Use case
Name the AI-assisted work in plain language. The title should tell a reviewer what staff are trying to accomplish without needing a demo.
- Business purpose: the operational, member, risk, or compliance reason this use case exists.
- Owning department and named owner.
- Current status: proposed, sandbox, approved, restricted, retired.
Tool and vendor
Record the exact tool being used, including whether it is a public AI service, a vendor feature, or a private deployment.
- Tool name, vendor, and version if known.
- Approved-list status and approval date.
- Vendor agreement, retention setting, and review owner.
Data class
Document the highest-risk data that may enter the workflow. If the workflow can operate without confidential or regulated data, say so explicitly.
- Public, internal, confidential, NPI, regulated, or examination-sensitive.
- Whether customer-identifying data is prohibited, restricted, or allowed only in an approved private tool.
- Sanitization rule before any prompt is used.
Human review
Every reusable AI workflow needs a named review point before output is relied on, sent, filed, or shared.
- Reviewer role and backup reviewer.
- Review criteria: accuracy, data handling, regulatory references, tone, and final-use approval.
- Evidence retained: prompt, output, reviewer notation, or ticket reference.
Risk tier and cadence
Assign a risk tier and a review cadence so the inventory remains useful after the first approval conversation.
- Low, medium, high, or blocked with reason.
- Re-review trigger: tool change, policy change, incident, vendor update, or annual cycle.
- Next review date and accountable owner.