Know Your AI (KYA) process

The Know Your AI (KYA) process is a structured method organizations use to identify, assess, and document the artificial intelligence systems operating across their departments. It creates visibility into how AI is used, what data it touches, what risks it poses, and whether it complies with internal and external regulations.

KYA matters because most organizations do not have full oversight over their AI systems. Shadow AI, undocumented models, and unclear ownership introduce legal, ethical, and operational risks. Governance teams need KYA to build accountability and reduce surprises during audits or incidents.

“42% of organizations using AI reported having no central inventory of their AI models.”(Source: Deloitte State of AI in the Enterprise, 2023)

What Know Your AI aims to solve

Many teams deploy AI tools without documenting them. This creates invisible systems that may affect customers, decisions, and compliance risk without anyone knowing how they work or where they are. KYA solves this by requiring structured registration and analysis.

The process also connects AI systems to their data sources, owners, and purposes. It helps organizations classify systems by risk, track lifecycle stages, and align them with policy and legal requirements. KYA acts as the foundation of AI governance.

How a KYA process is structured

A good KYA process includes several clear steps. Each one ensures that an AI system is not only known but also evaluated.

• Identification: List all AI systems, including machine learning models, generative AI tools, and embedded third-party services.

• Ownership: Assign technical and business owners for each system.

• Purpose and scope: Describe the function, users, and decisions the AI affects.

• Risk classification: Evaluate the system’s impact using criteria from the [EU AI Act](https://artificialintelligenceact.eu/) or internal standards.

• Data assessment: Record what personal or sensitive data is used, how it’s collected, and how it’s processed.

• Lifecycle tracking: Log the development, deployment, and updates of the system.

• Review schedule: Define when the system will be reassessed.

This information feeds into an AI inventory that becomes part of the organization’s compliance and governance toolkit.

Best practices for implementing KYA

Launching a KYA program takes cross-functional planning and practical tools. Assume you will need support from legal, technical, data, and compliance teams.

Best practices include:

• Start with a pilot: Choose one department to run the KYA process end to end.

• Use standardized forms: Collect data in structured formats that can be reused and updated easily.

• Automate where possible: Use internal monitoring tools to detect AI usage or API activity that indicates hidden systems.

• Include vendor systems: Require external AI vendors to complete KYA documentation for the tools they provide.

• Train staff: Teach business users what counts as AI and how to report it.

• Incorporate reviews: Align KYA reviews with product launches or system updates.

Pairing this with frameworks like ISO/IEC 42001 supports audit readiness and repeatable governance practices.

FAQ

How is KYA different from an AI inventory?

An inventory is a list. KYA is a structured process that builds that list while evaluating risk, data use, and ownership. KYA adds context and compliance layers to a basic registry.

Who should manage the KYA process?

Typically, AI governance, risk, or compliance teams lead the process. They coordinate with IT, data science, and legal teams to collect and review submissions.

What types of AI systems should be included?

Include both internal and third-party systems, even if the AI is hidden behind an API. If a tool makes decisions or automates tasks using data, it should be reviewed.

Does KYA apply to non-technical business units?

Yes. Business units often use generative tools, chatbots, or automated decision systems without technical support. These systems need to be recorded and assessed through the KYA process.

How often should KYA reviews happen?

Review frequency depends on risk level. High-impact systems may be reviewed quarterly or annually. Low-risk systems can be reviewed every 18 to 24 months or when major changes occur.

Summary

Know Your AI is a core part of responsible AI governance. It gives organizations visibility into how AI systems operate, who manages them, and what risks they carry. A well-structured KYA process helps prevent legal problems, build user trust, and align with global AI regulations. Starting small and expanding over time makes the process manageable and valuable.