Buyer question
Who approved ChatGPT, Copilot, or Claude access - and can you prove it?
You can prove who approved ChatGPT, Copilot, or Claude access only if the approval record stays connected to the AI tool, requester, purpose, policy, grant, expiry, and later review evidence.
A JSM ticket alone often proves the initial decision, but not whether the access is still justified or still matches Okta or Entra group membership.
Last updated: 2026-06-10
Practical answer
| Record | Question it answers | Where it should live |
|---|---|---|
| Requester and tool | Who asked for which AI tool? | JSM request and AI access record. |
| Approver and policy | Who approved it and under what rules? | Approval decision and policy version. |
| Grant and expiry | How long was access allowed? | AI access grant record. |
| Recertification | Was continued need reviewed? | Review-before-expiry issue or recertification state. |
| Configured-group drift check | Does Okta/Entra membership still match? | Connector job outcome and audit event. |
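A sketch of the configured-group drift check from the table, as an added example (not AI Clearance's or JSM's code): it reconciles grant records for one AI tool against a snapshot of the configured group. The record fields, finding names, users, ticket keys and dates are constructed assumptions; a real check would read membership from the Okta or Entra connector.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Grant:  # hypothetical shape of one AI access grant record
    user: str
    ticket: str                    # JSM request key (constructed)
    approver: Optional[str]
    policy_version: Optional[str]
    expires: date
    last_review: Optional[date] = None

def audit(grants, group_members, today, review_window_days=30):
    """Reconcile grants for one AI tool against its configured group."""
    findings = {}
    by_user = {g.user: g for g in grants}
    def flag(user, name):
        findings.setdefault(user, []).append(name)
    # Members with no grant record: access granted outside the workflow.
    for user in sorted(set(group_members) - set(by_user)):
        flag(user, "in_group_without_grant")
    for user, g in sorted(by_user.items()):
        if not g.approver or not g.policy_version:
            flag(user, "approval_evidence_incomplete")
        expired = g.expires < today
        if expired and user in group_members:
            flag(user, "expired_but_still_in_group")
        elif not expired and user not in group_members:
            flag(user, "granted_but_not_in_group")
        # Recertification: a grant nearing expiry needs a recorded review.
        if (not expired and g.last_review is None
                and (g.expires - today).days <= review_window_days):
            flag(user, "review_due_before_expiry")
    return findings

# Constructed sample data (not from any real tenant).
TODAY = date(2026, 6, 10)
GRANTS = [
    Grant("alice", "AI-101", "bob", "v3", date(2026, 9, 1)),
    Grant("carol", "AI-102", "bob", "v3", date(2026, 5, 1)),
    Grant("dave", "AI-103", None, "v3", date(2026, 6, 25)),
    Grant("frank", "AI-104", "bob", "v3", date(2026, 12, 1)),
]
GROUP = {"alice", "carol", "dave", "erin"}  # snapshot of the configured group

def run_sample():
    return audit(GRANTS, GROUP, TODAY)
```

Each finding maps to a row of the table: a missing approver or policy version breaks the approval evidence, an expired grant still in the group is drift, and a group member with no grant is access granted outside the request workflow.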
Honest limitations
This evidence does not show what the person typed into ChatGPT, Copilot, Claude, or any other AI tool. It only shows access governance.
Related next step
Review AI Clearance for AI access lifecycle evidence, or start with AI Clearance vs native JSM if you are deciding whether to build this yourself.
FAQ
Can native JSM answer who approved access?
Yes, for the initial approval. The lifecycle proof requires more structure.
What if access was granted outside JSM?
Log it as an exception or baseline record before relying on JSM as the source of truth.
Does AI Clearance know every AI user automatically?
No. It relies on the configured request workflow and optional configured-group checks.