AI Risk Register Template for UK SMEs
Free template for documenting AI tools, risk classifications, and governance decisions.
An AI risk register documents every AI tool your organisation uses, its risk classification, what data it accesses, your governance decision, and the review schedule. It's the evidence trail that regulators, insurers, and auditors want to see — and the foundation of practical AI governance.
Template
| Tool | Business Use | Data Accessed | Risk | Status | Mitigation | Owner |
|---|---|---|---|---|---|---|
| ChatGPT Team | Content drafting | Internal docs | Medium | Approved | No client data; Team account (no training) | IT Manager |
| Microsoft Copilot | Email + document assistance | Email, SharePoint | Medium | Approved with conditions | DPA in place; sensitivity labels enforced | IT Manager |
| Grammarly | Writing assistance | Text input | Low | Approved | Business plan; enterprise settings | Ops Lead |
| Otter.ai | Meeting transcription | Audio, meeting content | High | Flagged | Under review — client meetings may contain PII | Compliance |
| Personal ChatGPT | Various (unapproved) | Unknown | High | Prohibited | Use Team account instead; policy briefing issued | All staff |
How to use this template
- Run an AI tools audit to discover all tools in use
- Add each tool to the register with its business use and data access
- Classify risk (low/medium/high) based on data sensitivity and scope
- Record your governance decision (approved/flagged/prohibited)
- Assign an owner and set a review date
- Review quarterly — or when a new tool is discovered
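As an added example (not part of the original template), the procedure above expressed as a small Python audit: it derives a risk class from the "Data Accessed" column, checks each row's governance decision for consistency, and lists tools overdue for their quarterly review. The keyword rules, the 91-day review interval and the sample rows (including one deliberately inconsistent hypothetical tool) are assumptions constructed for this example.

```python
from datetime import date, timedelta

# Assumed classification rules for this example: keywords in "Data Accessed" that push
# a tool into the high or medium band. A real register should tune these to its data map.
HIGH_MARKERS = ("pii", "client", "audio", "unknown")
MEDIUM_MARKERS = ("email", "sharepoint", "internal")
REVIEW_INTERVAL = timedelta(days=91)  # "quarterly" taken as 91 days

def classify_risk(data_accessed: str) -> str:
    """Derive Low/Medium/High from the data a tool touches (step 3 of the procedure)."""
    text = data_accessed.lower()
    if any(m in text for m in HIGH_MARKERS):
        return "High"
    if any(m in text for m in MEDIUM_MARKERS):
        return "Medium"
    return "Low"

def check_row(row: dict) -> list[str]:
    """Governance consistency checks for one register row; an empty list means the row is sound."""
    issues = []
    name = row["tool"]
    if classify_risk(row["data"]) != row["risk"]:
        issues.append(f"{name}: recorded risk {row['risk']} disagrees with data accessed")
    if row["risk"] == "High" and row["status"] == "Approved":
        issues.append(f"{name}: high-risk tool cannot be plainly Approved")
    if row["status"].startswith("Approved") and not row["mitigation"]:
        issues.append(f"{name}: approved tool has no recorded mitigation")
    if not row["owner"]:
        issues.append(f"{name}: no owner assigned")
    return issues

def audit(rows: list[dict], today: date) -> tuple[list[str], list[str]]:
    """Return (consistency issues, tools overdue for their quarterly review)."""
    issues = [i for r in rows for i in check_row(r)]
    overdue = [r["tool"] for r in rows if today - r["last_review"] > REVIEW_INTERVAL]
    return issues, overdue

# Constructed sample register: two rows mirror the template, the third is a deliberately
# inconsistent hypothetical entry so the checks have something to catch.
REGISTER = [
    {"tool": "ChatGPT Team", "data": "Internal docs", "risk": "Medium", "status": "Approved",
     "mitigation": "No client data; Team account (no training)", "owner": "IT Manager",
     "last_review": date(2025, 1, 15)},
    {"tool": "Otter.ai", "data": "Audio, meeting content", "risk": "High", "status": "Flagged",
     "mitigation": "Under review", "owner": "Compliance", "last_review": date(2025, 5, 1)},
    {"tool": "Meeting summariser (hypothetical)", "data": "Client call recordings", "risk": "Medium",
     "status": "Approved", "mitigation": "", "owner": "", "last_review": date(2024, 11, 1)},
]
```

Calling `audit(REGISTER, date(2025, 6, 1))` reports three issues for the hypothetical row (under-classified risk, no mitigation, no owner) and lists ChatGPT Team and the hypothetical tool as overdue for review.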
What is an AI risk register?
A document listing every AI tool, its risk level, data access, and governance decision.
Is it legally required?
Not explicitly in UK law, but expected by the EU AI Act and increasingly by cyber insurers.
How often should I update it?
Quarterly minimum. Update whenever a new tool is discovered or a governance decision changes.