How to audit your AI dependency
Would your business still function if OpenAI went dark tomorrow? Most founders can't answer that with confidence. Here's the audit that surfaces it.
How to audit your AI dependency
Draw a line down the middle of a page.
Left column: things in your business that would still work if OpenAI went dark tomorrow.
Right column: things that wouldn't.
Most founders have never done this. When they try, they realise they can't populate either column with confidence. The AI dependency isn't mapped anywhere. It's just there, running through everything.
Start with the vendors
Before you can audit the dependency, you have to know who you're depending on.
List every AI model your business calls. Not tools — models. If your team pastes prompts into ChatGPT, that's OpenAI. If your CRM's AI features are on, find out whose model is behind them (often OpenAI, sometimes Anthropic, sometimes Google, occasionally the vendor's own). If you're using Perplexity, that's a wrapper around several providers depending on the query. If you have automations calling APIs directly, name the endpoint.
This exercise usually surprises people. A business with "one or two" AI tools often turns out to have six or seven models in the estate, from four different vendors.
Then walk the workflows
For each business process (sales, ops, customer service, finance), ask a simple question. If the AI in this process stopped working tomorrow, what happens?
Three answers are common.
The process continues manually. Someone was faster with AI; they'll be slower without it. Annoying, not urgent. This is a healthy dependency.
The process stops until a human takes over the automation. The workflow was designed around AI being in the loop. Someone has to step in and do the classification, drafting, or routing by hand until you rewire. This is a real dependency and needs a runbook.
The process breaks and nobody knows how to fix it. The automation was built by someone who's not here anymore, or set up in a low-code tool nobody's opened since. This is a critical dependency and a business risk.
Most estates have at least one process in the third category. Founders don't discover it until the day it breaks.
The vendor risk
For each dependency in categories two and three, ask what happens if the specific vendor changes something. Three scenarios matter.
The API price goes up. Is your business economics still viable? For most companies at current usage levels, yes. But this is the first assumption that stops being true as usage grows.
The model behaviour changes. New version, different tuning, different tone. Your prompt library, tested against last quarter's output, may not perform the same way. This is drift, and it happens without notice.
The vendor deprecates or discontinues the API. Rare so far, but the AI market is consolidating and re-pricing. GPT-3.5 was retired within eighteen months of shipping. Assume any model you're building against today will be retired within two years.
The one-page summary
At the end of the audit you should have a page that lists: which AI vendors you depend on, which processes call them, what breaks if each one is unavailable, and who owns the fix.
If you don't have that page today, you're using AI, not managing it. That's most businesses.
Want help running this audit? Book a conversation and we'll walk it with you.
Robin Carswell
More on
AI tool or AI workflow: the difference that matters
When two founders say they 'use AI in the business', one may be pasting into ChatGPT and the other may have it wired into their pipeline. Same technology, very different dependency.
The AI features you didn't sign up for
Every SaaS tool you pay for is quietly shipping AI features by default. You didn't procure them, you can't cleanly turn them off, and your team is now building workflows around them.
'AI-first' is a paint job, not an architecture
Most tools claiming to be AI-native haven't changed their architecture at all. Here's the test that separates genuine AI-native systems from legacy software with a chatbot bolted on.