Home/BoK/Templates/AI Insider Risk Checklist
Back to Hub
Last Reviewed: 2026-06-25
Reviewer Role: Insider Risk / Legal / Privacy review
Advanced Asset
AI ModuleInteractive Sheet

AI Insider Risk Checklist

An AI insider risk checklist reviews how employees, contractors, developers, and business users may expose sensitive information through AI tools, copilots, model training, plugins, agents, or unmanaged AI workflows.

Primary Audience & Scope

AI governance, Security, Privacy, Legal, data owners, business units

When to Use

  • Building or reviewing the related program activity.
  • Preparing a repeatable workflow.
  • Creating site-downloadable working content.

Interactive Work Area

Fill or track items interactively and copy out to your Clipboard

Template Table Structure

FieldWorking promptTemplate fieldReader input
Resource ownerReview date
ScopeRelevant system/data/process
Business ownerControl or procedure link
Evidence locationAction owner
StatusNot started / in progress / complete / exception

Checklist Audit List

0% Done(0/8)
Check
Checklist item

Approved AI tool and owner recorded.

Evidence: Owner / date / evidence

Use case and business purpose documented.

Evidence: Owner / date / evidence

Data types reviewed for customer, employee, regulated, source code, trade secret, confidential, privileged, and export-controlled data.

Evidence: Owner / date / evidence

Input, upload, connector, and retrieval permissions reviewed.

Evidence: Owner / date / evidence

Retention, training, logging, and vendor terms reviewed.

Evidence: Owner / date / evidence

DLP/classification/browser controls considered.

Evidence: Owner / date / evidence

Legal/privacy/data owner approval recorded.

Evidence: Owner / date / evidence

User training and exception process defined.

Evidence: Owner / date / evidence

What Completion Looks Like

  • 1Required inputs complete.
  • 2Action owners assigned.
  • 3Evidence retained.
  • 4Related risk/control/procedure linked.
  • 5Review cadence established.

Insider Risk Capability Framework™ (IRCF™) Alignment

Programmatic RelevanceProvides concrete, reusable structure for insider risk management work.
Non-legal-advice Compliance NoteThis resource is a planning aid and does not provide legal advice. Organizations should adapt it to their policies, jurisdictions, labor obligations, privacy requirements, contracts, and risk appetite. Sensitive monitoring, investigation, employment, evidence, legal hold, and employee-data activities should be reviewed by appropriate Legal, Privacy, HR, Compliance, and labor stakeholders before use.

Operationalize This Template in RiskTKO®

Use RiskTKO® or request ITMG® support to adapt this template, align it to the Insider Risk Capability Framework™, and connect the output to measurable exposure reduction. Shadow AI Discovery Checklist