We have no inventory of which AI tools already have access to our data.
Provena Scan
Find your AI access exposure
in 10 working days.
Map every AI tool, supplier, API, and agent in scope — identify evidence gaps, sensitive data exposure, and first access decisions in 10 working days.
AI Access Map — output
Atlas Tutor AI
Procurement Scout Agent
HR Copilot
CodeAssist Enterprise
Unknown RAG tool
You cannot govern what you cannot see.
Most organisations have no reliable inventory of which AI tools, vendors, or agents already access sensitive data. The Provena Scan closes that gap in two weeks — before your DPO, CISO, or board asks about it.
What triggers a Provena Scan
Most scans begin with one of these triggers.
Board or investor asked about AI risk
You need a defensible answer, not a vague reply.
DPO asked which AI systems process personal data
No clear inventory exists to answer them.
CISO concerned about model API egress paths
Unclear which tools create new data boundaries.
Procurement reviewing AI vendor list
Unknown which tools have evidence, which do not.
Shadow AI concern
Teams using AI tools without central visibility.
Regulatory inquiry approaching
Evidence must exist before the inquiry, not after.
The shift
AI estate visibility — before and after Provena Scan.
Before Provena Scan
- Unknown number of AI tools in use
- No mapping of which data each AI system processes
- No clarity on which tools have evidence
- No risk tier per system
- No review owners assigned
- No inventory of which AI systems process personal data
After Provena Scan
- Complete AI tool and supplier inventory
- Data sensitivity mapping per system
- Evidence gap report — what is missing per tool
- Risk-tiered AI Access Map
- Review owners assigned — DPO, CISO, Procurement
- First access decisions documented and defensible
Sprint structure
Two weeks. Clear output.
Week 1
Discovery
- Kickoff: define scope, stakeholders, data types
- AI tool and supplier enumeration
- Integration mapping (API calls, data feeds, embeddings)
- Initial data category classification
Week 2
Analysis & reporting
- Risk tier assignment per system
- Evidence gap analysis per tool
- First access decisions (approve / restrict / block)
- Delivery: AI Access Map + executive report
Deliverables
What you receive at end of week two.
After the scan
The scan becomes the foundation for Passports.
Evidence Passports
Every supplier discovered in the scan becomes the starting point for an Evidence Passport. You do not start from zero — you start from evidence.
Agent Passports
Every agent identified in the scan gets an Agent Passport with owner, tool boundary, and expiry. No agents continue without governance.
First access decisions
The scan delivers first access decisions — cleared, limited, or blocked — so your DPO and CISO have a starting point, not a blank slate.
Common questions
Provena Scan — addressed.
“We can do this ourselves with a spreadsheet.”
A spreadsheet captures names. A Provena Scan captures data sensitivity, evidence gaps, risk tier, review owners, and first access decisions — in a structured, exportable format your DPO and CISO can act on.
“We already have a software asset inventory.”
Software inventories track licenses. AI access inventories track data categories, model APIs, agent boundaries, and evidence gaps. These are different questions.
“We are not ready for a full governance programme.”
The Provena Scan is the starting point, not the programme. It tells you what you have, what is missing, and what to govern first — before committing to annual tooling.
Get started
Find your AI exposure
in 10 working days.
Fixed scope. Fixed price. Structured output. Know which AI tools access your data — and which evidence is missing — before the next audit.
AffectLog provides technical and operational evidence to support AI access decisions. Not legal advice, certification, or regulatory approval.