Veladon Resources — Free Templates for CISOs and Compliance Officers

Six practical templates for CISOs and Compliance Officers at regulated mid-market companies (500-2,500 employees) running EU AI Act, ISO 42001, or NIST AI RMF programs in 2026. Lawyer-reviewed, field-tested, and updated for the August 2026 deadline. Join the early-access waitlist to receive the full set.

Policy

Employee ChatGPT Usage Policy Template

A defensible 2026 employee AI usage policy for regulated mid-market companies of 500-2,500 employees. Eight required components: approved AI systems, prohibited data categories, redaction requirement, logging disclosure, disciplinary scaffolding, training mandate, policy review cadence, and regulator framework mapping.

What's inside

  • 18-page Word document with editable clauses, ready for Legal review
  • Approved-AI-systems list covering ChatGPT Enterprise/Plus, Claude Team/Pro, Gemini Workspace, Copilot, GitHub Copilot
  • Two-tier prohibited-data-categories matrix (absolute prohibitions + redaction-required)
  • Logging and employee monitoring disclosure language for EU, NY, CT, DE, IL jurisdictions
  • Graduated disciplinary framework (first violation / second violation / high-severity)
  • Annex mapping every clause to EU AI Act Article 26, ISO 42001 Annex A, NIST AI RMF sub-categories
Format: Word (.docx) + PDF reference copy

For: Head of GRC or CISO writing the first policy or updating a 2024-vintage template to 2026 audit readiness.

Framework: EU AI Act Article 26 · ISO 42001 Annex A.9 · NIST AI RMF GOVERN-1

Checklist

EU AI Act Article 26/50 Readiness Checklist

A 42-item operational readiness checklist for the August 2, 2026 EU AI Act general-application deadline, scoped to deployer obligations under Articles 26 and 50 at 500-2,500 employee scale.

What's inside

  • Article 26(1) usage log infrastructure checklist (12 items)
  • Article 26(2) human oversight documentation checklist (9 items)
  • Article 26(4) GDPR alignment checklist (6 items)
  • Article 26(5) affected-person notification checklist (5 items)
  • Article 50 transparency and generative AI disclosure checklist (7 items)
  • Evidence pack structure matching what Big 4 audit firms have requested in 2026 fieldwork
  • 107-day countdown Gantt template with week-by-week milestones
Format: Excel (.xlsx) with formulas + PDF summary

For: Head of GRC managing the Q2-Q3 2026 EU AI Act readiness sprint with a defined stage-2 audit window.

Framework: EU AI Act Articles 26 & 50

Worksheet

ISO 42001 Annex A Control Mapping Worksheet

An Annex A control mapping worksheet that captures evidence pointers for all nine Annex A categories (A.2 through A.10) across your existing ISO 27001 program, with gap identification for the net-new AI-specific controls.

What's inside

  • Tab for each Annex A control category (A.2 through A.10)
  • Column structure: control ID · control description · evidence pointer · owner · current state · gap · remediation plan
  • Pre-populated crosswalk showing which Annex A controls share evidence with ISO 27001 Annex A (Statement of Applicability bridging)
  • Nine-artifact evidence pack structure aligned to stage 2 audit sampling patterns
  • Gap dashboard summarizing stage 2 audit readiness percentage
Format: Excel (.xlsx) with conditional formatting + PDF reference

For: Organizations pursuing ISO 42001 certification in 2026 alongside existing ISO 27001 certification, looking to reuse 30-40% of existing management system documentation.

Framework: ISO/IEC 42001:2023 Annex A · ISO 27001:2022 Annex A crosswalk

Runbook

Shadow AI Incident Response Runbook

A step-by-step incident response runbook for shadow-AI incidents: suspected sensitive-data outflow to a public LLM, unauthorized AI system access, AI output manipulation, and AI-facilitated data exfiltration.

What's inside

  • Four scenario-specific runbooks (Tier-1 data exposure; unauthorized AI system access; AI output manipulation; AI-facilitated exfiltration)
  • First-60-minutes triage playbook with named decision gates
  • NY DFS Part 500.17 72-hour notification timing checklist
  • EU AI Act Article 26(6) authority cooperation preparation steps
  • HIPAA, PCI-DSS, state breach notification law parallel-obligation triggers
  • Post-incident review template feeding the AIMS continuous-improvement loop
Format: Word (.docx) + flowchart PDF + one-page laminate reference card

For: CISO or Head of InfoSec who needs to extend the existing incident response program to cover AI-specific scenarios before the next tabletop exercise.

Framework: Part 500.17 · EU AI Act Article 26(6) · NIST AI RMF MANAGE-3

Matrix

PII Classification Matrix for AI Contexts

A practical data classification matrix for AI contexts: which sensitive data categories to redact, which to allow, and how to tune the policy engine for regulated-vertical edge cases (healthcare PHI, financial PCI, legal privilege, public-sector FOUO).

What's inside

  • Seven default data categories with classification examples: PII, government IDs, payment data, PHI, customer identifiers, source code and secrets, internal codenames
  • Regulated-vertical extensions: healthcare (HIPAA), financial services (GLBA/PCI), legal (privilege), insurance (NAIC Model Law), public sector (FOUO/CUI)
  • Tuning parameters for false-positive versus false-negative trade-offs by vertical
  • Integration notes for browser-extension DLP, SaaS-connector DLP, and proxy-based DLP architectures
  • Sample custom dictionary entries for customer-facing regulated verticals
Format: Excel (.xlsx) + PDF reference

For: CISO or Head of Data tuning the DLP policy engine for regulated-vertical production rollout at 500-2,500 employee scale.

Framework: NIST AI RMF MEASURE-2 · ISO 42001 Annex A.7

Board deck

CISO Quarterly AI Risk Board-Deck Template

A 14-slide board-deck template for the CISO's quarterly AI risk update to the board of directors or audit committee. Structured for audiences without AI fluency but with fiduciary attention to risk.

What's inside

  • Executive summary slide with three standing metrics (usage volume, redaction events, incident count)
  • Regulatory posture slide (EU AI Act, ISO 42001, NIST RMF, state-level regulation status)
  • Quarter-over-quarter trend slides with narrative annotation
  • Incident register summary with severity breakdown
  • Vendor risk management updates
  • Budget and roadmap slides for forward-looking investment decisions
  • Speaker notes covering board-level Q&A preparation
Format: PowerPoint (.pptx) + Keynote (.key) + editable PDF

For: CISO reporting to the board or audit committee quarterly, or Head of GRC supporting the CISO's board communication.

Framework: NIST AI RMF GOVERN-4 · ISO 42001 Annex A.8

How to request

These resources are free for CISOs, Compliance Officers, Heads of GRC, and Heads of InfoSec at 500-2,500 employee regulated mid-market companies preparing for EU AI Act, ISO 42001, NIST AI RMF, or NY DFS programs. Join the Veladon early-access waitlist and we'll deliver the full set to your work email within 24 hours.
