Nobody Approved the AI Running Inside Your Software Right Now.

July 14, 2026

Most companies approve software once and assume it stays the same forever. It doesn't.

Zoom added AI to record and summarize calls. Teams did too, separately. Salesforce introduced Agentforce, running inside live sales conversations. Slack picked up AI integrations, and whatever a company's own developers connected to it, sometimes without asking first. None of that meant buying a new product. All of it happened inside software the company had already approved.

What Actually Happened

Thomas Cooper, AI Product Lead at Expedient, described this pattern on a recent episode of Signed. Each of these tools got reviewed once, on its own, at a different time, by a different person. AI arrived inside all of them later, quietly, as an update rather than a decision. For most of these tools, nothing like a new product review ever happened, because nothing about the original approval assumed the product would need reviewing again.

The Real Problem Isn't AI

AI just made this visible faster than anything else has. The actual gap is older than AI, and it's simple: most technology approval processes assume a product stays the same after it gets approved. It doesn't. Software keeps changing, quietly, on the vendor's schedule, not the buyer's. AI is just the first change big enough that everyone's finally noticing it.

Approval needs to follow the product as it keeps evolving, not just the purchase. Most companies have been treating it as a one time event anyway.

Why Nobody Owns This

Ask who owns this inside a typical company, and the honest answer is usually nobody, specifically. IT approved the tool. Security reviewed the original build. The application owner tracks whether people are using it. Procurement closed the deal. None of those groups owns the question of what happens when the vendor changes the product underneath everyone, three updates later.

What Changes Once You See It This Way

Once approval stops being treated as permanent, a few things follow naturally. Vendor reviews can't be a one time gate before signing, they need a recurring checkpoint instead. Procurement needs a way to hear about big changes to a product it already approved, not just new purchases. Legal and security need a simple way to know when a new AI feature shows up inside a tool they already trust, so it gets looked at the same way a brand new tool would.

What to Ask at the Next Review

For any tool a company already approved, these are worth asking on a schedule, not just once:

  • What's changed about this product since it was approved?
  • Who signed off on the new capability, if anyone did?
  • Does this change where the data goes, or who can see it?
  • Does this change what the company is required to tell a regulator or a customer?
  • Does procurement or legal need to look at this again?

If most tools in the company have never been asked these questions since the day they were approved, that's the gap, not any one vendor's AI feature.

Where This Actually Lands

Every tool your company runs today started out looking the same as the one you approved. Most of them don't anymore. The vendor changed it after you signed, quietly, and nobody was ever asked to check again.

That's the actual risk. Not the AI feature itself. The fact that nobody's watching for the next one.

A governance check that only happens before you buy something is checking the product you bought. Not the one you're actually running today.

Fix that, and the next AI feature that shows up inside a tool you already trust stops being a surprise. Leave it, and you'll find out about it the way most companies do, after something's already gone wrong.

If you can't name the last time anyone checked what's actually running inside your approved tools, this is the conversation to have. 

Get Started. No pitch. No prep. Just answers.