These are faithful structural previews of what each live tool produces — real section headings, real table shapes, real drafting style. The specific content in your generated document will reflect the jurisdiction, industry, staff size, and risk appetite you provide.
A 10-section AI usage policy with regulation citations tailored to your jurisdiction and industry.
AI Usage Policy
Draft — for review by in-house practitioners
Table of Contents
Plus front-matter and supplementary sections
Staff may use approved generative AI tools (listed in Schedule A — Approved AI Tools) to assist with drafting, summarisation, code generation, and research, subject to the data-handling rules in Section 7. AI-assisted code review under EU AI Act Art. 14 (human oversight) requires a named reviewer to evaluate any output that materially influences a customer-facing decision. AI used in clinical decision support is additionally subject to EU MDR Art. 15 (PRRC) and the additional clauses set out in Supplementary D.
(Sample extract — the live document runs ~30 pages, each section drafted with jurisdiction-specific article references and anti-hallucination guards drawn from the regulatory data layer.)
A pre-scored register of AI risks mapped to your sector, with likelihood, impact, mitigations, and owners.
Sheet 1 — Risk Register
| ID | Risk | Likelihood | Impact | Score | Rating |
|---|---|---|---|---|---|
| R-001 | Prompt injection in GitHub Copilot-generated code | High (4) | Critical (5) | 20 | Critical |
| R-002 | Cross-border data transfer to OpenAI without valid mechanism | High (4) | Critical (5) | 20 | Critical |
| R-003 | Microsoft Copilot grounding oversharing via SharePoint / Teams | High (4) | High (4) | 16 | High |
| R-004 | ChatGPT training-data opt-out and retention uncertainty | High (4) | High (4) | 16 | High |
| R-005 | Microsoft Copilot Data Processing Agreement gaps | Medium (3) | High (4) | 12 | High |
(Sample extract — the live 14-column register also includes Category, NIST AI RMF function, Regulatory Reference (with specific articles + anti-hallucination guards), Risk Owner, Control Gaps, Recommended Mitigations, and Review Frequency. The rows above are drawn from a real, lawyer-validated UAE / technology generation.)
Plain-language staff guidelines with golden rules, data-handling rules, and an escalation process — plus two Excel companions auto-downloaded alongside.
Employee AI Guidelines
Golden rules
01. Never paste patient names, dates of birth, medical record numbers, diagnoses, treatments, or any identifier listed under HIPAA Safe Harbor into ChatGPT, Microsoft Copilot, GitHub Copilot, or any AI tool the organisation has not formally approved with a Business Associate Agreement (BAA).
02. AI tools — including the ones we approve — generate plausible-looking content that can contain factual errors, fabricated citations, hallucinated medication dosages, or outdated clinical guidance. Treat AI output as a draft for your review, never as a source of truth for clinical or compliance decisions.
03. If an AI tool produces output that you believe is discriminatory, contains a privacy breach, gives unsafe clinical guidance, or materially misleads a patient or colleague, stop using the tool for that task and report to the named AI Incident Owner via the channels listed in Section 8 within 24 hours.
(Sample extract — the full document contains 8–10 golden rules, a multi-row data-handling guide, a printable wallet card, and an incident-reporting flow.)
A 30-question scored assessment across six weighted categories, aligned to ISO/IEC 42001 or NIST AI RMF, with auto-summed totals and Pass / Conditional / Reject thresholds — plus a procurement-readiness checklist companion.
Sheet 1 — Scored Assessment
30 questions across 6 weighted categories — aligned to ISO/IEC 42001 or NIST AI RMF (your choice).
Categories & weights
Sample question rows
| ID | Question | Regulatory call-out |
|---|---|---|
| A-01 | Does the vendor have a current Data Processing Agreement (DPA) covering all categories of personal data the AI service processes? | GDPR Art. 28 |
| A-04 | Does the vendor disclose all sub-processors and notify the customer of changes at least 30 days before processing begins? | GDPR Art. 28(2) |
| B-02 | Does the vendor publish model card(s) or system documentation covering training data sources, evaluation methods, and known limitations? | EU AI Act Art. 13 (provider→deployer) |
| D-03 | Does the vendor maintain a system for incident reporting that meets the 72-hour personal-data-breach notification window? | GDPR Art. 33 |
| E-05 | Does the vendor hold a current SOC 2 Type II or ISO/IEC 27001 attestation, with the report or certificate available on request? | ISO/IEC 27001:2022 |
(Sample extract — the live workbook scores each question 0 / 1 / 2, auto-sums the weighted category totals, and renders a Pass / Conditional / Reject threshold for the overall percentage. The Evidence Request List sits as a dedicated tab inside the same workbook; a one-page Executive Summary .docx and a Procurement Checklist .xlsx download alongside.)
Per-framework gap analysis (EU AI Act / NIST AI RMF / ISO 42001) driven by your self-assessment intake, with an action plan, heat map, 3-phase timeline, and a live Dashboard with native radar + doughnut charts.
Sheet 1 — EU AI Act Gap Analysis
Per-framework gap tables driven by your customer self-assessment intake. EU AI Act / NIST AI RMF / ISO 42001 — your choice.
| ID | Obligation | Customer answer | Gap |
|---|---|---|---|
| EU.1 | AI literacy programme for all staff (Art. 4) | Partial | Medium |
| EU.4 | Risk management system for high-risk AI systems (Art. 9) | No | High |
| EU.5 | Data governance + dataset quality controls (Art. 10) | Partial | Medium |
| EU.7 | Human oversight measures (Art. 14) | Yes | None |
| EU.10 | Incident reporting to national supervisory authority (Art. 73) | No | High |
(Sample extract — the live workbook contains per-framework gap sheets (EU AI Act / NIST AI RMF / ISO 42001), an Action Plan with phase-banded priorities, a 10-domain Heat Map, a 3-phase implementation Timeline with jurisdiction-specific deadlines, and a live Dashboard with native radar + doughnut charts that auto-refresh as you mark gaps Done. A one-page Executive Summary .docx pairs with the workbook for board sign-off.)
A 9-sheet bias-audit framework: risk classification, 34-item audit checklist, fairness testing protocol, RACI, monitoring + remediation, and a live Dashboard.
Sheet 2 — 34-Item Audit Checklist
| ID | Phase | Item | Status |
|---|---|---|---|
| A.02 | Scoping | Documented bias-risk profile for the AI system, signed off by accountable owner | Compliant |
| B.04 | Testing | Disparate-impact ratio computed across protected attributes (race, gender, age, disability) | Action needed |
| C.03 | Governance | Bias-incident escalation path documented and exercised at least annually | Critical gap |
| D.02 | Sector-specific | Healthcare: clinical-equity test data covers all major demographic subgroups | Verify |
(Sample extract — the live 9-sheet workbook covers Risk Classification + 34-Item Audit Checklist + Fairness Testing Protocol + Roles & Responsibilities (RACI) + Permitted & Prohibited + Monitoring & Remediation + Action Plan + Readme + Dashboard. The Executive Summary .docx provides a one-page board sign-off cover with the maturity scorecard and top 5 bias risks.)
A 9-sheet incident-response playbook: severity matrix, 6-step response, regulator directory, comms templates, evidence checklist, post-incident review, and a live incident log.
Sheet 1 — Severity Matrix
| Tier | Severity | Example trigger | Response window |
|---|---|---|---|
| P1 | Critical | Personal data breach (>1,000 individuals); ICO 72h clock starts | Immediate |
| P2 | High | Regulator complaint; sustained AI hallucination affecting customer decisions | < 4h |
| P3 | Medium | Internal AI misuse; non-public data quality incident | < 24h |
| P4 | Low | Single-user AI output anomaly; documented and tracked | < 5 days |
| P5 | Informational | AI tool deprecation notice; vendor advisory | Logged |
(Sample extract — the live 9-sheet workbook covers Severity Matrix + 6-Step Response Process + Regulator Directory + 12 jurisdiction-aware Comms Templates + Evidence Checklist + Post-Incident Review + Live Incident Log + Readme + Dashboard. The Executive Summary .docx pairs with the workbook for board sign-off; the workbook is the operational instrument the AI Champion runs the response from.)
A board-ready governance programme with org structure, RACI, 90-day roadmap, 12-KPI dashboard, board report, audit calendar, and a live-formula Dashboard with native radar + doughnut charts.
Sheet 4 — KPI Dashboard
| ID | KPI | Baseline | Target | Status |
|---|---|---|---|---|
| K-01 | AI policy adoption rate | 64% | 95% | Amber |
| K-04 | AI-related incident reports / qtr | 0 | <3 | Green |
| K-06 | AI training completion rate | 32% | >90% | Red |
| K-09 | Vendor DPA coverage (%) | 78% | 100% | Amber |
| K-12 | Audit-readiness score (1–5) | 2.1 | 4.0 | Red |
(Sample extract — the live 10-sheet workbook covers Org Structure + RACI Matrix + 90-Day Roadmap + 12-KPI Dashboard + Board Report + Audit Calendar + AI Tool Register + Intake Answers + Readme + a live-formula Dashboard with native Excel radar + doughnut. A 7-slide PowerPoint board pack (.pptx) and a one-page Executive Summary .docx ship alongside — three artefacts, three jobs, same source of truth.)
A draft Data Processing Agreement covering 12 main clauses + 4 schedules (Particulars / TOMs / Sub-Processors / International Transfer Mechanism) with AI-specific contract terms and a 10-item negotiation checklist.
Data Processing Agreement
Draft — for review by qualified legal counsel before execution
Main Clauses
Schedules
(Sample extract — the live document includes AI-specific contract terms (model card disclosures, training-data warranties, sub-processor change-notice windows, prompt + output-data handling), a 10-item negotiation checklist for procurement, regulator-specific notes (ICO / EDPB / OAIC / PDPC), and qualified-legal-review reminders. Single-format DOCX — no companion XLSX.)
Pick the tool that fits your next compliance milestone. Each generation is a one-time payment — no subscription, no account.