Free resource: Spreadsheet

AI Risk Disposition Memo Template

The artefact an AI Committee signs. Seven sections covering the decision, the rationale, the required controls, the residual risks accepted (with named acceptors), the evidence gaps, the re-assessment triggers (with named owners), and the sign-off log. One to three pages, structured to be defensible in an audit.

7 memo sections
5 clearance states
1 worked example
1 page (signable)


Excel format (.xlsx). Opens in Excel, Google Sheets, or any spreadsheet tool. Includes a full worked example for a Copilot Studio procurement agent. You'll also receive new blog posts when they publish.

Free. No credit card.

Also available as PDF template — pre-filled with the worked example, ready to print or sign.

Who it's for

AI Committee members, AI governance leads, CISOs, and DPOs producing the structured disposition record for an AI system going to pilot or production.

Use it per system — one memo per AI system per review cycle. This is the artefact the AI Committee signs. The AI Security Review Template provides the underlying evidence trail.

How to use it

  1. Fill in §1 Decision first — the decision is one of five states: proceed / conditional / restricted_pilot_only / hold / decline.
  2. Complete §2 Rationale — what the system does, why this decision, what changes before production.
  3. List required controls per lifecycle gate in §3.
  4. Name the acceptor for each residual risk in §4 — not 'the team'.
  5. List evidence gaps with owner and target date in §5.
  6. Name the owner for each re-assessment trigger in §6.
  7. Obtain named sign-offs from each decision authority in §7.

What's in the file

One memo per AI system. The structure forces explicit answers in every section — incomplete sections weaken the disposition's defensibility.

Section                        | Contents
§1 Decision                    | System name, ID, disposition (proceed / conditional / restricted pilot / hold / decline), decision date, next review date
§2 Rationale                   | What the system does, why this decision, what changes between pilot and production
§3 Required Controls           | Controls per lifecycle gate: before pilot (completed), before production (planned), ongoing (operating)
§4 Residual Risk Acceptance    | Each accepted residual risk with named acceptor and rationale
§5 Evidence Gaps               | Each gap with control ID, owner, target date, status
§6 Re-assessment Triggers      | Each trigger with named owner — not 'engineering'
§7 Sign-off Log                | Named individuals from each decision authority with signature and date fields

From memo to automated dossier

This memo is what Drel produces

This template structures the disposition manually. Drel generates the same artifact automatically — building the system model, running the threat analysis, mapping controls to evidence gaps, and producing a clearance decision your AI Committee can sign off on.

Frequently asked questions

Why a memo instead of a slide deck?
A slide deck summarising 'key risks' has no risk register, no control plan, no evidence gap list, no clearance decision with scope. It cannot be defended in an audit. It cannot be referenced in a DPA. The memo is the structured artefact with explicit scope, dated decision, and named accountability.
What are the five clearance states?
Proceed (unconditional approval), Conditional (approval with named conditions that must be met before production), Restricted Pilot Only (approved for limited deployment with re-review), Hold (more work required before any deployment), Decline (do not deploy). Most production-grade systems first receive Conditional clearance.
What does 'named acceptor' mean for residual risk?
Each accepted residual risk has an individual or role named as accountable. Not 'the team', not 'IT', not 'we accept'. A named acceptor means: if the risk is realised, this is the person who will be asked why it was accepted, and who has the authority to have made that acceptance.
What does 'named owner' mean for re-assessment triggers?
Each trigger has an individual or role who monitors for that trigger and initiates re-assessment when it fires. 'Engineering' is too broad; 'Engineering Director' or 'AI Governance Officer' is specific enough to be operational.
How does this support ISO 42001 and EU AI Act evidence?
The disposition memo is the per-system operational record at ISO 42001 clause 8.5 and supports the Article 9 risk record evidence chain under the EU AI Act for high-risk systems. The sign-off log is the audit trail.
How is this different from a risk register?
A risk register lists risks. A disposition memo records the decision the AI Committee took about the system in light of those risks. Use the AI Security Review Template's risk register sheet for the underlying risk work, and this memo as the signable output.