AI Governance & Acceptable Use Kit
Six editable policy templates for the moment an enterprise prospect, insurer, or auditor asks.
See all
22 items
Stand up AI governance mapped to the NIST AI RMF (Govern/Map/Measure/Manage): a readiness assessment, AI use-case register, maturity scorecard, model cards, and a vendor-questionnaire answer bank, crosswalked to ISO 42001 and the EU AI Act. A tool that won’t bless a high-impact, no-oversight use case. Governance guidance, not legal advice.
Score your AI Management System across the six ISO 42001 clause-groups and find the one blocking certification — the weakest mandatory control decides, never the average. Returns CERTIFIABLE / GAPS TO CLOSE / NOT READY with a mandatory-clause gate and the exact fixer to buy next. A readiness diagnostic, not an ISO 42001 certification or audit; not legal advice.
A living AI risk register that grades its own defensibility. Mark six governance fields per risk (likelihood, impact, treatment, owner, residual, review) and get GOVERNED / GAP / UNGOVERNED per entry and DEFENSIBLE / GAPS TO CLOSE / NOT DEFENSIBLE for the register, with a dispositive accepted-high-residual gate that catches the severe risk nobody owns. A working aid, not a risk assessment or legal advice.
Build and grade one AI system's impact assessment — rated on its worst unmitigated impact, never an average. Score each impact on severity, likelihood, reversibility, and affected-population scale; mitigation reduces it to a residual; MITIGATED / RESIDUAL / UNACCEPTABLE per impact, DEFENDED / GAPS REMAIN / NOT DEFENSIBLE overall, with an irreversible-harm-to-vulnerable-group gate. EU AI Act Art. 27 / ISO 42001 Annex A. A working aid, not legal advice.
Build and grade a model or system card so it informs the reader instead of over-claiming. Mark seven disclosure sections 0-2 for a completeness score, plus a dispositive claim-vs-evidence gate — a card that makes a performance or fairness claim it can't back is forced NOT PUBLISHABLE no matter how complete it looks. DISCLOSED / THIN / MISSING per section, PUBLISHABLE / DRAFT / NOT PUBLISHABLE overall. Model-card norms + EU AI Act Art. 13.
A machine decided about a person — a credit denial, an insurance tier, a tenant score, a benefits cut. Could you show you told them, explained it, and gave them a way to be heard? Grade each automated decision system on six weighted controls (disclosure, meaningful-logic explanation, human appeal, opt-out/correction, scope mapping, recordkeeping) for a 0-100 score and DISCLOSED / GAPS / UNDISCLOSED, with a told-and-recourse gate that forces UNDISCLOSED when the person was never told it was automated, or has no recourse at all — even at 66/100. Date-agnostic (the duties converged; the dates churn) and people-blind — it grades a decision system, never a person. Runnable engine + workbook + Disclosure Mapping & Transparency-Remediation playbooks + a 6-system sample. The everywhere-else sibling to the AEDT Deployer Dossier. Not legal advice.
Find out whether you could defend an automated employment decision tool before a regulator or candidate asks. Mark six weighted compliance controls 0/1/2 (an independent bias audit and pre-use candidate notice are gates) for a 0-100 score — DOSSIER READY / OPEN GAPS / NOT DEFENSIBLE — with a worsen-only two-trigger gate that forces NOT DEFENSIBLE when there's no independent audit (vendor self-attestation doesn't count) or candidates were never notified, even at 76/100. Names the control to close first; rolls a portfolio up to ALL DEPLOYABLE / CONDITIONS OUTSTANDING / PULL FROM USE. Calibrated to the highest-bar US jurisdiction — NYC Local Law 144, Illinois HB 3773, California FEHA. Runnable Python engine + workbook + dossier-assembly & gap-closure playbooks + a 6-tool sample. Full-regulated: a readiness aid that grades the deployer's evidence file, not a bias audit, certification, or safe harbor, and scores no candidate. Not legal advice — confirm your obligations with an employment attorney.
An AI incident starts a regulatory clock you can't see. Rehearse it before it's real: drill each incident scenario on six weighted controls (detection-to-awareness, severity & regime triage, a named clock-starter, regulator contact map, drafting path & register, cross-track coordination) for a 0-100 score and NOTIFIABLE-READY / TIGHTEN / WOULD MISS THE CLOCK, with a dispositive clock-start gate that forces WOULD MISS THE CLOCK when you couldn't establish the clock has started or no one can start it — even at 82/100. Date-agnostic: it grades the process, never a deadline, so it survives every regime change. Runnable engine + workbook + Drill Facilitator & Notification-Readiness playbooks + a 6-scenario sample. The notification-side companion to the AI Incident Postmortem & Readiness Gate. Grades a process, never people. Not legal advice.
If an auditor asked for your AI governance evidence in 90 days, would you pass? Triage seven control domains to an AUDIT-READY / PATCHABLE / WOULD NOT PASS verdict — with a no-owner gate that fails any in-scope control nobody owns, no matter how high the score. Names the one domain to fix first. A readiness self-assessment, not legal advice.
Audit what your AI agents, MCP servers, and OAuth connectors can actually touch. Scores each connector's access risk — least-privilege, over-scoped, or ungoverned — and rolls the fleet up to GOVERNED / DRIFTING / EXPOSED, with a dispositive gate for an unowned connector that can write regulated data. Deterministic, offline, scores connectors not people.
Audit your record of AI usage — not the output itself — for whether each entry is defensible: who generated it, with what tool, when, for what decision, who reviewed it, and where the source is. Returns LOGGED / PARTIAL / NO TRAIL per entry and a TRACEABLE / GAPS / UNRECORDED org rollup, with a structural gate where one untraceable high-impact decision makes the whole org UNRECORDED. Runnable Python auditor + workbook. Record-keeping discipline, not legal advice.
Grade a finished AI-assisted deliverable — memo, report, proposal, case study — claim by claim before it ships. Mark five 0/1/2 signals per claim (citation present, reachable, source actually supports the claim, fabrication-free, internally consistent) weighted to 100, flag which claims are material, and get per-claim SUPPORTED / CHECK / UNSUPPORTED plus a deliverable verdict: DEFENSIBLE / VERIFY FIRST / DO NOT SHIP, with a batch rollup. A keystone gate forces DO NOT SHIP whenever one material claim rests on an unreachable or fabricated citation — so a deliverable can score 89/100 and still be held, because the failure is local and a high average hides it. Names the one claim to fix first. Runnable Python engine + workbook + claim-review & fix-the-citation playbooks + a 9-claim sample. The substance layer beside the Audit-Trail Kit (provenance) and Anti-Slop System (voice). A review aid that grades claims, never people; not an automatic fact-checker; not legal advice.
Triage every customer-facing AI surface — support bot, chat widget, AI product-page copy, FAQ generator — on liability exposure before the next answer goes out. Mark six 0/1/2 control signals per surface (regulated-claim control, policy-invention control, human exit ramp, performance-claim control, source grounding, scope & disclosure) weighted to 100 and get per-surface LOW / REVIEW / HIGH RISK, a set posture, and the highest-risk surface to fix first. A keystone gate forces HIGH RISK whenever a surface can state policy with no grounding AND offers no human escalation — the pattern behind the support-bot liability cases — so a surface with four of six controls green can still gate (the sample scores 58/100 and does). Close either gap and the gate releases. Runnable Python engine + workbook + surface-inventory & control-hardening playbooks + a 4-surface sample. Every HIGH RISK routes to human review, never a clearance. A risk-triage aid that grades the surface's controls, never people; not a live test of your systems; not legal advice.
Before you pass an AI-assisted memo, analysis, or summary to a colleague, gate it. Mark six 0/1/2 signals (sources reachable, figures traced, task advanced, owner edits, claims scoped, next action clear); the verdict is the weakest signal — HAND OFF / REWORK / DO NOT HAND OFF — with a dispositive worsen-only gate that forces DO NOT HAND OFF when a source is unreachable or a figure is untraced, even where the weakest signal alone would only read REWORK. The internal, peer-to-peer lane where 'workslop' spreads. Runnable Python engine + workbook that reproduces it + reviewer & fix-it playbooks + a 6-deliverable sample. Scores the deliverable, never the person; not for hiring or performance decisions; not legal advice.
Register every vendor, AI tool, and sub-processor that touches your data and grade whether each flow is governed — DOCUMENTED / GAP / UNVETTED per flow, REGISTER COMPLETE / GAPS TO CLOSE / NOT DEFENSIBLE per register. The required controls adapt to what the flow carries (a regulated cross-border flow needs a DPA, retention, sub-processors, and a transfer mechanism), and one ungoverned regulated flow (a shadow LLM API seeing PII with no DPA) holds the whole register NOT DEFENSIBLE — 67% documented notwithstanding. The records GDPR Art. 28/30 contemplate. Runnable Python engine + workbook. A working aid, not legal advice.
Keep your AI governance from drifting: a light quarterly rhythm — re-assessment, new-hire training, change-watch updates, and a leadership report — plus refreshed templates while you're subscribed. Runs after the Governance Starter Bundle. A maintenance aid, not legal advice.
Seventy percent of RIAs run an AI meeting notetaker and regulators treat an ungoverned one like an unauthorized texting app. This tripwire grades each tool/deployment on six weighted controls — client consent before capture and human review before notes enter the record are FATAL — for a 0-100 score and DEFENSIBLE / GAPS / NOT DEFENSIBLE per tool, with a worsen-only gate: either fatal control at zero forces NOT DEFENSIBLE no matter the score. The firm rolls up to its worst tool (ALL DEFENSIBLE / GAPS TO CLOSE / STOP AND FIX). Runnable Python engine + workbook + audit & remediation playbooks + a 5-tool sample. Grades the process, never a person; renders no legal ruling and takes no position on whether AI summaries are books-and-records. Not legal advice.
Grade every testimonial, endorsement, and paid promoter under SEC Marketing Rule 206(4)-1. Mark each arrangement on six weighted controls — required disclosures clear & prominent (FATAL) and a written promoter agreement (FATAL only for a compensated, over-de-minimis, non-affiliate promoter) plus compensation/conflicts disclosed, bad-actor screen, claims substantiated/net shown, and ad-copy recordkeeping — for a 0-100 score and COMPLIANT / GAPS / NON-COMPLIANT per arrangement. A conditional worsen-only gate fires exactly where the rule requires it, so an identically-marked de-minimis twin stays COMPLIANT while the compensated one fails. Campaign rolls up to its worst arrangement (ALL COMPLIANT / GAPS TO FIX / PULL OR FIX). Runnable Python engine + workbook + audit & remediation playbooks + a 6-arrangement sample. Grades the arrangement, never a person; renders no legal ruling and confirms no compliance status. Not legal advice.
Would your RIA’s AI use survive an SEC or state exam? A deterministic self-assessment across the six exam-surface domains an examiner probes when a firm uses AI — AI in marketing (20, fatal), books & records for AI outputs (20, fatal), supervision & written policies (18, fatal), vendor AI oversight (16), client disclosure & Form ADV (14), AI communications capture (12) — marked 0/1/2 on your own evidence for a 0-100 score banded EXAM-READY / OPEN FINDINGS / NOT DEFENSIBLE. A dispositive fatal-domain gate forces NOT DEFENSIBLE when any of the three fatal domains is zero, because each draws a deficiency letter on its own — so a firm can score 73 and still be NOT DEFENSIBLE with books-and-records at zero. Portfolio rolls up to the worst branch (ALL EXAM-READY / FINDINGS TO CLOSE / DEFICIENCY LIKELY) with the domain to fix first. Date-agnostic and people-blind. Runnable Python engine + workbook + assessment & remediation playbooks + a 5-firm sample. Grades a firm’s evidence file, renders no legal ruling, scores no person. Not legal advice.
Scrutinize whether a vendor's claimed ISO/IEC 42001 evidence is real, accredited, and actually covers the AI system you're buying. Six 0/1/2 controls, a weakest-link verdict (ACCEPTED / VERIFY FIRST / REJECTED), and a dispositive gate that rejects evidence unconfirmable on both accreditation and scope. One .xlsx, deterministic. ISO does not certify — accredited bodies do; grades the evidence, never people.