An AI usage ledger is a per-tenant record of which employee used which AI tool, for which workflow, at what cost, and under what coverage state — so the same data can answer board, audit, and budget questions without contradicting itself.
Why "track AI usage" is the wrong starting question
The first instinct when a CFO or CISO realizes they have an AI problem is to find a tool that lists every AI request employees are making. That instinct is correct but incomplete. A simple list of requests doesn't survive a board question, a SOC 2 review, or a budget defense — those audiences need the same data organized three different ways. The right starting question is: what is the control plane and system of record for AI across our company — humans, apps, and agents — and what does it need to answer?
The answer is a ledger, not a log. A log lists events in time order. A ledger pivots the same events into three views: by user (who used what AI for what), by spend (which budget owns which dollar), and by policy (which requests fell inside or outside the rules you've already written). The same row needs to answer all three or the system fragments back into spreadsheets.
The five channels every AI usage ledger needs
Mid-market companies have AI usage entering through five distinct channels, and each one needs a different ingestion strategy. Skipping a channel is honest if you label the gap; pretending it doesn't exist is the failure mode that kills audit credibility.
First: direct provider telemetry. ChatGPT Enterprise Workspace Analytics, Anthropic Usage API, OpenAI billing API, GitHub Copilot seat reports, Microsoft 365 Copilot Graph reports. These are high-fidelity signals where providers expose them: user-level usage, activity, seats, request volume, or cost. Connect these first.
Second: a managed AI gateway. If you can route some traffic through a gateway you control (Tallin Gateway, LiteLLM, or a similar router), every request through that path becomes attributable and policy-checkable. Metadata-only capture can preserve the operational trail without storing prompt content; deeper audit capture can be enabled only where the customer needs that evidence. This is the signal that proves enforcement, not just inference.
Third: identity discovery. SSO logs from Okta, Azure AD, or Google Workspace tell you which provider accounts exist. Even without telemetry, you can prove a ChatGPT account was created against a corporate email — that's an inferred-coverage signal.
Fourth: network and CASB. Network logs and CASB events surface visits to AI tool domains. This catches the personal ChatGPT account someone signed up for from a corporate device — a gap the other four channels miss.
Fifth: manual evidence. Expense reports, credit card line items, CSV imports from a SaaS finance tool. These are the catch-all for the personal-card AI subscription that hasn't yet hit any of the other four signals.
None of these channels is complete on its own. Together they form a ledger that's honest about what's observed, inferred, enforced, and not covered.
The 90-day rollout: from zero to defensible coverage
Mid-market companies tend to over-scope this work. You don't need a 12-month program. You need three 30-day pushes.
Days 1-30: connect the two highest-signal sources you have. For most companies that's a ChatGPT Workspace Analytics export and the Anthropic usage API. Even with just these two, you get an immediate observed-coverage estimate for the majority of your AI spend.
Days 31-60: add identity discovery (SSO logs from Okta or Azure AD) and the expense/CSV evidence channel. This catches the long tail of personal accounts and shadow subscriptions. By the end of day 60, you should be able to put a number on every category — observed, inferred, enforced, not covered.
Days 61-90: layer in policy enforcement. This is where you stop merely observing and start governing — gateway routing for sensitive workflows, access restrictions on sanctioned providers, budget caps. The ledger now answers the third question: are the rules you wrote actually being followed?
At day 90 you have a defensible board pack. Not a complete one — no AI governance program is complete in 90 days — but a defensible one. The difference matters.
What "banning AI" gets wrong (and why you shouldn't)
A common reaction to AI sprawl is to ban it. Block ChatGPT at the firewall, deny SaaS-AI procurement, refuse to sanction Copilot. This is almost always counterproductive, for three reasons.
First, the ban doesn't hold. Employees who need an AI tool for their workflow will find another way — personal device, mobile hotspot, a non-blocked tool. You've now lost visibility entirely.
Second, the policy you write to defend the ban becomes evidence against you. SOC 2 auditors are starting to ask not whether you have an AI policy, but whether the policy reflects what employees are actually doing. A policy that says "no AI tools" against a workforce that's using ChatGPT daily is a policy that explicitly fails its first audit.
Third, the buyer's actual concern is rarely "AI exists." It's "confidential data is leaving without us knowing." That problem is solved by observability and policy enforcement on sanctioned paths, not by a blanket prohibition.
The right move is sanctioned-and-tracked: pick the AI tools you'll support, route them through a system that lets you see and govern usage, and explicitly label what's not covered. Employees keep their tools, you get the ledger, your policy reflects reality.
What this looks like in Tallin
Tallin is the system of record we just described. Gateway traffic, provider telemetry, billing evidence, identity signals, network/CASB evidence, and uploaded sources are attributed to actors and policy state where the evidence supports it. The honest coverage taxonomy (observed / inferred / enforced / not covered) is the default. The 90-day rollout has a built-in setup checklist.
The board pack export pivots the same ledger three ways — by user, by spend, by policy compliance — so the data you're already collecting answers your auditor's questions, your board's questions, and your CFO's budget questions without re-keying anything. That's the system-of-record promise: write the policy once, prove adherence where evidence supports it, and keep the remaining gaps visible.
Key takeaways
- A ledger, not a log: the same data has to answer board, audit, and budget questions.
- Five ingestion channels — provider telemetry, gateway, identity, network, manual — none complete alone.
- 90-day rollout: connect two providers in month one, add identity + expense in month two, policy enforcement in month three.
- Sanction and track instead of banning. Bans don't hold and become evidence against you in audits.
- Honest coverage (observed / inferred / enforced / not covered) is what makes the ledger defensible.
Keep reading