The 1-page register and policy-pack templates
The 1-page shadow-AI register + policy-pack one-pager from every HK$40,000 audit. Editable. Free for newsletter readers.
A short one this Friday. On Wednesday I walked through why Hong Kong banks, insurers, and mid-cap regulated firms are being asked for an AI register they haven't built yet, and what HKMA's 2019 High-level Principles on AI actually require. Today the templates themselves drop, as promised in the Wednesday issue.
Attached are two files:
The 1-page shadow-AI register — the spreadsheet I fill out in the opening 90 minutes of every audit.
The policy-pack one-pager — the single sheet that summarises the 7-page policy document I draft in week two of the engagement.
Both are fully editable and free for newsletter readers only, so feel free to copy either one into your own stack and adapt.
What's in the register template
The register is a 4-column spreadsheet laid out as tool name, user count, data classification, and risk tier. It comes pre-filled with the 15 AI tools that most often show up in Hong Kong mid-cap firms:
ChatGPT, Claude, Perplexity
Microsoft Copilot, Google Gemini
Notion AI, Grammarly, Jasper
Otter, Fireflies
A handful of Chrome extensions that route text to remote models
Delete the rows that don't apply to your firm and add the ones that do, which for most mid-cap firms takes about 20 minutes of the 90-minute session.
The risk-tier column is a simple multiplication, which keeps the scoring defensible rather than subjective: data classification (public, internal, confidential, regulated) multiplied by control gap (from an enterprise tool with SSO and audit logs, through to a free-tier personal account with no visibility).
A regulated-data tool in a personal account scores red. A public-data tool in an enterprise account scores green. The register is designed to be defensible, not clever. An inspector reads it in 30 seconds.
What's in the policy-pack one-pager
The one-pager is a single sheet summarising the 7-page policy document I write in week two of the audit. The full version gets tailored to the firm's regulator and sector. The one-pager is the skeleton. It covers five blocks:
Prohibited uses — the red lines. No customer personal data in free-tier chat windows. No AI-generated regulatory submissions without human sign-off. No Chrome extensions routing text to unknown models.
Permitted uses with controls — what staff can do and the controls that have to be in place for each. Claude Pro for drafting so long as customer data doesn't leave the firm's data-residency perimeter. ChatGPT Enterprise for research, logged centrally. Copilot for internal documents only.
Incident response — who is called first, what gets logged, at what point the DPO (Data Protection Officer) is notified, and the thresholds for regulator notification.
Disclosure requirements — what clients and counterparties are told about AI use in their work.
Training attestation — a simple annual sign-off that every staff member has read the policy.
The whole document is designed to be marked up by a legal team in a single morning rather than rewritten from scratch, which is where most in-house policy projects stall.
How to run the 90 minutes
Block a single 90-minute session with the person who owns IT and the person who owns compliance. Before the session, pull four data sources into one folder.
Browser DNS or proxy logs for the last 30 days, filtered for known AI vendor domains: openai.com, anthropic.com, perplexity.ai, gemini.google.com, copilot.microsoft.com, plus the top 10 Chrome extension domains that route text to remote models. IT can usually pull this in an hour.
SSO login events for the last 90 days. These catch tools already wired into corporate authentication, even if compliance hasn't inventoried them.
Anonymous staff survey sent 48 hours before the session. Five short questions: which AI tool this week, personal or firm account, what data, any approval first, what they would use with free choice. Anonymity matters — named surveys produce sanitised answers.
Expense-report keyword searches for the last quarter: "ChatGPT", "Claude", "Perplexity", "Copilot", "Jasper", "Midjourney", "Otter", "Fireflies".
In the session itself, populate the register row by row in a fixed order: tools first, then user counts, then data classification, then risk tier. Don't debate risk scores to three decimal places.
A register that is 80% right today and actually ships beats a register that sits at 100% right in three months and never leaves a draft folder.
At the end, sign and date the page, put the owner's name at the top, and schedule the next review for 45 days out. The discipline of a recurring date on the calendar is what separates a one-off artifact from an actual governance control.
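As an added illustration of the register section's classification-times-control-gap scoring and of the log-pull step of the 90-minute session (example code, not part of the newsletter or the audit's own tooling): the script below turns constructed proxy log lines into first-pass register rows in the 4-column layout. The domain-to-tool mapping, the numeric scales, the red/amber/green bands and the `<timestamp> <user> <host>` log format are all assumptions; the page gives the formula and the vendor domains but no numbers.

```python
# Vendor domains named in the newsletter; mapping each to a tool name is my assumption.
AI_DOMAINS = {"openai.com": "ChatGPT", "anthropic.com": "Claude", "perplexity.ai": "Perplexity",
              "gemini.google.com": "Google Gemini", "copilot.microsoft.com": "Microsoft Copilot"}
# Numeric scales and bands are my assumption (the page gives the formula but no numbers); bands chosen so regulated+personal is red and public+enterprise is green.
CLASSIFICATION = {"public": 1, "internal": 2, "confidential": 3, "regulated": 4}
CONTROL_GAP = {"enterprise_sso_logged": 1, "enterprise_no_logs": 2, "personal_account": 3}

def domain_matches(host):
    """Return the tool name if host is, or is a subdomain of, a known vendor domain."""
    for domain, tool in AI_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return tool
    return None

def users_per_tool(log_lines):
    """Parse '<timestamp> <user> <host>' lines and count distinct users per tool."""
    users = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:  # skip malformed lines instead of crashing mid-session
            continue
        tool = domain_matches(parts[2])
        if tool:
            users.setdefault(tool, set()).add(parts[1])
    return {tool: len(names) for tool, names in users.items()}

def risk_tier(classification, control_gap):
    """Classification x control gap, banded into red / amber / green."""
    score = CLASSIFICATION[classification] * CONTROL_GAP[control_gap]
    return "red" if score >= 8 else "amber" if score >= 4 else "green"

def build_register(log_lines, session_context):
    """Rows of (tool, user_count, classification, risk_tier); session_context maps tool ->
    (classification, control_gap) as decided in the session, unclassified tools default to internal+personal."""
    rows = []
    for tool, count in sorted(users_per_tool(log_lines).items()):
        cls, gap = session_context.get(tool, ("internal", "personal_account"))
        rows.append((tool, count, cls, risk_tier(cls, gap)))
    return rows

SAMPLE_LOG = [  # constructed sample proxy log (not real traffic): timestamp, user, destination host
    "2025-04-01T09:12:03 alice chat.openai.com",
    "2025-04-01T09:15:44 bob api.openai.com",
    "2025-04-01T10:02:10 carol anthropic.com",
    "2025-04-01T11:30:00 alice chat.openai.com",
    "2025-04-01T12:00:00 dave docs.google.com",
    "2025-04-02T08:45:21 erin gemini.google.com",
    "malformed line",
]
```

Anything the logs surface that nobody in the room can classify lands as amber by default, which is the prompt to put it on the next 45-day review rather than leave it off the page.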
Why I'm giving the templates away
The audit itself is a HK$40,000 fixed-price engagement, which is a deliberate entry point rather than a negotiation. The templates cost nothing and don't require a call.
Most firms reading this newsletter won't become audit clients anyway. You will have internal capacity, a consulting firm already on retainer, or a compliance function that doesn't need an outside architect. That is genuinely fine.
If these two pages help a firm produce a cleaner answer the next time HKMA or SFC asks about AI, that's a good outcome on its own. The readers who look at the templates and realise they need the full audit — with the tailored policy pack, the risk and remediation map, and the governance roadmap — will reach out.
A small number of Q2 audit slots are open. First intake begins 5 May.
How to get the files
Reply to this email with the word MAP and both files arrive within 24 hours, directly from me rather than an automated system. If you want to talk about the full audit engagement, mention that in your reply and I'll include the scoping document.
Stay in touch
LinkedIn: weekly posts on HK regulated AI governance — search Dhruv Jain
X / Twitter: shorter observations from the audit work — @dhruvjainhk
Robossist company page: frameworks and case studies from the wider team
Until the next issue lands in your inbox,
Dhruv.