Enterprise AI Governance Best Practices

Why the AI Use Case Inventory Matters

The AI Use Case Inventory is one of the primary governance anchors for Enterprise AI Governance.

An AI Use Case describes a specific business, technical, operational, analytical, or decision-support purpose for which AI is used or proposed. It explains why AI is being used, what outcome is intended, who owns the use, who benefits from it, who may be affected by it, what category of AI use it represents, what risk it creates, and what governance treatment it requires.

The AI Use Case Inventory matters because governance should begin with purpose. A model, agent, prompt, vendor feature, or technical asset cannot be fully governed without understanding the use case it supports. The same AI capability may be acceptable in one use case and unacceptable in another. A summarization model may be low-risk when used to summarize internal meeting notes, but higher-risk when used to summarize medical records, legal evidence, customer complaints, employee performance information, or regulated financial disclosures.

An enterprise that lacks an AI Use Case Inventory may know that it has AI tools or models, but it may not understand why those tools or models are being used, which business outcomes they support, which stakeholders they affect, or which obligations apply.

What an AI Use Case Is

An AI Use Case is a governed description of an intended or actual use of AI.

It should describe the business or operational purpose of the AI use, the problem being solved, the intended value, the users involved, the stakeholders affected, the data used, the AI capabilities required, the outputs produced, the decisions or actions influenced, and the controls required.

An AI Use Case may be internal or external. It may support employees, customers, partners, vendors, patients, citizens, regulators, developers, analysts, service agents, executives, or automated systems. It may be experimental, pilot, production, retired, prohibited, or under review. It may involve generative AI, predictive AI, classification, summarization, recommendation, retrieval, content generation, code generation, anomaly detection, workflow automation, or agentic action.

The AI Use Case is not the same thing as the AI Model. It is not the same thing as the AI Agent. It is not the same thing as the Application, Platform, Workflow, Automation, Vendor Product, or other technical asset. The use case explains the purpose and context in which those other things are used.

Minimum Information in the AI Use Case Inventory

The AI Use Case Inventory should capture enough information to support governance decisions.

At a minimum, an AI Use Case record should identify the use case name, description, business purpose, owner, sponsoring organization, lifecycle state, AI use category, users, affected stakeholders, business process, related technical assets, AI Agent if applicable, AI Model if applicable, vendor if applicable, data and information used, outputs produced, locations or jurisdictions involved, risk classification, regulatory applicability, required controls, approval status, review date, and evidence package.

The record should also identify whether the use case is internal, customer-facing, employee-impacting, vendor-provided, agentic, embedded in a technical asset, or used for human productivity. These distinctions matter because they affect risk, oversight, control, evidence, and regulatory treatment.

The inventory does not need to capture every possible detail at the beginning. However, it must capture enough information to determine whether the use case is permissible, whether it requires review, whether obligations apply, whether controls are needed, and whether evidence must be preserved.

AI Use Case Categories

The AI Use Case Inventory should classify each use case by category.

This document uses four major categories of AI use: AI that augments human productivity, AI embedded in technical assets, AI consumed from vendor products and third-party services, and agentic AI that acts on systems.

Human productivity use cases include drafting, summarization, analysis, research support, coding assistance, test generation, documentation, meeting support, spreadsheet analysis, presentation support, knowledge retrieval, and other AI-assisted work performed by people.

Embedded AI use cases include AI capabilities that are built into applications, workflows, platforms, data pipelines, customer experiences, operational systems, or internal business solutions.

Vendor and third-party AI use cases include AI capabilities consumed through SaaS platforms, cloud services, commercial products, outsourced services, managed services, APIs, or vendor-provided features.

Agentic AI use cases include AI that can act through tools, APIs, workflows, systems, repositories, records, tickets, messages, or operational environments.

Classifying the use case helps the enterprise determine which governance patterns apply. A coding assistant, customer-facing chatbot, vendor AI summarizer, and production operations agent should not be governed identically.

Risk and Impact Classification

Each AI Use Case should be classified by risk and impact.

Risk classification should consider the stakeholders affected, the decisions influenced, the sensitivity of data used, the autonomy of the AI capability, the criticality of the business process, the severity of potential harm, the regulatory environment, the degree of customer or employee impact, the vendor dependency, the transparency required, and the ability to detect and correct errors.

Impact classification should consider whether the AI use affects employment, credit, healthcare, insurance, education, housing, legal rights, public services, customer eligibility, pricing, safety, security, compliance, regulated advice, sensitive data, vulnerable populations, or other consequential domains.

The purpose of classification is not to make every AI use difficult to approve. The purpose is to apply the right level of governance. Low-risk internal productivity uses may need lightweight controls. High-risk, customer-facing, employee-impacting, regulated, or agentic uses may require formal review, human oversight, testing, monitoring, logging, evidence preservation, and periodic reassessment.

Relationship to AI Agents

The AI Use Case Inventory should connect to the AI Agent Inventory where AI Agents are involved.

An AI Use Case explains the purpose. An AI Agent is the operational actor that performs work, interacts with users, invokes tools, accesses data, produces outputs, or acts on systems. One AI Use Case may be supported by one or more AI Agents. One AI Agent may support one or more AI Use Cases.

This relationship matters because the use case determines the governance context for the agent. An agent used for internal knowledge retrieval may require different controls than an agent used to update customer records, generate regulated responses, route clinical information, execute infrastructure changes, or interact with production systems.

The enterprise should not govern AI Agents in isolation from the use cases they support. Agent authority, access, tools, AI Prompts, models, monitoring, location scope, and evidence should be evaluated in relation to the use case.

Relationship to Technical Assets

The AI Use Case Inventory should also connect to the technical assets that implement, expose, host, invoke, or operationalize the use case.

Those technical assets may include Applications, Platforms, Services, APIs, Integrations, Workflows, Automations, Jobs, Scripts, Data Stores, Vendor Products, Runtime Environments, Tools, or other governed technical Noun Instances.

This relationship helps the enterprise understand where the use case is implemented, what systems are involved, which data flows through those systems, which users access them, which vendors support them, which environments they operate in, and which controls can be enforced technically.

Without this relationship, the enterprise may approve a use case without knowing how it is implemented, where it runs, or how it can be controlled.

Relationship to Data and Information

The AI Use Case Inventory must connect to the data and information used by the AI use.

AI may use data for prompting, retrieval, inference, training, fine-tuning, evaluation, monitoring, reporting, or evidence. The enterprise must know which data categories are involved, who owns the data, how sensitive the data is, whether personal information is used, whether regulated data is involved, where the data is stored, where it is processed, whether data is shared with vendors, and whether retention or deletion obligations apply.

Data exposure is one of the most common governance risks in AI use. A use case that appears low-risk may become higher-risk if it uses confidential, personal, regulated, proprietary, security-sensitive, or legally privileged information.

For this reason, the AI Use Case Inventory should not treat data as a generic note. It should connect to governed Data and Information inventories, Data Sensitivity Types, data owners, data stewards, data sources, data flows, and data controls.

Relationship to Locations and Jurisdictions

Each AI Use Case should identify the locations and jurisdictions in which it operates, serves users, processes data, affects stakeholders, or produces outcomes.

Location and jurisdiction matter because they influence regulatory applicability, privacy obligations, employment rules, consumer protection requirements, disclosure obligations, data residency requirements, incident notification duties, and sector-specific rules.

The required location granularity depends on the obligations that apply. Some use cases may only need country-level classification. Others may require state, province, county, city, town, facility, service territory, cloud region, or data residency zone mapping.

For simple use cases, location may begin as an attribute on the AI Use Case record. For more complex or mature environments, the use case should connect to governed Location / Jurisdiction records and related AI Agent-to-Location or AI-to-technical-asset location mapping records.

Relationship to Regulations, Obligations, Controls, and Evidence

The AI Use Case Inventory should connect to Regulations, Regulatory Obligations, Controls, and Evidence.

Figure: AI Use Case Relationship Hub

The use case is often the point where applicability is assessed. A regulatory obligation may apply because the AI Use Case affects employees, serves customers, operates in a specific jurisdiction, uses sensitive data, supports a high-impact decision, produces external outputs, or relies on a vendor capability.

Once applicable obligations are identified, the enterprise must map them to controls and evidence. A high-risk AI Use Case may require human oversight, disclosure, testing, monitoring, access control, vendor review, output retention, incident procedures, regional restrictions, or periodic reassessment.

The AI Use Case record should connect to the controls required for the use case and to the evidence proving those controls operated.

Lifecycle of an AI Use Case

The AI Use Case Inventory should manage lifecycle state.

Common lifecycle states may include proposed, candidate, under review, approved for experimentation, pilot, approved for production, active, restricted, suspended, remediating, retired, rejected, or prohibited.

Lifecycle state matters because governance requirements vary by state. A proposed use case may need intake information. A pilot may need limited approval, data restrictions, and time-bound review. A production use case may need operational controls, monitoring, evidence, and incident response. A restricted use case may need additional controls or location limitations. A retired use case may need evidence retention, data disposal, decommissioning records, and dependency cleanup.

The enterprise should track material changes. A use case should be reassessed when its purpose changes, stakeholder scope changes, data changes, model changes, AI Prompt changes, vendor changes, location scope changes, autonomy increases, output usage changes, or regulatory obligations change.

Governance Questions the AI Use Case Inventory Should Answer

For aI Use Case Inventory, governance should answer what exists, who owns it, what is affected, which risks, obligations, controls, evidence, incidents, changes, and gaps require action.