AI Governance Checklist (2026)
Use this as a quarterly pass (monthly if you are in a regulated space). Each item is a yes/no with an owner.
TL;DR: A quarterly AI governance checklist covering inventory completeness, policy currency, vendor DPA status, incident log review, and training refreshes, designed for small teams without a compliance department.
Who should run this checklist
For most small teams, one person owns the quarterly pass. That person does not need to be a compliance specialist; they need enough organizational context to know which tools are in active use, who owns vendor relationships, and where sensitive data lives. Typical owners include the CTO or VP Engineering (for technical and vendor sections), legal counsel (for policy and regulatory deadline sections), or a designated operations lead who coordinates across functions.
If your team has a formal RACI for AI governance, the checklist owner should be the "Accountable" party. The AI governance RACI template maps ownership for each of the five checklist areas if you are setting this up for the first time.
For teams with no prior governance structure: start with inventory. A 30-minute walk through your SaaS billing invoices will surface most of the AI tools in active use. Then cross-reference with team Slack or chat logs: mentions of "Claude," "Copilot," or "ChatGPT" in work channels identify users who may be on personal accounts and therefore outside any contract or DPA.
What each area costs you if skipped
| Checklist area | What goes wrong | Who owns it | Regulation trigger |
|---|---|---|---|
| Inventory and visibility | Shadow AI tools process data without a DPA, which is a GDPR Art. 28 violation | IT / Legal | GDPR, CCPA |
| Policy and people | Employees can't tell what's allowed; incidents go unreported or handled inconsistently | HR / Legal | Varies by sector |
| Technical basics | Secrets leak into external models; vendor trains on confidential content | IT Security | Contract / NDA |
| Vendors and procurement | Vendor uses your data for training without consent; no audit right | Legal / Procurement | GDPR Art. 28, CCPA |
| Review cadence | Policy drifts stale; new tools enter unchecked; bias in AI hiring tools goes undetected between annual audits | Designated owner | Illinois AEDT, CT SB 5 |
Run down the left column first. If any row is unchecked, fix it before moving to the next section; partial compliance in a regulated category does not count.
Start here (5 minutes)
- If you are building from zero, use the AI Policy Starter Kit first, then run this checklist quarterly.
- If you need a one-page baseline policy, copy AI Policy Template for Small Teams.
- If you are choosing new tools, run AI Vendor Due Diligence in 30 Minutes.
- If you need to document your AI tools for EU AI Act Article 70 or Colorado SB 26-189, use the free AI register template.
- If you want to score your overall compliance maturity before starting, use the AI regulatory readiness scorecard.
Inventory and visibility
- We maintain a list of AI tools in active use (approved and shadow).
- Each tool has a named business owner (not only IT).
- We know where data is processed for each vendor (region, subprocessors at high level).
Policy and people
- A written policy covers approved tools, data do-not-paste rules, and human review for high-risk work.
- New hires see the policy in onboarding (link + acknowledgment).
- Managers know how to escalate incidents (wrong paste, leaked prompt, bad output shipped).
Technical basics
- SSO or central billing exists for primary assistants where possible.
- Secrets are blocked from being pasted into unapproved tools (process + optional tooling).
- We reviewed default sharing settings (link sharing, training opt-out if vendor offers it).
Vendors and procurement
- New AI vendors go through the same procurement / security path as other SaaS.
- Contracts mention data use for model training where relevant.
Review cadence
- Monthly: scan for new shadow tools; review top incidents.
- Quarterly: update policy and approved list; rerun checklist.
- After any incident: root cause and one concrete control change.
Small teams win by keeping the checklist short and finishing it, not by adding rows you will never maintain.
A governance programme that completes five items consistently is more defensible than one that lists forty items and completes ten. If regulators or enterprise customers ask for evidence of AI governance, a completed checklist with dated entries and named owners is far more useful than a comprehensive policy document that no one has acted on.
Extended checklist: regulatory deadlines (2026-2027)
The five-area checklist above is your operational baseline. The following items are added for teams operating in regulated sectors or jurisdictions with specific AI obligations. Check which rows apply to your situation and add them to your quarterly pass only if relevant.
Employment and hiring AI
- If you use AI tools to screen, rank, or score job applicants: adverse impact study obtained from the vendor (see EEOC AI hiring guidance 2026)
- Four-fifths rule (80% rule) calculated quarterly on selection data for each AI hiring tool in scope
- If operating in New York City: bias audit completed and published; candidate notification language in job postings (NYC Local Law 144)
- If operating in Illinois: written notice provided before AI video interview analysis (Illinois AI Video Interview Act)
- If operating in Connecticut: disclosure language ready for October 1, 2026 (Connecticut SB 5)
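The four-fifths rule in the hiring rows above compares each group's selection rate with the highest group's rate and treats a ratio below 0.8 as evidence of adverse impact. The following is an added example, not code from the original page: it runs that calculation over constructed selection data for a single AI screening tool. The group labels, the applicant counts, and the 30-applicant minimum group size are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample data (not from the page): per demographic group, how many
# applicants one AI screening tool processed and how many it advanced.
# Group labels are placeholders for whatever categories your audit tracks.
SAMPLE_COUNTS = {
    "group_a": (100, 50),
    "group_b": (80, 30),
    "group_c": (40, 22),
    "group_d": (6, 1),   # deliberately tiny: too small to evaluate reliably
}


def make_records(counts):
    """Expand per-group counts into one (group, advanced) record per applicant,
    the shape selection data usually arrives in from an ATS export."""
    return [(group, i < advanced)
            for group, (total, advanced) in counts.items()
            for i in range(total)]


def selection_rates(records):
    """Return {group: (selection_rate, applicants_in_group)}."""
    totals, selected = Counter(), Counter()
    for group, advanced in records:
        totals[group] += 1
        if advanced:
            selected[group] += 1
    return {g: (selected[g] / totals[g], totals[g]) for g in totals}


def four_fifths_check(records, threshold=0.8, min_group_size=30):
    """Apply the four-fifths (80%) rule from the EEOC Uniform Guidelines.

    impact_ratio = group selection rate / highest group selection rate.
    A ratio below `threshold` flags the group. Groups with fewer than
    `min_group_size` applicants (assumed cutoff) are reported separately:
    small denominators make the ratio swing wildly, so they should not be
    read as a clean pass or fail.
    """
    rates = selection_rates(records)
    evaluable = {g: rate for g, (rate, n) in rates.items() if n >= min_group_size}
    too_small = sorted(g for g in rates if g not in evaluable)
    plain_rates = {g: rate for g, (rate, _) in rates.items()}

    if not evaluable:
        return {"rates": plain_rates, "impact_ratios": {}, "flagged": [],
                "too_small": too_small}

    top_rate = max(evaluable.values())
    if top_rate == 0.0:
        # Nobody advanced in any evaluable group: no disparity to measure.
        impact_ratios = {g: 1.0 for g in evaluable}
    else:
        impact_ratios = {g: rate / top_rate for g, rate in evaluable.items()}

    flagged = sorted(g for g, ratio in impact_ratios.items() if ratio < threshold)
    return {"rates": plain_rates, "impact_ratios": impact_ratios,
            "flagged": flagged, "too_small": too_small}


if __name__ == "__main__":
    result = four_fifths_check(make_records(SAMPLE_COUNTS))
    for group, ratio in sorted(result["impact_ratios"].items()):
        mark = "  <-- below four-fifths" if group in result["flagged"] else ""
        print(f"{group}: rate {result['rates'][group]:.3f}, impact ratio {ratio:.2f}{mark}")
    for group in result["too_small"]:
        print(f"{group}: only {SAMPLE_COUNTS[group][0]} applicants, not evaluated")
```

Run once per tool in scope each quarter and keep the output with the dated checklist entry; a flagged group is the trigger for the vendor adverse-impact conversation, not a conclusion on its own. The small-group handling is the caveat that matters in practice: a team that screens a few dozen applicants a quarter will see ratios jump from 0.6 to 1.2 on a handful of decisions, which is why the example reports those groups instead of flagging them.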
EU AI Act, GPAI providers (August 2, 2026)
- Assessed whether your organization is a GPAI provider under the EU AI Act (self-test)
- If GPAI provider: technical documentation completed (Article 53(1)(a))
- If GPAI provider: training data summary published (Article 53(1)(d))
- If GPAI provider: copyright compliance policy in place (Article 53(1)(c))
Financial services AI (SEC)
- AI tool inventory covers all tools used in investment recommendations, AML/KYC, fraud detection, and order routing
- Written supervisory procedure (WSP) exists for each AI tool in scope
- ADV Part 2A and marketing materials reviewed for AI capability claims, no overstatement
Data protection and vendor DPA status
- Each AI vendor in the tool register has been verified for current DPA status (not just at initial onboarding)
- Sub-processor lists reviewed for each vendor, any new sub-processors flagged for legal review
- For vendors processing EU personal data without a DPA: stop use or escalate to legal immediately
- If deploying generative AI tools for California consumers: reviewed California SB 942 disclosure and detection requirements (August 2026)
- If platform hosts user content including AI-generated images or video: reviewed TAKE IT DOWN Act 48-hour removal obligations (FTC enforcement active May 2026)
- For AI tools used in financial decision-making: reviewed AI risk decisioning governance requirements under FCRA, ECOA, and CFPB guidance
Incident log review
- Incidents from the prior quarter reviewed: prompt leaks, unauthorized tool use, AI-generated errors shipped to users
- Each incident has a root cause note and at least one concrete control change
- If any incident triggered a notification obligation (GDPR Article 33, CCPA): confirm notification was sent within the applicable deadline (72 hours to the supervisory authority under GDPR Article 33; state breach-notification timelines for CCPA-covered data)
How to adapt this checklist for your sector
Healthcare: Add a HIPAA BAA check for every AI vendor that could access PHI, a review of FDA SaMD obligations if using AI-assisted clinical tools, and a check on whether AI-generated clinical content underwent human review before use.
Legal services: Add a client confidentiality review, confirm no client confidential information was pasted into consumer-tier AI tools without a DPA. Review bar ethics guidance in your jurisdiction on AI use in client matters.
Financial services: Add the SEC section above; also check CFPB adverse action notice requirements for any AI tool that influences credit decisions, and FINRA obligations if applicable.
Startups pre-Series A: Focus on the five core areas. The regulatory deadline rows become relevant as soon as you have EU customers, employees in covered jurisdictions, or investors who will ask for a data room.
Frequently asked questions
How often should a small team run an AI governance checklist?
Quarterly for most teams; that matches the pace at which AI tools, vendor terms, and regulations change. If you are in a regulated sector (healthcare, financial services, legal), run it monthly and after any incident. If you are subject to Illinois AEDT or Connecticut SB 5, the annual bias audit clock is separate; add that as a calendar item rather than embedding it in the quarterly pass.
What happens if an employee uses an AI tool that is not on the approved list?
The incident should be logged, not necessarily disciplined on first occurrence, but documented. The manager should review what data was pasted, whether a DPA is needed, and whether the tool should be added to the approved list or blocked. Repeated use after explicit policy acknowledgment is a different matter. The most important thing is that the policy specifies a clear escalation path so employees know reporting is expected, not punished.
Do small teams with fewer than 10 employees need an AI governance checklist?
Yes. GDPR has no headcount threshold for data processor obligations, and CCPA's applicability thresholds are based on revenue and data volume rather than staff count: a 5-person team using a vendor that processes EU personal data needs a DPA regardless of size. The difference is that small teams can run a much shorter checklist and still be meaningfully compliant. This checklist is designed for that context: 5 areas, quarterly cadence, one owner per item.
Which item on this checklist takes the longest to complete?
The vendor and procurement section, by a wide margin. Reviewing DPAs, training data clauses, and subprocessor lists for 3 to 5 AI vendors takes 2 to 4 hours the first time. After the first pass, a 30-minute delta review each quarter is usually sufficient if you use the AI vendor DPA tracker to log current status.
How long does a quarterly pass actually take?
First time through: plan for two to three hours. The inventory section takes longest if you have not previously documented all AI tools in use: pulling billing invoices, checking browser extensions installed on team machines, and asking managers what tools their teams use will surface tools that IT did not formally approve.
After the first pass: the quarterly review takes 30 to 60 minutes for most small teams. The vendor section is the only one that requires active research (checking DPA status, reviewing any vendor policy change announcements from the prior quarter). All other sections are a yes/no scan of controls that either remain in place or have slipped since the last review.
After any incident: run the inventory and technical sections immediately. A prompt leak or unauthorized tool incident usually reveals a gap in at least one of those two areas. The review cadence section should then capture the root cause and the specific control change made in response.
References
- National Institute of Standards and Technology, AI Risk Management Framework (AI RMF 1.0)
- European Parliament and Council, EU AI Act
- OECD, OECD AI Principles
Related Reading
- AI governance guide for small teams
- AI risk assessment for small teams
- AI acceptable use policy template
- AI governance RACI template
- AI regulation deadline calendar 2026, every jurisdiction
- Am I a GPAI provider? 8-question self-test
- AI Governance for Healthcare Startups: HIPAA, HITECH, and the EU AI Act
- AI model cards documentation regulators 2026
- AI incident reporting regulatory obligations 2026
- SOC 2 AI controls audit 2026
- AI governance Q3 review template 2026
- AI compliance program maturity model 2026
