
Controls Quick Reference (One‑Pager)

AI Safety Pack Component

PeopleSafetyLab|February 24, 2026|4 min read|intermediate


Version: v1.0

A single‑page lookup for control IDs, owners, and minimum evidence.

| ID | Control | Owner | What to implement | Minimum evidence |
|---|---|---|---|---|
| C‑D1 | Approved tools only for Confidential/Restricted | IT/Sec | Block unapproved; provide alternatives | Approved tools register; exception log |
| C‑D2 | Data classification + AI handling rules | Data Gov | Publish "what can be pasted" guidance | Classification policy; AI addendum |
| C‑D3 | Secrets protection (no keys in prompts) | Engineering | Secret scanning; pre‑commit hooks; rotation | Scan reports; incident tickets |
| C‑A1 | Role‑based access for AI tools | IT | Least privilege; quarterly access review | IAM groups; access review report |
| C‑A2 | Strong auth + device posture | IT/Sec | SSO/MFA; conditional access | IdP config; audit logs |
| C‑V1 | Vendor due diligence checklist | Procurement | Data residency; retention; breach terms | Completed checklist; approvals |
| C‑V2 | IP / licensing review | Legal | Permitted sources; output constraints | Legal memo; guidance |
| C‑L1 | Usage logging for approved tools | IT/Sec | Log access/actions; tag use‑cases | SIEM dashboard; retention config |
| C‑L2 | Audit trail for high‑impact decisions | Business Owner | Store inputs, reviewer, rationale, timestamp | Ticket records; decision logs |
| C‑H1 | Mandatory human review for external outputs | Business Owner | Approval step; no auto‑send | Workflow config; sampled approvals |
| C‑H2 | Prohibit automated HR decisions | HR / Risk | Policy + enforcement; exceptions via EDR | Policy; use‑case register; EDR records |
| C‑H3 | Contestability / appeal path | HR / Legal | Document appeal route; require rationale | Appeals process doc; case reviews |
| C‑H4 | Bias review cadence | HR / Risk | Quarterly bias review + sampling | Bias review report; action tickets |
| C‑Q1 | QA sampling and hallucination monitoring | Support / Risk | Weekly sample; measure + fix | QA reports; corrective action log |
| C‑Q2 | Bias testing for people decisions | HR / Risk | Define fairness metrics; test proxies | Bias test report; remediation log |
| C‑Q3 | Content accuracy + claims review | Comms / Legal | Require source links; fact‑check | Approvals; checklists |
| C‑I1 | AI incident definition + reporting | Risk / Security | Define incident/near‑miss; 24h reporting | Playbook; training slide |
| C‑I2 | Triage, containment, post‑incident review | Security / Comms | Triage steps; vendor notification; postmortem | Incident tickets; postmortems |
| C‑I3 | Kill switch + rollback runbook | Business Owner + Sec | Define triggers; who/how to disable; revert | Kill‑switch runbook; test record |
| C‑G1 | Use‑case approval workflow | Risk Committee | Use‑Case Card; classify via matrix | Use‑case register; exception log |
| C‑G2 | Privacy / DPIA‑style review | Privacy / Legal | Minimization, retention, access review | DPIA (or equivalent); approvals |
| C‑G3 | Exception Decision Record (EDR) | Risk / Legal | Time‑box exceptions; compensating controls | Completed EDR; review reminders |
| C‑T1 | Mandatory AI safety training | HR / Risk | 60–90 min baseline; role add‑ons; refresh | LMS completion; quiz results |
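Control C‑D3 lists secret scanning and pre‑commit hooks as its implementation. The script below is an added example (not code from the PeopleSafetyLab pack) of the minimal scanner that control implies: it flags a few publicly documented credential formats plus high‑entropy values assigned to secret‑looking names, and exits non‑zero on any hit. Run it as a git pre‑commit hook (it scans staged additions) or pipe text to it before that text goes into a prompt. The rule list, the 3.5 bits/char entropy cut‑off and the sample input are assumptions constructed for the example, not values from the page.

```python
"""Secret scanner for control C-D3 (added example, not PeopleSafetyLab code).

Use as a git pre-commit hook (scans staged additions) or pipe text on stdin
to check it before it is pasted into an AI prompt. Exit status 1 on any hit.
"""
import math
import re
import subprocess
import sys

# Assumed rule set: public, well-documented credential formats. Extend with
# the formats the tools in your approved-tools register actually issue.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("slack_token", re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b")),
    ("private_key_block", re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
]

# Generic catch: a secret-looking name assigned a long value, e.g.
# api_key = "...", aws_secret_access_key=..., TOKEN: '...'
ASSIGNMENT = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|passw(?:or)?d)\w*\s*[:=]\s*"
    r"['\"]?([A-Za-z0-9+/=_\-]{16,})['\"]?"
)
ENTROPY_THRESHOLD = 3.5  # bits/char; assumed cut-off between random and prose


def shannon_entropy(value: str) -> float:
    """Shannon entropy in bits per character (0.0 for an empty string)."""
    if not value:
        return 0.0
    n = len(value)
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a six-character prefix so the report does not re-leak the secret."""
    return value[:6] + "..." if len(value) > 6 else "***"


def find_secrets(text: str) -> list:
    """Return (rule_name, line_number, redacted_match) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            for m in pattern.finditer(line):
                findings.append((name, lineno, redact(m.group(0))))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(1)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(("high_entropy_assignment", lineno, redact(value)))
    return findings


def staged_additions() -> str:
    """Added lines of the staged diff, for use as a pre-commit hook."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0"],
        capture_output=True, text=True, check=True,
    ).stdout
    return "\n".join(
        line[1:] for line in diff.splitlines()
        if line.startswith("+") and not line.startswith("+++")
    )


# Constructed sample input; none of these are real credentials.
SAMPLE = "\n".join([
    "# constructed sample for the scanner",
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    'password = "changeme_changeme_changeme"',  # low entropy: not flagged
    "GITHUB_TOKEN=ghp_" + "A" * 36,            # caught by format, not entropy
    "-----BEGIN RSA PRIVATE KEY-----",
])


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else staged_additions()
    hits = find_secrets(text)
    for rule, lineno, snippet in hits:
        print(f"{rule}: line {lineno}: {snippet}", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

Install it as `.git/hooks/pre-commit` (or through the pre‑commit framework) so a commit with a hit is refused; the same `find_secrets` call can gate a prompt‑submission form. On the constructed sample it reports the AWS key ID and the private‑key header by format, the AWS secret by entropy, and the GitHub token by format while leaving the low‑entropy placeholder password alone. Rotation, the third item in C‑D3, is deliberately not automated here: a hit should open the incident ticket the control lists as evidence, and the key should be rotated from there.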

Quick bundles (copy/paste)

External drafted outputs (support/comms):

C‑H1 + C‑L1 + C‑Q1/C‑Q3 + C‑I1

Confidential internal data:

C‑D1 + C‑D2 + C‑A1 + C‑L1

High‑impact decisions:

C‑G1 + C‑L2 (+ often prohibit by default)

Exception with D3 data:

C‑G2 + C‑G3 + C‑D1 + C‑L1 + C‑L2 + C‑I3

PeopleSafetyLab

Independent AI safety research for organisations and families in Saudi Arabia and the GCC. All research is editorially independent. PeopleSafetyLab has no consulting clients and does not conduct paid audits.
