AI Committee Charter Template
A real charter for an AI Governance Committee — not a generic Terms of Reference. Eight sections with named voting roles, quorum rules, veto rights, escalation paths, and records obligations. Adapt the role names to your organisation; the structure is binding.
Excel format (.xlsx). Opens in Excel, Google Sheets, or any spreadsheet tool.
Who it's for
CISOs, CTOs, AI governance leads, DPOs, and legal counsel establishing or formalising an AI Committee for their organisation.
Use it once at the organisation level — not per system. The charter defines how the committee operates; the AI Risk Disposition Memo is what the committee produces for each system it reviews.
How to use it
1. Fill in the named individuals or roles in §3 Membership — avoid 'TBD' on accountable roles.
2. Adapt the cadence and escalation thresholds to your organisation's size and risk appetite.
3. Review §5 Authority carefully — the veto rights and decision threshold are the most consequential clauses.
4. Confirm the escalation paths in §6 with the executive team before adopting.
5. Obtain CEO sign-off in §8 before the charter takes effect.
6. Treat the charter as a living document — review annually and on major organisational change.
What's in the file
Eight sections covering the operational reality of running an AI Committee. Filled-in defaults are starting points — adapt to your organisation.
| Section | Contents |
|---|---|
| §1 Purpose | What the committee governs and where its decisions are binding |
| §2 Scope | Which AI systems are in scope — five concrete criteria |
| §3 Membership | Chair, voting members (CISO, CTO, AI Governance, DPO, Audit), advisors, quorum |
| §4 Cadence | Regular monthly meetings, out-of-cycle reviews, annual charter review |
| §5 Authority | Binding decisions, decision threshold, chair tiebreaker, DPO and CISO veto rights |
| §6 Escalation | From AI Governance, from system owners, from incidents, to executive team |
| §7 Records | Disposition memos, meeting minutes, retention period, audit trail |
| §8 Sign-off | CEO approval, effective date, next review date |
From charter to clearance workflow
Spreadsheets are the starting point
This charter defines how your AI Committee operates. Drel gives that committee something to actually review — a guided AI security review that maps controls to evidence gaps, generates a risk disposition, and produces a dossier ready for sign-off.
Frequently asked questions
- Why is this not just a Terms of Reference template?
- A generic ToR template tells you to fill in 'purpose' and 'membership'. This charter goes further: named role definitions (CISO, CTO, AI Governance Officer, DPO, Internal Audit), explicit quorum rules, named veto rights (DPO on personal data; CISO on critical security), explicit decision authority, concrete escalation triggers (incidents trigger emergency review within 5 business days), and records retention (7 years minimum for dispositions).
- Who should chair the AI Committee?
- The default in the template is the CISO. Some organisations make the Chief Risk Officer or Chief Compliance Officer the chair instead. The criterion: someone with authority across security, technology, data, and risk — not a single technical or business function. Avoid putting the Head of AI as the chair (conflict between building AI and governing it).
- What if my organisation doesn't have a CISO?
- Map the role to its functional equivalent in your organisation (Head of Security, IT Security Lead, etc.). The charter's intent is that the AI Committee includes security accountability, not that the title 'CISO' specifically attends.
- Why do DPO and CISO have veto rights?
- Because they hold accountabilities that are not negotiable by majority vote. A DPO has independent statutory accountability for personal data; if the DPO has unresolved data protection concerns, the system should not proceed. A CISO has accountability for the security posture; if a system has unresolved critical security risks, it should not proceed. Veto rights are bounded — they apply only within each role's accountability domain.
- How often should the charter itself be reviewed?
- Annually as a fixed cadence, and on any major organisational change (acquisition, regulatory change, significant change in AI use). The template names annual review at the last meeting of the calendar year.
- Is this legal advice?
- No. The charter is operational governance tooling. Adopting it should involve your legal team to confirm it fits your organisation's governance structure and statutory obligations.