The problem no one is measuring
In most mid-size companies, the finance function is already using artificial intelligence. Not because the CFO authorized it. But because an analyst discovered that ChatGPT saves two hours when preparing the monthly report, or because someone started using Copilot to consolidate data from different sources.
That usage exists. It is happening right now. And in most cases, there is no record of which tools are being used, what data is being shared with them, or which outputs are being incorporated into real financial decisions.
The risk is not that AI makes mistakes. The risk is that those mistakes won't be visible until they have already caused a problem: an incorrect figure in a board report, a projection based on an output no one validated, or sensitive information sent to an external model without knowing what the vendor does with it.
Why finance carries the highest exposure
Finance works with three types of assets that, in combination, generate significant exposure:
Sensitive data. Margins by business line, projected cash flows, vendor contract terms. If an analyst pastes that into an external language model, the data leaves the company's perimeter.
Outputs used to make decisions. An error in production can be corrected. An error in a financial report that has already been presented to the board carries different consequences.
Processes with little redundancy. In companies of 50 to 200 people, the finance function typically has two or three people who know the full process. If those people incorporate AI in an undocumented way, process knowledge ends up partially outside the organization's control.
How to map actual usage in four steps
The goal is not to prohibit AI use. It is to know what is being used, for what purpose, and with what data. From there, you can decide what to formalize, what to replace, and what to prohibit.
Step 1 — Tool inventory. A structured conversation with each person on the team, without an audit tone. The central question is straightforward: what tools do you use in your daily work that are not corporate-approved? In most cases, the team responds honestly when the context is one of improvement, not control.
Step 2 — Classification by process. Once the tools are identified, map which processes they are used in: monthly financial close, reconciliations, management reports, variance analysis, forecasts. Each process carries a different level of criticality and a different level of data exposure.
Step 3 — Risk assessment by combination. The actual risk arises from the combination of process criticality and data sensitivity. An analyst who uses AI to format results presentations has a very different risk profile from one who uses AI to build cash flow projections with real company data.
Step 4 — Governance decision. With that map, the CFO can make informed decisions: which uses are formalized with approved tools, which processes require mandatory human validation before the output is used, and which data must never leave the corporate perimeter.
A concrete example
A distribution company with 80 employees and a three-person finance team. The lead analyst was using ChatGPT to draft the executive commentary for the monthly report. He did so by pasting that month's data directly into the chat: sales by channel, margins, budget comparison.
No one had authorized it. No one had prohibited it. The CFO didn't know.
The risk in that case was not the commentary itself — it was that the margin-by-channel data was leaving the company every month, with no visibility into what the vendor did with it or whether it was being stored.
The solution was not to prohibit the use. It was to replace that tool with an internal agent that generates the same executive commentary using data from the ERP, with nothing leaving the perimeter. The analyst keeps his productivity. The CFO has control.
Implementation time in a case like that falls in the range of four to six weeks. Estimated time savings for the analyst: between eight and twelve hours per month. Risk eliminated: difficult to quantify until an incident occurs, but straightforward to justify before one does.
What governance does not mean
Governance does not mean slowing down the team. It means the CFO knows what is happening and can respond if someone asks.
In an audit, in a due diligence process, or simply in a board meeting where someone asks how a particular number was built, the answer cannot be "the analyst did it with a tool we don't know."
AI governance for finance has three minimum components: a registry of approved tools, a classification of data by sensitivity level, and mandatory human validation on outputs that feed business decisions. It does not require complex technology. It requires a clear process and someone accountable for maintaining it.
Where to start
The first step is not to implement anything. It is to know where you stand.
A finance function diagnostic takes between one and two weeks. At the end, the CFO has a map of actual usage, a risk classification by process, and a concrete recommendation on what to formalize first.
This is not a transformation project. It is information that enables decisions made with sound judgment.
If you would like to conduct that diagnostic, you can request it through the form on this page. No need to schedule a call immediately.
