A comprehensive 47-point checklist across 9 security domains to help CISOs build a board-ready AI governance policy. Covers acceptable use, data classification, shadow AI, vendor assessment, compliance mapping, incident response, and more.
A 47-point checklist covering 9 security domains that helps CISOs build board-ready AI governance policies. Maps controls to HIPAA, SOC 2, GDPR, EU AI Act, and NIST AI RMF.
A complete AI security policy requires coverage across 9 critical domains: acceptable use, data classification, shadow AI control, vendor assessment, compliance mapping, incident response, board reporting, employee training, and ongoing monitoring - most organisations cover fewer than 3.
78% of enterprises use AI without formal governance policies, and organisations without AI security controls pay $1.76 million more per breach, according to IBM's 2024 Cost of a Data Breach report - making AI policy development one of the highest-ROI security investments available.
This 47-point checklist maps controls directly to HIPAA, SOC 2, GDPR, EU AI Act, and NIST AI RMF - enabling CISOs to demonstrate compliance readiness across multiple frameworks from a single policy document rather than maintaining separate controls for each regulation.
Shadow AI is the single largest unmanaged risk in enterprise AI today, with 49-60% of employees using unsanctioned tools. This checklist includes a complete discovery and remediation playbook covering browser-level monitoring, DNS controls, SaaS auditing, and safe harbour reporting.
The checklist is designed for quarterly review cadence with audit-ready documentation guidance, ensuring your AI governance programme stays current as the regulatory landscape evolves - particularly critical with EU AI Act enforcement and emerging state-level AI laws like the Colorado AI Act.
47 actionable controls across 9 security domains to build a board-ready AI governance policy for your organisation.
Build a board-ready AI governance policy and demonstrate risk reduction to executive leadership
Map AI controls to HIPAA, SOC 2, GDPR, EU AI Act, and NIST AI RMF in a single document
Operationalise shadow AI controls and AI-specific incident response procedures
Establish audit-ready documentation and quarterly review cadence for AI governance
Define approved AI tools, data classification tiers, and vendor assessment criteria for engineering teams
Sections 2 and 5 map directly to HIPAA requirements for AI systems processing PHI, including BAA coverage, minimum necessary access controls, and automated DPIA requirements.
Sections 4 and 5 address SOC 2 Trust Services Criteria applied to AI systems, plus vendor assessment criteria critical for PCI-DSS and DORA compliance in AI-augmented financial workflows.
Sections 1 and 2 establish data classification and acceptable use boundaries essential for law firms handling confidential client data with AI tools, with GDPR DPIA and EU AI Act risk-tier mapping.
Sections 5 and 7 align to NIST AI RMF Govern, Map, Measure, and Manage functions, with board reporting frameworks suitable for government contractor compliance and FedRAMP-aligned deployments.
Define the boundaries of AI usage across your organisation. Establish what tools are sanctioned, what data can be processed, and what activities are prohibited.
Classify and control data flows to AI systems. Ensure sensitive data is identified, labelled, and protected before it reaches any AI model.
Identify and manage unauthorised AI usage across your organisation. Shadow AI is the single largest unmanaged risk in enterprise AI - 49-60% of employees use unsanctioned tools.
Evaluate AI vendors against security, privacy, and compliance criteria before onboarding. Every AI provider your organisation uses extends your attack surface.
Map your AI governance controls to the regulatory frameworks that apply to your organisation. Proactive compliance mapping reduces audit remediation costs by $50-200K.
Prepare for AI-specific security incidents including data leakage through prompts, model manipulation, and compliance violations. AI incidents require different response playbooks than traditional security events.
Provide board-level visibility into AI governance posture. CISOs are increasingly expected to report on AI risk alongside traditional cybersecurity metrics.
Build a security-aware AI culture across your organisation. Training reduces the risk of accidental data exposure and ensures policy compliance at the point of use.
Establish continuous monitoring and regular review cycles to keep your AI governance programme current. The AI regulatory landscape evolves rapidly - quarterly reviews are the minimum standard.
Build a complete AI governance programme with these complementary templates.
A ready-to-customise 52-provision AI acceptable use policy template covering 8 policy domains. Built for CISOs and compliance teams who need a professional, board-ready policy document that employees actually understand and follow. Maps to HIPAA, SOC 2, GDPR, EU AI Act, ISO 42001, and NIST AI RMF.
A structured 48-item risk register across 8 risk domains with a 5x5 scoring matrix to help CISOs identify, assess, treat, and track AI-specific risks. Covers data privacy, model reliability, bias, security, compliance, operational, and reputational risk categories with board-ready reporting dashboards.
A 20-page AI incident response plan template with 56 controls across 9 response phases - from detection through post-incident review. Covers severity classification for prompt injection, data leakage, model poisoning, hallucination harm, and bias incidents. Includes regulatory notification timelines for GDPR (72h), EU AI Act Art. 73 (72h), and HIPAA (60 days), plus a complete RACI matrix and communication protocols for AI-specific security incidents.
Shadow AI is the use of unauthorised AI tools by employees without IT oversight. Learn how to detect, prevent, and govern shadow AI across your enterprise - without blocking productivity.
The EU AI Act creates binding obligations for AI systems in the European market. This guide covers risk tiers, compliance timelines, documentation requirements, and practical steps for mid-market companies.
A step-by-step framework for creating an AI governance program in a mid-market organization. Covers stakeholder alignment, policy development, tool selection, deployment, compliance mapping, and measurement with a 90-day implementation timeline.
“This framework saved us 3 months of policy development. We went from zero AI governance to audit-ready in under 2 weeks.”
— Security Leader, Mid-Market Healthcare Organisation
Need more than a checklist?
See how Areebi automates and enforces every control in this checklist across your entire organisation.
The checklist tells you what to do. Areebi does it for you - automated DLP, audit logging, policy enforcement, and compliance reporting across every AI interaction.