AI Governance Checklist (2026)
Use this as a quarterly pass (monthly if you are in a regulated space). Each item is a yes/no with an owner.
Inventory and visibility
- We maintain a list of AI tools in active use (approved and shadow).
- Each tool has a named business owner (not only IT).
- We know where data is processed for each vendor (region, and subprocessors at a high level).
Policy and people
- A written policy covers approved tools, data do-not-paste rules, and human review for high-risk work.
- New hires see the policy in onboarding (link + acknowledgment).
- Managers know how to escalate incidents (wrong paste, leaked prompt, bad output shipped).
Technical basics
- SSO or central billing exists for primary assistants where possible.
- Secrets are blocked from being pasted into unapproved tools (process + optional tooling).
- We reviewed default sharing settings (link sharing, training opt-out if vendor offers it).
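The "optional tooling" behind the secrets item above is, at its simplest, a check that runs over text before it leaves for an unapproved tool and blocks the paste when it finds a known secret shape. The example below is added here and is not from the checklist's author; it assumes three constructed patterns (an AWS access key ID shape, a PEM private-key header, and a generic `api_key=`/`token=` assignment) and a constructed sample paste. A real deployment would replace the pattern list with a maintained secret-scanning ruleset.

```python
import re

# Constructed starter patterns for a few well-known secret shapes (assumption:
# an organisation would extend this from its own inventory of key formats).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    # name = value / name: value, where the value is at least 16 token chars;
    # short values such as a placeholder password are deliberately not flagged.
    "generic_api_key_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{16,})"
    ),
}


def mask(value, keep=4):
    """Keep a short prefix so a finding is recognisable without logging the secret."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def find_secrets(text):
    """Return [(pattern_name, line_number, masked_match)] for every hit in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((name, lineno, mask(match.group(0))))
    return findings


def paste_allowed(text, tool_approved):
    """Policy decision: approved tools pass; unapproved tools are blocked on any finding.

    Returns (allowed, findings) so the caller can both block and report.
    """
    if tool_approved:
        return True, []
    hits = find_secrets(text)
    return len(hits) == 0, hits


# Constructed sample paste: one real-shaped AWS example key (the public AWS
# documentation example), a short password that should not trigger, a long
# API key assignment, and a private-key header.
SAMPLE_PASTE = """Can you help me debug this config?
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
db_password: hunter2
API_KEY="sk_test_0123456789abcdef0123"
-----BEGIN RSA PRIVATE KEY-----
MIIEow...
"""

if __name__ == "__main__":
    allowed, hits = paste_allowed(SAMPLE_PASTE, tool_approved=False)
    print("allowed:", allowed)
    for name, lineno, masked in hits:
        print(f"  line {lineno}: {name} -> {masked}")
```

The check reports masked matches only, so the incident record it produces does not itself become a second copy of the secret. Pattern matching is a safety net for the "process" half of the item, not a replacement for it: short or unusual secrets (the `hunter2` line) pass through, which is why the policy and the approved-tool list stay the primary control.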
Vendors and procurement
- New AI vendors go through the same procurement / security path as other SaaS.
- Contracts mention data use for model training where relevant.
Review cadence
- Monthly: scan for new shadow tools; review top incidents.
- Quarterly: update policy and approved list; rerun checklist.
- After any incident: root cause and one concrete control change.
Small teams win by keeping the checklist short and finishing it, not by adding rows you will never maintain.