12 free templates for AI security review.
Practical spreadsheets for security architects, AI governance leads, AppSec teams, and GRC owners. Each template includes lifecycle gates, evidence requirements, and a worked example.
End-to-end review workflow — from system intake to disposition and sign-off.
AI Go-Live Security Checklist
Pre-production checklist with 20 checks across four lifecycle stages (pre-pilot, restricted pilot, production readiness, production) and seven categories. Pass / Fail / Conditional outcomes with named owners.
AI Risk Disposition Memo Template
Seven-section memo template for the AI Committee disposition: decision, rationale, controls per gate, residual risk acceptance (named acceptor), evidence gaps, re-assessment triggers (named owner), sign-off log. Includes a Copilot Studio worked example.
Vendor AI Security Questionnaire
20-question adversarial questionnaire across architecture, data, model, access, incident, sub-processor, and re-assessment. Each question paired with required evidence and a follow-up if the vendor declines.
Controls and checklists mapped to specific AI architecture patterns.
RAG Security Checklist
24 controls across the four RAG attack surfaces: ingestion, vector store, retriever, prompt assembly, and output. Lifecycle gates and evidence requirements. Includes how-to guide and working tracker columns.
MCP Security Review Checklist
28 controls for Model Context Protocol deployments: transport, tool surface, descriptor trust, scoped authorisation, audit, and lifecycle triggers. Includes how-to guide and working tracker columns.
Agentic AI Risk Register Template
Risk register pre-populated with OWASP Agentic Top 10 rows, attack paths, controls applied, residual risk, and a named acceptor for each accepted risk. Includes two system-specific example risks (vendor model change, regulatory exposure).
OWASP Agentic Top 10 — Control Map
44 controls mapped to the OWASP Agentic Top 10. Each row includes the required control, lifecycle gate, evidence required, and cross-framework tags. Includes a how-to guide tab and working columns for status, owner, and gap tracking.
OWASP LLM Top 10 — Control Map
40 controls mapped to the OWASP Top 10 for LLM Applications (2025). Each row includes the required control, lifecycle gate, evidence required, and cross-framework tags. Includes a how-to guide and working tracker columns.
Framework alignment, inventory, and committee operating models.
ISO 42001 AI System Readiness Tracker
Map ISO 42001 clauses to controls, lifecycle gates, and evidence requirements for a single AI system. Includes a how-to guide, working columns for status and gap tracking, and a worked example for an internal RAG assistant.
EU AI Act AI System Inventory Template
EU AI Act-aligned AI system inventory with classification, lifecycle stage, conformity route, and an Article 9 risk cycle log. Includes five worked-example systems covering high-risk Annex III categories and not-high-risk deployments.
AI Committee Charter Template
Eight-section charter for an AI Governance Committee: purpose, scope, named voting roles, quorum, cadence, decision authority, veto rights, escalation paths, records retention. Real role definitions, not generic ToR.
Blog
Deeper context on the frameworks behind these templates.
The blog covers the reasoning behind ISO 42001 evidence, OWASP Agentic controls, EU AI Act classification, and AI security review methodology.