AI Governance Kit
For organisations deploying, procuring, or evaluating AI
Every organisation using AI needs governance — from the five-person firm using ChatGPT to the enterprise rolling out automated decision-making. Without written policies, you're exposed to data leakage through consumer AI tools, unvetted vendors training on your data, and liability for AI-generated errors that reach clients.
This kit gives you the 5 core governance documents you need: rules for staff, a framework for evaluating vendors, tools for assessing impact and documenting models, and an overarching governance structure that ties it all together.
This is more than a set of editable templates. The kit includes practical implementation guidance to help you understand what each document is for, what to customise, who should own it, and how to use it inside your business.
Tiered Guidance — One Kit, Two Depths
Every document contains two tiers of guidance notes so the kit works regardless of your organisation's size and maturity:
BLUE — ALL ORGANISATIONS
Practical implementation guidance. What each section means, why it matters, and how to get it done. If you're an SMB, follow the blue guidance and you'll have a solid governance foundation.
PURPLE — ENTERPRISE / MID-MARKET
Additional depth for organisations seeking alignment with ISO/IEC 42001 (AI Management Systems), the EU AI Act, and the NIST AI Risk Management Framework. Includes specific clause references and mapping guidance. Optional for SMBs, recommended for regulated industries and organisations with international operations.
What's Included
Each listing explains the practical job the document helps you do, from setting staff rules to reviewing vendors and documenting AI systems.
1. AI Acceptable Use Policy
Rules for staff using AI tools in the workplace. Includes an approved tools register table (tool, permitted use, data classification, conditions), mandatory rules for data protection and human oversight, prohibited uses, and incident reporting. The single most important AI governance document — it prevents data leakage and shadow AI use from day one.
2. AI Vendor Risk Assessment
Structured due diligence tool for evaluating AI vendors before onboarding. Six sections covering vendor details, data handling (with explicit questions on model training vs. inference, opt-out rights, and data deletion), model transparency, security and compliance, contractual protections checklist (10 clauses to verify), and risk rating. Addresses the ingestion-vs-training distinction that most vendor assessments miss.
3. AI Impact Assessment Template
Goes beyond a standard PIA to assess fairness, bias, transparency, explainability, safety, and reliability risks specific to AI. Eight sections from system overview through privacy impact, fairness and bias assessment, transparency, safety, risk summary, and approval. Mapped to Australia's AI Ethics Principles with enterprise guidance for EU AI Act Annex III conformity assessment.
4. Model Card Template
Document AI model provenance, training data, performance metrics, known limitations, deployment context, and ethical considerations. Use for models you develop or fine-tune, or supplement a vendor's model card with your deployment-specific information. Based on the Mitchell et al. (2019) framework, referenced by ISO 42001, NIST, and the EU AI Act.
5. AI Governance Framework
The overarching document that ties everything together. Establishes principles (mapped to Australia's AI Ethics Principles), defines roles and responsibilities (from board to individual staff), sets out the AI lifecycle governance process (identification, procurement, deployment, monitoring, decommissioning), introduces the AI Risk Register concept, and maps the current regulatory landscape. Designed to grow with your organisation.
How to use this kit
Start by customising the core documents for your business and AI use. Then use the guidance notes to turn them into a simple approval, review and monitoring process. The goal is not just to create a folder of policies. The goal is to make AI use visible enough to manage.
- Customise the documents for your AI tools, data types, approval points and risk appetite.
- Assign internal owners for acceptable use, vendor review, impact assessment and incident response.
- Set up your AI register so approved tools, use cases and risk ratings are visible.
- Use the guidance notes to choose the right level of depth for your business.
- Review the kit when your AI tools, vendors, data use or legal obligations change.
Who This Is For
- Any organisation using generative AI tools (ChatGPT, Claude, Copilot, Gemini)
- Organisations procuring AI-powered software or services
- Technology teams building or fine-tuning AI models
- Risk, compliance, and privacy teams establishing AI governance
- Boards and executives seeking oversight frameworks
- Organisations preparing for ISO/IEC 42001 certification
Designed for organisations of any size. The tiered guidance means this kit works for a 5-person firm rolling out ChatGPT (follow the blue guidance) and a 500-person enterprise pursuing ISO 42001 (follow the purple guidance). Start where you are and grow into it.
Why governance matters now. Australia's Voluntary AI Safety Standard (2024) sets the direction. ASIC is already asking financial services firms about AI governance. Insurers are beginning to ask about AI risk management in cyber and PI policy renewals. Having a documented governance program is shifting from "nice to have" to "expected."
What this is not
This kit is not a substitute for tailored legal advice, technical AI assurance or model testing. It is a practical implementation resource designed to help you put core AI governance documents in place faster. If your organisation uses high-risk AI, automated decision-making affecting individuals, sensitive data or regulated-sector systems, you may need tailored advice.