Templates Library

AI Governance Templates

Free, expert-built templates and checklists to help CISOs and security leaders build board-ready AI governance programmes in hours, not months.

Free Templates

644

Actionable Controls

Compliance Frameworks

Quarterly

Update Cadence

Free Downloads

Templates for Security Leaders

Each template is built by AI governance practitioners and mapped to major compliance frameworks including HIPAA, SOC 2, GDPR, and the EU AI Act.

ChecklistPDF Checklist

The CISO's AI Security Policy Checklist

A comprehensive 47-point checklist across 9 security domains to help CISOs build a board-ready AI governance policy. Covers acceptable use, data classification, shadow AI, vendor assessment, compliance mapping, incident response, and more.

HIPAAHITECHSOC 2PCI-DSS

A complete AI security policy requires coverage across 9 critical domains: acceptable use, data classification, shadow AI control, vendor assessment, compliance mapping, incident response, board reporting, employee training, and ongoing monitoring - most organisations cover fewer than 3.

78% of enterprises are using AI without formal governance policies, yet organisations without AI security controls pay $1.76 million more per breach according to IBM's 2024 Cost of a Data Breach report - making AI policy development one of the highest-ROI security investments available.

78% - of enterprises use AI without formal governance policies in place

12 pagesDavid ChenApr 13, 2026

Download Free

Policy TemplatePDF Policy Template

Enterprise AI Acceptable Use Policy Template

A ready-to-customise 52-provision AI acceptable use policy template covering 8 policy domains. Built for CISOs and compliance teams who need a professional, board-ready policy document that employees actually understand and follow. Maps to HIPAA, SOC 2, GDPR, EU AI Act, ISO 42001, and NIST AI RMF.

HIPAAHITECHFDA AI/ML GuidelinesSOC 2

Only 5% of organisations have a formal AI acceptable use policy despite 75% of knowledge workers now using generative AI at work (McKinsey 2024 Global AI Survey) - making an AI AUP the single most impactful governance document most companies are missing.

Organisations without AI-specific security controls pay $1.76 million more per data breach (IBM 2024 Cost of a Data Breach) - a well-enforced acceptable use policy is the foundational control that reduces exposure across every AI interaction, from prompt-level data leakage to unsanctioned tool adoption.

95% - of organisations lack a formal AI acceptable use policy despite active employee AI adoption

14 pagesDavid ChenApr 14, 2026

Download Free

QuestionnairePDF Questionnaire

AI Vendor Risk Assessment Questionnaire

A structured 62-question vendor assessment questionnaire across 8 security domains that CISOs and procurement teams use to evaluate AI vendors before onboarding. Covers data privacy, security architecture, model transparency, compliance certifications, incident response, contractual protections, business continuity, and audit rights.

HIPAAHITECHFDA AI/ML GuidanceSOC 2

73% of organisations experienced a security incident originating from a third-party vendor in 2025, yet only 28% have AI-specific questions in their vendor assessment process - leaving the fastest-growing attack surface almost entirely unexamined during procurement.

This 62-question questionnaire covers 8 critical assessment domains - data privacy, security architecture, model transparency, compliance, incident response, legal protections, business continuity, and audit rights - giving procurement teams a single, standardised instrument for every AI vendor evaluation.

73% - of organisations experienced a security incident originating from a third-party vendor in 2025

16 pagesDavid ChenApr 14, 2026

Download Free

PlaybookPDF Playbook

Shadow AI Discovery & Remediation Playbook

An 18-page operational playbook with 56 action items across 8 discovery phases for finding, assessing, and remediating unsanctioned AI usage across your organisation. Covers network-level detection, browser extension monitoring, SaaS auditing, department surveys, risk scoring, migration pathways, and ongoing safe harbour programmes.

HIPAAHITECHSOC 2PCI-DSS

Between 49% and 60% of employees are already using unsanctioned AI tools at work according to Salesforce and Microsoft workforce surveys - meaning your organisation almost certainly has a shadow AI problem, whether you have detected it or not.

Organisations without AI-specific security controls pay an additional $1.76 million per data breach (IBM 2024 Cost of a Data Breach) - yet the average shadow AI discovery programme costs under $50,000 to implement and delivers measurable risk reduction within 30 days.

60% - of employees use unsanctioned AI tools at work, with most organisations unaware of the full scope of shadow AI across their workforce

18 pagesDavid ChenApr 14, 2026

Download Free

Risk RegisterPDF Risk Register

AI Risk Register Template

A structured 48-item risk register across 8 risk domains with a 5x5 scoring matrix to help CISOs identify, assess, treat, and track AI-specific risks. Covers data privacy, model reliability, bias, security, compliance, operational, and reputational risk categories with board-ready reporting dashboards.

HIPAAHITECHFDA AI/ML GuidanceSOC 2

Organisations using AI extensively but without security safeguards pay an average of $4.88M per data breach - and an additional $1.76M compared to those with AI-specific governance controls in place, making a structured AI risk register one of the highest-ROI risk management investments available (IBM 2024 Cost of a Data Breach).

Only 1 in 4 generative AI projects include any form of risk assessment before deployment, yet 82% of enterprise boards now expect quarterly AI risk reporting - this template bridges the gap with a ready-to-use register structure that maps directly to NIST AI RMF, EU AI Act, and ISO/IEC 42001 requirements.

$4.88M - average cost of a data breach in 2024 - organisations without AI-specific security controls pay $1.76M more per incident (IBM)

16 pagesDavid ChenApr 14, 2026

Download Free

ChecklistPDF Checklist

EU AI Act Compliance Checklist

A comprehensive 58-control checklist across 9 compliance domains to help organisations achieve full conformity with the EU AI Act (Regulation (EU) 2024/1689). Covers AI system classification, prohibited practice screening, high-risk requirements, transparency obligations, data governance, human oversight, GPAI model compliance, risk management, and documentation requirements - mapped to specific Articles and Annexes of the regulation.

EU AI Act Annex III s5MDRIVDREU AI Act Annex III s5(b)

The EU AI Act imposes fines of up to 35 million EUR or 7% of global annual turnover (whichever is higher) for deploying prohibited AI practices under Article 5 - making compliance a board-level financial priority, not just a legal formality.

Enforcement is phased: prohibited practices have been enforceable since 2 February 2025, GPAI model obligations apply from 2 August 2025, and the full high-risk AI system requirements under Annex III take effect on 2 August 2026 - organisations need to be working toward compliance now, not waiting for deadlines.

35M EUR - maximum fine under the EU AI Act for deploying prohibited AI practices - or 7% of global annual turnover, whichever is higher

20 pagesDavid ChenApr 14, 2026

Download Free

ChecklistPDF Checklist

Australian Privacy Act ADM Compliance Checklist

A comprehensive 45-control checklist across 10 compliance domains to help organisations comply with Australia's Privacy Act automated decision-making transparency obligations under APP 1.7, 1.8, and 1.9. Covers system inventory, materiality assessment, privacy policy updates, DLP deployment, sensitive data controls, audit logging, alerting, kill switch implementation, and documentation - mapped to specific APP provisions and the Explanatory Memorandum.

APP 1.7-1.9My Health Records ActHealth Records ActAPRA CPS 234

The December 10, 2026 enforcement deadline covers all 'computer programs' that use personal information to make or substantially assist decisions - a scope deliberately broader than just AI or machine learning, capturing rule-based systems, scoring engines, and automated workflows alike.

The three-tier penalty structure reaches AUD $50 million, 30% of adjusted annual turnover, or three times the benefit obtained from the contravention (whichever is greatest) - making non-compliance an existential financial risk for mid-market and enterprise organisations.

$50M - maximum penalty under the Australian Privacy Act for serious privacy interference - or 30% of adjusted annual turnover, whichever is greater

16 pagesDavid ChenApr 18, 2026

Download Free

ChecklistPDF Checklist

NIST AI RMF Implementation Checklist

A 54-control implementation checklist for the NIST AI Risk Management Framework (AI RMF 1.0) across 9 structured sections covering all four core functions - Govern, Map, Measure, and Manage. Maps each control to specific NIST AI RMF subcategories with actionable enterprise implementation guidance for federal contractors, regulated industries, and organisations building mature AI risk management programmes.

NIST AI RMFHIPAAFDASOC 2

Executive Order 14110 on Safe, Secure, and Trustworthy AI (October 2023) and OMB Memorandum M-24-10 direct all federal agencies to implement NIST AI RMF - making it the de facto mandatory standard for every federal contractor and any organisation selling AI systems to the US government.

NIST AI RMF adoption grew 340% between 2023 and 2025 among enterprises with more than 1,000 employees, driven by federal procurement requirements, insurance underwriting standards, and board-level demand for structured AI risk management that goes beyond ad hoc policies.

4 Functions - Govern, Map, Measure, and Manage - the complete NIST AI RMF core covered in 54 actionable controls

22 pagesDavid ChenApr 18, 2026

Download Free

Framework TemplatePDF Framework

AI Data Classification Framework Template

A comprehensive data classification framework with 50 controls across 8 domains for governing data flows through AI systems. Defines 5 classification tiers (Public, Internal, Confidential, Restricted, Prohibited), DLP rule templates, workspace isolation patterns, and lifecycle management procedures to prevent data leakage, ensure regulatory compliance, and maintain auditability across every stage of the AI data pipeline.

HIPAAHITECHGLBASOC 2

Organisations using AI extensively but without security safeguards pay an average of $4.88M per data breach - and an additional $1.76M compared to those with AI-specific governance controls, making a structured data classification framework one of the highest-ROI investments for securing AI deployments (IBM 2024 Cost of a Data Breach).

Enterprises with mature data classification programmes detect and contain breaches 28% faster than those without, reducing average breach cost by $1.49M - yet only 34% of organisations have extended their classification schemas to cover AI training data, prompt inputs, and model outputs (Ponemon Institute 2024).

$4.88M - average cost of a data breach in 2024 - organisations without AI-specific data classification controls face significantly higher exposure from uncontrolled data flows through AI systems (IBM)

18 pagesDavid ChenApr 18, 2026

Download Free

Plan TemplatePDF Plan Template

AI Incident Response Plan Template

A 20-page AI incident response plan template with 56 controls across 9 response phases - from detection through post-incident review. Covers severity classification for prompt injection, data leakage, model poisoning, hallucination harm, and bias incidents. Includes regulatory notification timelines for GDPR (72h), EU AI Act Art. 73 (72h), and HIPAA (60 days), plus a complete RACI matrix and communication protocols for AI-specific security incidents.

HIPAA Breach NotificationFDA MDRSEC Reg S-POCC/FFIEC

Organisations with a tested incident response plan save an average of $2.66 million per breach compared to those without one (IBM 2024 Cost of a Data Breach) - yet fewer than 30% of enterprises have an IR plan that covers AI-specific incident types like prompt injection, model poisoning, or hallucination harm.

The EU AI Act Article 73 and GDPR Article 33 both mandate a 72-hour notification window for serious AI incidents and personal data breaches respectively - meaning your response team must be able to classify, contain, and begin regulatory notification within three days, not three weeks.

72 hours - Maximum notification window under both EU AI Act Article 73 and GDPR Article 33 for serious AI incidents and personal data breaches

20 pagesDavid ChenApr 18, 2026

Download Free

Reporting TemplatePDF Report Template

Board AI Risk Reporting Template

A structured board reporting template with 48 items across 8 sections for presenting AI risk posture to directors and executives. Includes executive dashboard structure, risk scoring visualisation, compliance status tracking, incident reporting cadence, ROI metrics, peer benchmarking, and quarterly workflow guidance aligned to NIST AI RMF, EU AI Act, ISO/IEC 42001, and SOX requirements.

HIPAAFDAOIGOCC/SR 11-7

82% of enterprise boards now expect quarterly AI risk reporting, yet only 34% of CISOs currently provide structured AI-specific board reports - this template closes the gap with a ready-to-use framework covering dashboard design, risk scoring visualisation, and compliance status tracking that directors can actually interpret.

Board members spend an average of 4.3 hours per meeting reviewing materials, with risk and compliance topics competing against strategy and financial performance. This template condenses AI risk posture into a scannable executive dashboard with traffic-light scoring, trend arrows, and exception-based narrative - designed to communicate risk in under 8 minutes of board time.

82% - of enterprise boards now expect quarterly AI risk reports, yet only 34% of CISOs currently deliver structured AI-specific board reporting (Gartner 2025 Board of Directors Survey)

16 pagesDavid ChenApr 18, 2026

Download Free

ChecklistPDF Checklist

ISO 42001 Gap Analysis Checklist

A 56-control gap analysis checklist for ISO/IEC 42001:2023 AI Management Systems covering all normative clauses (4-10) plus Annex A controls. Designed for organisations preparing for AIMS certification, this checklist provides clause-by-clause conformity assessment, certification readiness scoring, remediation priority planning, and Stage 1/Stage 2 audit preparation guidance - mapped to specific sub-clauses and Annex A control objectives throughout.

ISO 42001ISO 27001HIPAASOC 2

ISO/IEC 42001:2023 is the world's first international standard for AI Management Systems (AIMS), and certification demand has grown 312% year-over-year as enterprises seek a recognised framework to demonstrate responsible AI governance to regulators, customers, and partners.

Organisations that conduct a structured gap analysis before engaging a certification body reduce their average time-to-certification by 40% - from 14 months down to 8-9 months - by identifying and remediating non-conformities before the Stage 1 audit.

312% - year-over-year increase in ISO 42001 certification enquiries reported by major certification bodies, as enterprises seek independently audited assurance of AI governance maturity

22 pagesDavid ChenApr 18, 2026

Download Free

Build a Complete AI Governance Programme

These templates are the foundation. See how Areebi automates policy enforcement, real-time DLP, and compliance reporting across your entire organisation.

Book a Demo Take the Free AI Risk Assessment