AI Risk & Privacy Checklist

1. Data sensitivity

Evaluate how critical the information processed by the AI system is.

No personal data

Public or synthetic data with no reference to identifiable individuals.

Personal data (non-sensitive)

Common information like names, business emails, or browsing preferences.

Sensitive data (health, finance, minors, etc.)

Protected information requiring maximum safeguards and strict compliance.

2. User input

The volume and type of data that users upload or write into prompts.

Short prompts only

Simple text interactions limited to a few lines.

Prompts + documents/text snippets

Sending extended texts or portions of documents for analysis or synthesis.

File uploads

Uploading whole files (PDFs, images) that may contain unfiltered data.

3. Output impact

How much weight and what consequences the AI-generated results have in the real world.

Informational only

Output is used only for non-critical consultation or creative support.

Assists decisions

Output guides human choices in professional contexts or operational processes.

Automated actions (writes/executes changes)

AI independently modifies databases, writes code, or sends communications.

4. Human oversight

The level of human control and validation before the AI output is utilized.

Always reviewed by humans

Every single output is verified by a person before any use.

Sometimes reviewed

Partial review, spot checks, or limited to specific use cases only.

No review / fully automated

AI operates independently without direct human filters or approvals.

5. Access control

Who the recipients or users interacting with the AI features are.

Single team

Internal use limited to a small, trusted, and trained group.

Multiple roles/tenants

Extended use across different departments or segregated user groups.

External users/customers

AI is exposed to end users or customers outside the organization's direct control.

6. Logging needs

The level of traceability required to monitor interactions and ensure compliance.

Minimal logs

Monitoring system status and general technical errors is sufficient.

Standard logs

Basic tracking of who uses the system, when, and with what volumes.

Requires audit trail

Immutable recording of every single interaction for legal or regulatory purposes.

7. Model usage

How the AI interacts with other systems or performs technical tasks.

API calls only

The model receives input and returns text, without interacting with other resources.

API + tools/agents

AI can invoke external tools (e.g., calculators, search) to enrich the output.

Agents executing workflows

AI orchestrates complex processes by calling multiple functions in autonomous sequence.

8. Retention

How long input and output data remain stored in the systems.

No retention

Data is deleted immediately after the response is processed.

Short retention (<= 30 days)

Storage limited to the time needed for the session or immediate debugging.

Long retention (> 30 days)

Data archived for historical analysis, model improvement, or contractual obligations.

Recommended safeguards