AI Use Review & Risk Log
A simple cadence and running log for keeping a comms team's AI use governed over time: a quarterly review of policy, tools and standards, plus a standing record of issues, near-misses and decisions.
What it is
The AI Use Review and Risk Log is the mechanism that keeps the rest of your AI governance alive. Principles, a policy and a tool register all decay if nobody revisits them. This template gives you two things: a light, repeatable review you run on a cadence, and a standing log of issues, near-misses and decisions between reviews.
It is deliberately simple. Governance that is heavy does not get done. A thirty-minute quarterly review that actually happens beats a thorough annual audit that keeps slipping. The review checks that your policy still matches the tools in use, that the register is current, that any incidents have been learned from, and that the team is finding the rules workable rather than quietly routing around them.
This is also the spine of an ongoing governance retainer. It turns “keep our AI use in good order” from a vague intention into a scheduled, recorded practice with a clear owner and an audit trail.
When to use it
Use this template when:
- You have an AI policy and tool register and need to keep them current
- You want a standing place to log AI-related issues and decisions
- Leadership wants assurance that AI use is actively managed
- You are running, or buying, an ongoing AI governance retainer and want it structured
Don’t use this template when:
- You have not yet set up the things being reviewed (build your principles, policy and register first)
Inputs needed
- Your current AI Use Policy and AI Tool Register to review against
- Any issues, complaints or near-misses since the last review
- Honest input from the team on what is and is not working
- A named owner and a fixed cadence (quarterly works for most teams)
The template
Part A: The quarterly review
Review date: [Date] Reviewed by: [Names] Period covered: [Dates] Next review: [Date]
1. Policy still fit?
| Check | Yes / No | Action needed |
|---|---|---|
| Does the AI Use Policy still match the tools actually in use? | | |
| Have any new tasks or use cases emerged that the policy does not cover? | | |
| Are the permitted / review / prohibited lists still right? | | |
| Have any external changes (legal, client, regulatory) affected the policy? | | |
2. Tool register current?
| Check | Yes / No | Action needed |
|---|---|---|
| Are all tools in use on the register? | | |
| Any new tools adopted without going through the request route? | | |
| Any tools no longer used that should be removed? | | |
| Any provider changes (terms, data handling, tiers) to reflect? | | |
3. Standards holding?
| Check | Yes / No | Action needed |
|---|---|---|
| Is AI output being verified and reviewed as the policy requires? | | |
| Is disclosure happening where it should? | | |
| Is the team finding the rules workable, or routing around them? | | |
| Any training or refresher needs surfacing? | | |
4. Summary and actions
Overall state of AI governance this quarter: [Healthy / Minor gaps / Needs attention]
| Action | Owner | Due |
|---|---|---|
One-paragraph note for leadership: [A short, plain summary of where AI governance stands and anything they need to know.]
Part B: The running risk and issues log
Logged as things happen, not just at review time. No blame: the point is to learn and adjust.
| Date | Issue / near-miss / decision | Type | What happened | Action taken | Policy or register change? | Owner |
|---|---|---|---|---|---|---|
| | | Issue / Near-miss / Decision | | | Yes / No | |
How to use this log
[A short note: that the running log is filled in as things happen; that the quarterly review reads across it for patterns; and that any change agreed here is reflected back into the policy or register, with their version and date updated.]
AI prompt
Base prompt
I'm running a quarterly AI governance review for a communications team. Help me review and summarise.
Here is the input:
- Current AI Use Policy: [PASTE OR SUMMARISE]
- Current tool register: [PASTE OR SUMMARISE]
- Issues / near-misses this quarter: [LIST, or "none recorded"]
- Team feedback on the rules: [SUMMARISE]
- Any external changes (legal, client, tools): [DESCRIBE]
Please:
1. Identify where the policy or register no longer matches reality
2. Flag any pattern in the issues that suggests a rule, tool or training change
3. Recommend a short, prioritised action list with owners
4. Draft a one-paragraph plain-English summary for leadership on the state of AI governance this quarter
Be direct about gaps. A review that finds nothing wrong every time is not being honest.
Prompt variations
Variation 1: Turn an incident into a learning
An AI-related issue occurred: [DESCRIBE what happened]. Help me log it well. Draft: a neutral, no-blame description; the likely root cause; the immediate action; and whether this points to a change in our policy, our tool register, or training. Keep it short and constructive.
Tips for better AI output:
- Give it the real policy and register, not a description, so it can spot genuine mismatches
- Keep the log no-blame; a log people fear is a log that stays empty
- Always feed agreed changes back into the source documents, or the review achieves nothing
Human review checklist
- It actually happened: the review was run on cadence, not skipped or backdated
- Checked against reality: the policy and register were compared to what the team actually does
- Issues read for patterns: the running log was reviewed for trends, not just filed
- Changes fed back: any agreed change was reflected in the policy or register, with versions updated
- Actions have owners and dates: nothing is left as a vague intention
- Leadership note written: there is a short, honest summary for those who need assurance
- No-blame maintained: incidents are recorded to learn from, not to attribute fault
- Next review booked: the date is set before this one closes
Example output
Quarterly AI Governance Review, Q2 2026, Riverside Comms (illustrative summary)
State: Minor gaps.
Two tools (a transcription app and an image generator) had been adopted without going through the request route; both added to the register, one restricted pending a data check. The policy’s “needs review” list did not cover AI-assisted client reporting, now a common task; rule added. One near-miss logged: an unverified AI statistic reached a draft release but was caught at review; prompted a refresher note on the verification rule. Team reports the rules are workable.
Leadership note: AI governance is in good order with two small fixes made this quarter. The main lesson is that tool adoption is outpacing our request route; we have tightened the reminder and will watch it next quarter.
Note: illustrative. Your review will reflect your own period and findings.
Related templates
- AI Use Policy (Living) - The policy this review keeps current
- AI Tool Register - The register this review keeps current
- AI Use Principles - The stance changes should still ladder up to
- AI Readiness Assessment - Re-run periodically to benchmark progress over time
Want this run for you on a set cadence? Manage Comms With AI provides an ongoing AI governance retainer built around exactly this review.