
Use case | DX promotion | AI usage guidelines | Governance

Using AI to check whether internal AI usage requests follow AI usage guidelines

Generative AI usage requests from the field were checked against internal AI usage guidelines, personal data handling rules, and confidentiality classes. Risk categories and prohibited-use conflicts were sorted automatically with evidence.

INDX Editorial Team, Product Team | 7 min read
DX governance desk with AI usage request forms and risk classification cards

"Every AI usage request from the business requires us to reread the guidelines from scratch to find the issue." We tested how INDX Compliance addresses this common DX Office review pain using real product screens.

Background

Why AI usage request reviews become so person-dependent

At one company, the DX Office began receiving dozens of generative AI usage requests from business teams each month. Each form states the purpose, tool, and input data, but reviewers still manually judge each request against internal AI guidelines, APPI, and confidentiality classification policy.

The guideline set spans multiple documents, with prohibited uses, risk classifications, and confidential information handling spread across different pages. Interpretation varies by reviewer, and approval criteria become person-dependent in practice. Reviews concentrated on a few people and became a bottleneck.

Challenges encountered

  • AI usage requests from business teams increased sharply, concentrating review work on a few people.
  • Guideline interpretation varied by person, so the same request could receive a different decision depending on the reviewer.
  • Missed prohibited uses, such as entering confidential information, directly increased leakage risk.
  • The basis for rejection or conditional approval was not retained, making later explanations difficult.

01 Trial

Describe the check in plain business language

First, there is no complex setup. "Check whether the request conflicts with guidelines or prohibited uses, with supporting evidence." We entered that in the same language a team member would use with a manager. The AI then built the required review steps automatically.

app.indx-compliance.com/start/draft

Your instruction (plain language is fine)

"Check whether the generative AI usage requests from business teams comply with internal AI usage guidelines, personal data handling rules, and confidentiality classification policy. Flag risk classifications and prohibited-use conflicts with evidence."

AI generated the checklist workflow (draft · 4 steps)
  1. Import guidelines and related policies

    Import the AI usage guidelines, APPI requirements, and confidentiality classification policy.

  2. Assess risk for each application

    Check purpose, input data, and use case against the guidelines item by item.

  3. Verify evidence and confidence

    Confirm that the cited guideline clause actually exists.

  4. Final human review

    Route only high-risk and needs-review applications to the DX Office.

Screen 1: From a plain-language instruction, AI generates a 4-step workflow: import guidelines -> assess risk for each request -> verify evidence -> final human review. Review the contents and save.

No programming knowledge or complex rule configuration is required. The generated workflow can be reviewed and edited, then reused across future requests with the same checks.

02 Trial

Run it to see pass/fail results with evidence for each check

After saving and running the workflow, AI checks each aspect of the request against the guidelines. The results are consolidated on one screen. The key point is that every decision includes the exact guideline and clause used as evidence, so reviewers do not have to take the AI conclusion on trust. Tapping a row opens the source text.

app.indx-compliance.com/runs/run_ai-2026-0078
AI usage request check | Request No. AI-2026-0078 | v1

Compared against internal AI usage guidelines / APPI / confidentiality classification policy / AI ethics principles

AI Usage Guideline Compliance Check

Run on 2026-05-18 | 7 checks

Evidence included

Pass: 4 | Needs review: 2 | Non-compliant: 1 | Compliant: 57%
  • Decision evidence: Internal AI Usage Guidelines 4.2, p.5

    Article 4: When handling information, top-secret information and personal data must not be entered into external AI services. Violations are handled under measures equivalent to information leakage incidents.

    Checked standard: Internal AI Usage Guidelines 4.2
    Source match: Possible conflict with governing policy
    AI confidence: 87%

    The usage scenario includes customer personal data input, which conflicts with a prohibited use. High risk.

Screen 2: A list of 4 pass / 2 needs review / 1 non-compliant item. Click any row to open the highlighted guideline text used as evidence and the reason for the conflict.

In this test, AI flagged one high-risk issue: the usage scenario of entering customer personal data into an external AI service conflicts with prohibited uses in the guidelines. Approving it unnoticed could lead directly to an information leak.

03 Trial

Humans review only the needs-review and non-compliant items

The 4 items AI marked as passing have evidence attached and can be checked quickly. Human judgment is reserved for the 2 needs-review items and 1 non-compliant item, 3 items in total. The reviewer returned the prohibited-use request to the drafting team, confirmed the revised scenario that removed personal data input, and finally approved and locked the result.

app.indx-compliance.com/runs/run_ai-2026-0078/review

Final review (human confirmed)

Non-compliant: Do not input top-secret information into external AI services

The usage scenario includes customer personal data and conflicts with prohibited uses in the guidelines. It was returned to the requesting department for revision.

Humans review only the 3 needs-review and non-compliant items. The 4 passing items can move through with evidence attached, so reviewers can focus on judgment.

Audit log (tamper-proof)

  1. 10:14 | AI

    Assessed 7 checks (4 pass / 2 needs review / 1 non-compliant)

    hash c3f7…2a

  2. 10:31 | AI usage reviewer Suzuki

    Returned the external AI input of top-secret information and requested a use-case revision

    hash e9b1…4d

  3. 11:55 | Requesting department Nakamura

    Revised the scenario to exclude personal data input and resubmitted -> non-compliance resolved

    hash a7d5…08

  4. 11:57 | AI usage reviewer Suzuki

    Approved and finalized all checks. DX Office formally accepted the request

    hash b2e6…f1

Screen 3: Left: humans review only items that need action. Right: every action, from AI decision to human approval or return, is automatically preserved in a tamper-proof log.

Every action and decision is recorded in a tamper-proof audit log. Teams can later trace who decided what, when, and based on which evidence, and reuse that record for internal audits and governance reporting.

Outcome

Result: review criteria became consistent and risk misses dropped to zero

Request reviews that had depended on reviewer experience and memory can now be judged against the same criteria regardless of reviewer. Most importantly, prohibited-use conflicts were reliably detected before approval.

  • Standardized review (AI usage request review): same criteria for every reviewer
  • 100% decisions with evidence: relevant guideline clause available immediately
  • 3 / 7 requests requiring human review: 4 passing items move through

Key points from this case

  • Configure the check with a plain-language instruction. No specialist knowledge or programming is required.
  • Every pass/fail decision includes the original guideline text as evidence, so people can verify the AI work.
  • Humans review only needs-review and non-compliant items, allowing them to focus on judgment and prevent missed prohibited uses.
  • Actions and decisions remain in a tamper-proof log that can be used directly for internal audits and governance reporting.

Summary

Policies, contracts, applications: rule checks follow the same pattern

This example focused on AI usage requests, but INDX Compliance works the same way across use cases. Provide the standard documents, such as guidelines, laws, or internal rules, along with the documents to check, such as applications, contracts, or policies, and compare them with evidence attached. The same workflow applies to internal policy consistency checks, contract reviews, ISO audit preparation, and any operation that requires checking documents against rules.

Try it in your workflow, starting with one document.

Bring a policy, contract, or application document, and we will demo the actual judgment screen. Closed-network and on-premise deployments are supported.
