Templates

Prepare a workflow for review without oversharing.

These templates help teams gather the minimum useful evidence before a scan. They are intentionally practical: enough structure to find risk, not a request for sensitive raw data.

Intake

AI Workflow Intake Checklist

  • Workflow surface, owner, approver, backup owner, and business purpose
  • Trigger, AI/model step, downstream actions, external sends, and system-of-record writes
  • Data classes touched, including customer data, PII/PHI, billing data, credentials, and confidential notes
  • Human approval points, exception path, rollback option, and recent change history
  • Sanitized screenshots, exports, run history, prompt snippets, and provider-setting notes
Evidence

Evidence Pack Outline

  • Workflow inventory and reviewed artifact list
  • Risk score, severity rationale, and critical-control triggers
  • Provider posture notes for OpenAI, Anthropic, Microsoft, or other model layers
  • Findings with evidence, assumptions, remediation steps, and retest criteria
  • Review boundaries, excluded evidence, retention notes, and follow-up owner
Remediation

Remediation Checklist

  • Add approval gates before customer-facing sends or system-of-record writes
  • Reduce broad credentials, unnecessary data exposure, and high-risk AI autonomy
  • Create replayable test cases, failure handling, rollback notes, and support escalation paths
  • Move deterministic steps to scripts, validation rules, lookup tables, or existing app logic when appropriate
  • Record before/after evidence so fixes can be reviewed, retested, and monitored

Evidence boundaries

Useful review starts with constrained evidence.

The initial goal is to understand workflow shape, data exposure, approval gaps, write paths, and audit evidence. Deeper exports or direct integrations can wait until the engagement scope and trust level justify them.

Do not upload raw customer data

Start with sanitized screenshots, redacted exports, workflow descriptions, and representative examples. Keep secrets, tokens, regulated records, and live customer identifiers out of the initial evidence set.

Do not optimize away controls

A cheaper workflow is not better if it removes approval, audit trail, exception handling, or customer-impact review. Cost findings should preserve reliability and safety.

Do not treat a scan as certification

A scan is a practical workflow-risk review and evidence package. It is not a compliance certification, legal opinion, or guarantee that an automation cannot fail.

Next action

Turn the checklist into a focused scan.

Use the preview scanner for a quick read, then start a workflow scan when there is one workflow worth reviewing with evidence, findings, and a remediation plan.