Toolkit 0 - AI Governance Starter Pack
Evidence-informed scoring across governance, risk, data foundations, system visibility, and lifecycle management - designed for proportionate AI governance you can explain and defend in audit.
Designed to align with ISO/IEC 42001 intent and integrate cleanly with an ISO/IEC 27001-aligned ISMS approach.
ISO-literate by design - consistent scoring discipline and audit-friendly reporting.
Available now
Document-only by design. Decision support only - not certification, audit, or legal advice.
In 10-15 minutes per AI system you will have
- A simple intake front door for AI - one place to capture what the system is, why it exists, and what decision is required
- Ownership prompts you can reuse - so every AI system has an accountable owner before it progresses
- A proportionate decision record - proceed, pause, or reject - with a defensible rationale suitable for internal assurance
- Early visibility of governance exposure signals - so you escalate only when needed
Designed for
- ISO 27001-literate organisations that need a clean governance front door for AI
- GRC, InfoSec, and risk teams dealing with pilots, vendors, and shadow AI use
- Teams under customer assurance or internal audit pressure to evidence control
- Leaders who need proportionate decisions fast without launching a full programme
What this fixes
Most organisations do not have an AI problem. They have a visibility and control problem.
AI shows up through pilots, vendors, and shadow use, and nobody can clearly answer: what is the AI system, who owns it, what is it for, and what decision are we making.
Without an intake front door, governance becomes reactive. This pack gives you one light but structured intake and triage loop so you can record decisions you can stand behind.
With that loop you can:
- standardise intake discipline across teams
- record repeatable decisions with clear rationale
- spot exposure signals earlier rather than later
- escalate to deeper assessment only when justified
It is not a certification, audit, or legal assessment. It supports practical, audit-ready governance in day-to-day use, but does not guarantee certification outcomes.
How it works
Run intake and triage (10-15 minutes per AI system)
- Capture the basics - purpose, users, owner, decision required
- Review governance exposure signals and indicators
- Record an outcome - proceed, pause, or reject - with defensible rationale
- Route to the right next step based on exposure and impact
Typical format:
- One owner-led intake
- Light triage by GRC or InfoSec
Move to Toolkit 1 if:
- signals are elevated or high
- customer assurance questions are increasing
- internal audit or risk committees want a scored baseline and roadmap
- adoption is uneven and you need a structured readiness baseline
Everything included - 8 files
This is a decision support pack designed for immediate adoption. File formats follow the go-live delivery manifest.
- AI Governance Decision Framework (PDF) - Core intake and triage framework to assess an AI use case and route it to the right next step.
- Governance Signals and Indicators (PDF) - Governance exposure signals to identify when an AI use case carries material risk or audit impact.
- Governance Outcome Narratives (PDF) - Reusable outcome narratives for internal assurance and documented proceed, pause or reject decisions.
- How to Use Guide (PDF) - Short walkthrough for applying the pack in day-to-day governance and connecting it to the wider operating model.
- Ecosystem Guidance Map (PDF) - Visual map showing how the starter pack connects into the wider Build Once. Comply Twice. governance spine.
- AI System Intake Record (DOCX) - Editable intake record for capturing the system, purpose, owner, decision context and governance route.
- Decision Framework Summary (PDF) - Read-only summary of the decision framework for quick reference and stakeholder sharing.
- Licence and Use Notice (PDF) - Permitted use, restrictions and IP boundaries for this digital download.
Outputs and evidence you can generate
- An AI system intake record with purpose, owner, users and decision context captured.
- A triage decision using the starter governance framework.
- Governance exposure signals and indicators for early escalation.
- Reusable outcome narratives for proceed, pause or reject decisions.
- A lightweight evidence trail for the Technology & Risk Committee or equivalent governance forum.
- A clear route into Toolkit 1 when a scored readiness baseline is required.
When to move to Toolkit 1
Use Toolkit 1 - AI Readiness Assessment when any of the following are true:
- the use case is elevated or high exposure
- customer assurance questions are increasing
- internal audit or risk committees want a scored baseline and roadmap
- multiple teams are adopting AI unevenly and you need a structured baseline
Licence summary (plain English)
- Free download for internal use
- Outputs may be shared internally for governance and assurance
- Do not resell or redistribute the pack as a commercial method
- We recommend retaining a local copy for your records
When this is not for you
- You want a certification or audit outcome guarantee
- You want technical testing or model validation tooling
- You already run a mature intake front door for AI with consistent decision records
Procurement justification
This free download supports early-stage AI governance triage before larger governance or assurance investment decisions are made.
The pack provides a structured intake and decision record for identifying AI use cases, capturing ownership, recording purpose, and flagging whether a system should proceed, pause, be rejected, or move into a deeper readiness assessment.
The materials can be completed, adapted, stored and maintained internally by governance, risk, information security, compliance, AI, data or internal audit teams. The output is intended to create an initial evidence trail rather than a certification, audit or legal opinion.
This is a free one-off digital download. The supplier does not require access to our AI systems, production environments, confidential data, customer data, source code, internal systems, prompts, models, datasets, internal risk registers or completed evidence.
This free pack is proportionate because it gives our organisation a low-risk way to standardise early AI discovery and escalation before deciding whether a paid assessment or wider governance toolkit is required.
Designed for internal approval and governance workflows.
Frequently asked questions
Is this really free?
Yes. Complete the checkout and you will receive access to the download pack and a receipt for your records.
Do we need to be ISO 27001 certified to use this?
No. It works in any organisation. It is designed to feel familiar to ISO 27001-literate teams because it is evidence-first and decision focused.
Is this a certification, audit, or legal assessment?
No. It supports practical audit-ready governance in day-to-day use, but it is not certification, audit, or legal advice.
How long does it take?
Most teams can complete intake and triage in 10-15 minutes per AI system.
What if we use supplier-provided AI?
You can still apply intake and triage. Supplier AI often increases the need for clarity on ownership, transparency, and controls - which this pack helps surface early.
What should we do if the signals are elevated or high?
Use Toolkit 1 - AI Readiness Assessment to baseline capability and generate a prioritised plan, then progress only as far as risk requires.
Free AI governance intake and triage. If this surfaces gaps, Toolkit 1 provides the structured baseline and 90-day plan.