy, or nobody knows where it lives) to 5 (clean, integrated, and your AI tools can actually use it). Most teams land around a 2 here too. The fix is usually boring: clean the CRM, connect the integrations, set a monthly cleanup reminder. Not glamorous. Very effective.

My take: “Garbage in, garbage out” has been true since before AI existed. But AI makes it louder. A bad prompt with clean data still works. A great prompt with messy data gives you confident nonsense.

The checklist: skills

66.5% of marketing teams report an AI skills gap. Most teams cluster at “basic prompting” when the real leverage is one level up.

This is the domain most AI audits skip entirely, and it’s usually the biggest problem.

Marketing Week’s 2026 Career & Salary Survey (2,350 respondents) found that 66.5% of marketing teams report an AI skills gap. Not “we’d like to learn more.” An actual gap between what their team can do and what they need them to do.

For each team member, map where they sit on the skill spectrum:

  • Level 1: Prompt basics. They can chat with ChatGPT and get a decent answer. Most teams cluster here.
  • Level 2: Workflow automation. They can set up AI in a repeatable workflow: content pipeline, reporting, research. This is where the real leverage lives.
  • Level 3: Custom tool building. They can build internal tools, connect APIs, create systems. Rare, and not needed for most teams.

The gap is almost always between Level 1 and Level 2. People know how to use AI, sort of. They don’t know how to implement AI in their actual work in a way that saves real time every week.

And the training situation is getting worse, not better. Gartner reports that only 26% of organizations offer formal AI upskilling programs, down from 35% in 2025. IDC puts a number on it: $5.5 trillion at risk globally from AI skills gaps that nobody closes. Big number, but the direction is real. The problem is growing and most companies are spending less to fix it.

Score: 1 (no formal AI skills development) to 5 (team trained, workflows automated, someone can build custom tools when needed). This is the kind of skills audit I build into every engagement, because the tools are useless if nobody can use them properly.

How to run the audit: step by step

Five steps: scope it, inventory it, score it, find the gap, and build a 90-day fix plan.

You’ve got the four-domain checklist. Now here’s how to actually run it.

Step 1: Set the scope. Pick one team or one function. Not “the whole company.” If you’re a marketing lead, audit marketing. If you’re a founder with a small team, audit the growth function. Trying to audit everything at once means you audit nothing well.

Step 2: Inventory. List every tool and every workflow in that function. Use the four-domain framework above. Be honest. Include the tools you forgot you were paying for and the workflows where AI is “sort of” involved but not really.

Step 3: Score. Rate each domain 1 to 5 using the scoring criteria above. Don’t be generous with yourself. A 2 is a 2. Most teams are a 2 in most domains, and that’s fine. That’s why you’re doing this.

Step 4: Find the gap. Where are you losing hours or money? Where is AI underperforming? The scores point you there. A 2 in skills and a 4 in tools means you have the tools but nobody can use them. A 4 in workflows and a 1 in data means AI is in the right places but getting fed garbage. The pattern I see most often: high tool scores, low skill scores. Teams buy the tools. Nobody teaches the team how to use them past the basics.

Step 5: Build a 90-day fix plan. Prioritize: quick wins first (cancel redundant tools, train the team on what you already have), then deeper changes (workflow redesign, data cleanup, new integrations). If you need an AI adoption framework to structure the rollout, that’s the next read. If the audit points to marketing as the priority, you can build an AI marketing strategy directly from your audit findings. If the audit reveals your SEO is the bottleneck, here’s what a real AI SEO engagement looks like.

This is the exact process I run with teams in a two-week sprint. The audit itself takes about a week. The second week is building the 90-day plan. If you’re considering bringing in an AI consultant for your small business, the audit is usually the first step. The Deloitte report backs this up: companies where leadership actually runs audits and acts on them get more from their AI investment. Not a little more. A lot more.

What AI audit software can (and can’t) do

Enterprise audit software exists. For most teams under 50 people, a spreadsheet and an honest conversation gets you 90% of the way.

There are real software platforms built to audit AI at scale: IBM OpenPages, OneTrust, VerifyWise. They’re built for regulated industries running 50+ AI models in production, where you need an audit trail for compliance and a dashboard tracking how those models perform over time: accuracy, bias, whether they’ve drifted from their baseline.

If that’s you, those tools earn their price. They handle the things a spreadsheet can’t: continuous monitoring, automated risk scoring, and compliance documentation that holds up in a regulatory review.

If that’s not you, and for most small business marketing teams it isn’t, here’s what actually works: a spreadsheet with four tabs (one per domain), an honest 1-5 score for each item, and a conversation with your team about what’s working and what’s not.

The real audit tool is the framework, not the software. A good framework applied manually beats a bad audit automated.

When AI audit software makes sense:

  • You’re in a regulated industry (finance, healthcare, insurance)
  • You have many AI models in production
  • You need a formal audit trail for compliance
  • Your organization has 100+ employees

When it doesn’t:

  • You’re a marketing team trying to figure out if your AI tools are working
  • You have fewer than 10 AI tools
  • Your main question is “are we getting ROI?” not “are we compliant?”

The frameworks worth knowing

Three frameworks matter. For most SMBs, you don’t need the certification. You need the thinking they encode.

If you want to go deeper, or if your company is growing into regulated territory, these are the frameworks worth understanding:

ISO 42001 is the first international standard for AI management systems. It’s voluntary, but it’s becoming the benchmark. Think of it as a management checklist for how your organization governs AI: who’s responsible, how you assess risks, how you monitor performance. It doesn’t tell you which tools to use. It tells you how to think about managing them.

NIST AI Risk Management Framework is the US-focused framework. It’s practical and not legally required. It breaks AI risk into four functions: govern, map, measure, manage. The GenAI-specific profile (AI 600-1, published July 2024) added 12 risk categories specific to large language models. Useful for understanding what can go wrong, even if you never fill out the paperwork.

EU AI Act is the big one if you operate in Europe. It’s mandatory, and the major compliance deadline for high-risk AI systems is August 2, 2026. High-risk systems (things like AI used in hiring, credit scoring, or critical infrastructure) need risk management plans, data governance documentation, human oversight, and conformity assessments. If your AI use is limited to marketing and content, you’re almost certainly not in the high-risk category, but it’s worth knowing where the line is.

For most teams under 100 people: you don’t need formal certification. You need the thinking these frameworks encode, applied practically. That means asking the right questions (what are we using AI for, who’s responsible, what could go wrong, how do we check it’s working) without drowning in paperwork. If you’re curious about what an AI consultant does in practice, a lot of it is translating these frameworks into something a real team can act on.

How I can help

I run this audit with founders and marketing teams. Two weeks, four domains, a scored assessment, and a 90-day plan you’ll actually use.

You just read the full framework. If you want to run it yourself, you have everything you need. The spreadsheet, the scoring, the four domains. Go.

But if you want someone who’s done this before to run it with you, here’s what that looks like. A two-week audit sprint where I sit with your team and run the four-domain checklist together. We score every workflow, inventory every tool, check the data, and assess the skills gap. You walk away with a scored assessment and a 90-day fix plan that starts with the things that’ll save you the most time and money.

The point isn’t to sell you a bigger engagement. The point is to find the gaps so you can fix them, whether that’s with me or on your own. Start with a free 15-minute call where we figure out if this is the right next step. No pitch. Just a conversation about where your team stands.

FAQ

What is an AI audit?

A systematic review of how your team uses AI. It looks at four things: the workflows where AI is (or should be) involved, the tools you’re paying for, the data feeding those tools, and whether your team has the skills to use them well. The goal is to find what’s working, what’s wasted, and what to fix first.

How do you audit AI systems?

Start by setting a scope (one team or function, not the whole company). Then inventory every tool and workflow, score each of the four domains from 1 to 5, identify the biggest gaps, and build a 90-day plan that starts with quick wins. For small business teams using AI for marketing, this can be done in a week with a spreadsheet. Larger organizations may need dedicated AI audit software.

What should an AI audit checklist include?

Four domains. Workflows: is AI in the right places, and is it saving real time? Tools: are you using what you pay for, or do you have overlap and unused subscriptions? Data: is it clean, integrated, and accessible to your AI tools? Skills: can your team actually use the tools at a level that produces results? Most checklists skip the skills domain entirely.

Is AI auditing required by law?

For most small and mid-sized businesses, no. The EU AI Act (August 2, 2026 deadline) applies to high-risk AI systems, things like AI in hiring, credit scoring, and critical infrastructure. If you’re using AI for marketing and operations, you’re unlikely to fall under mandatory auditing requirements. A business-operations audit is about ROI, not compliance.

What are AI audit frameworks?

The three main ones are ISO 42001 (the first international AI management standard, voluntary), NIST AI Risk Management Framework (US-focused, practical), and the EU AI Act (mandatory for high-risk systems in Europe). Most SMBs don’t need formal certification under these frameworks. They need the practical thinking: who’s responsible for AI decisions, how do you check it’s working, what could go wrong.

How often should you run an AI audit?

A quarterly light check: review tool usage numbers, make sure new hires are trained, and flag anything that’s changed. A full audit annually, or after a major change like a new tool rollout, a team restructure, or a shift in AI strategy. The LSE Business Review recommends moving from “point-in-time” audits to continuous, living assessments. For most teams, that means a regular cadence rather than a one-time exercise.