AI Insider Risk Checklist
An AI insider risk checklist reviews how employees, contractors, developers, and business users may expose sensitive information through AI tools, copilots, model training, plugins, agents, or unmanaged AI workflows.
Primary Audience & Scope
AI governance, Security, Privacy, Legal, data owners, business units
When to Use
- •Building or reviewing the related program activity.
- •Preparing a repeatable workflow.
- •Creating site-downloadable working content.
Interactive Work Area
Fill or track items interactively and copy out to your Clipboard
Template Table Structure
| Field | Working prompt | Template field | Reader input |
|---|---|---|---|
| Resource owner | — | Review date | — |
| Scope | — | Relevant system/data/process | — |
| Business owner | — | Control or procedure link | — |
| Evidence location | — | Action owner | — |
| Status | Not started / in progress / complete / exception | — | — |
Checklist Audit List
Approved AI tool and owner recorded.
Use case and business purpose documented.
Data types reviewed for customer, employee, regulated, source code, trade secret, confidential, privileged, and export-controlled data.
Input, upload, connector, and retrieval permissions reviewed.
Retention, training, logging, and vendor terms reviewed.
DLP/classification/browser controls considered.
Legal/privacy/data owner approval recorded.
User training and exception process defined.
What Completion Looks Like
- 1Required inputs complete.
- 2Action owners assigned.
- 3Evidence retained.
- 4Related risk/control/procedure linked.
- 5Review cadence established.
Insider Risk Capability Framework™ (IRCF™) Alignment
Operationalize This Template in RiskTKO®
Use RiskTKO® or request ITMG® support to adapt this template, align it to the Insider Risk Capability Framework™, and connect the output to measurable exposure reduction. Shadow AI Discovery Checklist