Drel vs. spreadsheets, Confluence pages, and email approvals
Most AI Committees run on Excel, Confluence and email. Here is an honest account of when that is fine, where it breaks under audit, and what Drel changes about each section of the workflow.
The real incumbent is not another tool. It is a stack: a risk register in Excel, a review template in Confluence, a slide deck for the committee meeting, a chain of email approvals, and a SharePoint folder for evidence. Roughly every AI Committee we talk to is running some version of this.
We are going to start by saying the unpopular thing.
For a small number of low-stakes AI features reviewed by a stable team that meets often, the spreadsheet-plus-Confluence stack works. The problem is that AI features are not small, the stakes are not low, and the teams are not stable for long.
Where the spreadsheet stack breaks
The break points are predictable. They show up at the same five places every time:
- The artifact is not a single document. The decision is in Confluence, the controls are in a spreadsheet, the evidence is in SharePoint, the sign-offs are in an email thread. When the regulator asks “why was this approved”, the answer requires four logins.
- There is no version of the decision. The Confluence page edits in place. The risk register in Excel is the file that someone renamed risk_register_v4_FINAL_actual.xlsx. There is no diff between the disposition that was signed and the disposition that was lived with.
- Re-assessment triggers are not encoded. The model changed two sprints ago. The tools list grew by three. Nobody re-opened the disposition because nothing in the spreadsheet said “wake up when these things change”.
- Controls live without verification methods. A cell that says “Implemented” is a trust-me. A cell that says “Verified via output-of-named-artifact attached to change-set CS-014” is a control. Spreadsheets drift toward the first.
- The framework mapping is done by hand, late. When procurement asks for ISO 42001 evidence or an AI Act Article 9 risk-management table, someone spends a week pasting cells. The framework view is a deliverable, not a side effect.
The honest comparison
Most of the time, the spreadsheet stack does the thing — it is the audit and long-tail-of-changes parts that fall over. This table tries to be honest about which is which.
| Capability | Drel | Spreadsheets + Confluence + email |
|---|---|---|
| Capture a decision once | One Risk Disposition memo per assessed system, with enum decision states (proceed / conditional / restricted pilot / hold / decline). | Possible — usually a Confluence page with a paragraph that reads 'approved with conditions'. |
| Encode required controls with owners and deadlines | Controls grouped by lifecycle gate (before-pilot, before-production, ongoing). Each row has role owner, deadline, status, framework tag, verification method. | Possible in a spreadsheet, until the spreadsheet outgrows the template and people stop filling rows in the same way. |
| Diff between two versions of a decision | Change sets between case versions. Each change set carries materiality, risk-impact, and 'does the previous disposition still hold?' as a structured field. | Comparing two .xlsx files. Effectively never done. |
| Re-assessment triggers | Typed triggers (model change, tool added, autonomy increase, vendor change, scope change) live on the disposition. Firing a trigger is a structured event. | Implicit. Usually surfaces as a Slack message saying 'should we re-review this?' |
| Evidence linkage | Each control points to evidence items by id. Evidence has explicit state (verified / explicit / inferred / assumed / missing). | A SharePoint folder. Filenames as the contract. |
| Framework mapping (ISO 42001, EU AI Act, OWASP Agentic Top 10, NIST AI RMF) | Controls carry framework tags. Coverage matrix is generated, not pasted. | Hand-built tables when procurement asks. Usually a week of work per framework. |
| Sign-off log | Role-based (Sec Arch, AI Gov, DPO, Business Owner, CISO delegate) with status, signer, date, comment. | An email thread. The auditor has to chase it. |
| Audit pack as a single bundle | Disposition memo + source artifacts + change sets + evidence, exportable. | Three systems and a folder. |
| Cost of running the process. We are not going to pretend our cost is lower than free. It is more honest to compare the time cost. | From $500/year (Plus annual). No per-seat for committee reviewers. | $0 in license cost, real in time cost — usually 1–2 days of preparation per committee meeting. |
When you should not switch
Some signals tell us the spreadsheet stack is still the right answer:
- You review one or two AI features a year, total.
- The team that does the review is the team that ships, debugs and operates the system.
- You have no procurement, audit or regulator counterparty asking for evidence.
- You are confident the systems will not change after sign-off.
If three of these are true, please do not buy Drel. The tax of moving a working process into a tool you do not need is real, and we would rather you came back in a year when the volume has grown.
What a switch actually looks like
We do not ask anyone to throw away the spreadsheet. The pattern that works is: pick one assessment in flight, run it on Drel in parallel for two weeks, and compare the artifact that comes out the other end. If the disposition memo is materially better than the Confluence page would have been, you have evidence to migrate the next one. If it is not, you have not lost the existing process.
The Drel Evaluation tier includes 3 full AI Security Reviews — no credit card required. That is enough to run the comparison on real systems.
Run one assessment in Drel
Bring one AI system you are currently reviewing. We will help you set it up, generate the disposition, and you decide whether the output beats your current process.
A note on scope: Drel reviews assessed systems against documented architecture, configuration and intent. It does not ingest live telemetry from production environments. Dispositions reflect the assessed system at the time of review and the re-assessment triggers that govern when the disposition must be revisited.