13 free templates for AI security review.
Practical spreadsheets for security architects, AI governance leads, AppSec teams, and GRC owners. Each template includes lifecycle gates, evidence requirements, and a worked example.
End-to-end review workflow — from system intake to disposition and sign-off.
AI Go-Live Security Checklist
Pre-production checklist with 20 checks across four lifecycle stages (pre-pilot, restricted pilot, production readiness, production) and seven categories. Pass / Fail / Conditional outcomes with named owners.
AI Risk Disposition Memo Template
Seven-section memo template for the AI Committee disposition: decision, rationale, controls per gate, residual risk acceptance (named acceptor), evidence gaps, re-assessment triggers (named owner), sign-off log. With Copilot Studio worked example.
Vendor AI Security Questionnaire
20-question adversarial questionnaire across architecture, data, model, access, incident, sub-processor, and re-assessment. Each question paired with required evidence and a follow-up if the vendor declines.
Controls and checklists mapped to specific AI architecture patterns.
RAG Security Checklist
24 controls across the four RAG attack surfaces: ingestion, vector store, retriever, prompt assembly, and output. Lifecycle gates and evidence requirements. Includes how-to guide and working tracker columns.
MCP Security Review Checklist
28 controls for Model Context Protocol deployments: transport, tool surface, descriptor trust, scoped authorisation, audit, and lifecycle triggers. Includes how-to guide and working tracker columns.
Agentic AI Risk Register Template
Risk register pre-populated with OWASP Agentic Top 10 rows, attack paths, controls applied, residual risk, and a named acceptor for each accepted risk. Includes two system-specific example risks (vendor model change, regulatory exposure).
OWASP Agentic Top 10 — Control Map
44 controls mapped to the OWASP Agentic Top 10. Each row includes the required control, lifecycle gate, evidence required, and cross-framework tags. Includes a how-to guide tab and working columns for status, owner, and gap tracking.
OWASP LLM Top 10 — Control Map
40 controls mapped to the OWASP Top 10 for LLM Applications (2025). Each row includes the required control, lifecycle gate, evidence required, and cross-framework tags. Includes a how-to guide and working tracker columns.
Framework alignment, inventory, and committee operating models.
ISO 42001 AI System Readiness Tracker
Map ISO 42001 clauses to controls, lifecycle gates, and evidence requirements for a single AI system. Includes a how-to guide, working columns for status and gap tracking, and a worked example for an internal RAG assistant.
EU AI Act AI System Inventory Template
EU AI Act-aligned AI system inventory with classification, lifecycle stage, conformity route, and an Article 9 risk cycle log. Includes five worked-example systems covering high-risk Annex III categories and not-high-risk deployments.
AI Committee Charter Template
Eight-section charter for an AI Governance Committee: purpose, scope, named voting roles, quorum, cadence, decision authority, veto rights, escalation paths, records retention. Real role definitions, not generic ToR.
Blog
Deeper context on the frameworks behind these templates.
The blog covers the reasoning behind ISO 42001 evidence, OWASP Agentic controls, EU AI Act classification, and AI security review methodology.
Frequently asked
Frequently asked questions
- Are these templates really free?
- Yes. Enter your work email to download. You get the file immediately and will receive new posts from the blog when they publish. No paid plan required.
- What format are the templates?
- All templates are Excel spreadsheets (.xlsx). They open in Microsoft Excel, Google Sheets, Apple Numbers, or any spreadsheet tool. Each file includes a how-to guide tab and working columns for status, owner, and gap tracking.
- Do the templates work on their own, without Drel?
- Yes. They are fully standalone. Drel can automate the underlying security review that generates the same artefacts, but the spreadsheets work independently as manual tracking tools. Teams use them for pre-review work, committee submissions, and audit evidence.
- Which template should I start with?
- Start with the AI Security Review Template — it is the master workflow document and references the other templates. If your immediate need is a specific framework (OWASP LLM, ISO 42001, EU AI Act), go directly to that template.
- Do these satisfy ISO 42001 or EU AI Act requirements?
- They support the evidence requirements — the templates map to specific clauses and articles. Satisfying the requirements is a combination of completing the templates accurately, having legal and compliance review, and (for ISO 42001 certification) engaging an accredited certification body.
- How often should I update the templates?
- Per system and per re-assessment trigger. When the system changes (new model, new tool, scope expansion, vendor change), re-run the relevant template. Most organisations do a quarterly review pass on live AI systems.