The incident log
Start here, ideally two to three weeks before you raise anything. Specific documented incidents are the foundation everything else stands on, and they feed the calculator directly. Log every AI error you catch, however small, the moment you catch it; memory flattens details and details are the persuasive part.
| Date | Task | Tool used | What the tool produced | What was wrong | Time to correct (min) | If it had shipped | Caught by | Notes |
|---|---|---|---|---|---|---|---|---|
| 2026-05-12 | Draft client letter | ExampleAI | Letter citing a policy provision | Provision and quote don't exist | 25 | False statement sent to client | Self-review | Second occurrence this month |
The full memo
The expanded version of the guide's short template, structured in the four moves: shared goals, specific risk with evidence, quantification, constructive alternative. Keep it to one page when filled in; attach the incident log rather than narrating it.
TO: [Manager]
FROM: [Name]
RE: [Tool] in [workflow] — findings and a proposal before wider rollout

I support finding efficiencies in [workflow], and I've been using [tool] for [task] for the past [period]. I'm writing because what I've documented suggests we should answer a few questions before expanding its use.

WHAT I'VE FOUND
Over [period], I logged [N] incidents where the tool's output contained errors that would have [consequence] had they shipped (log attached). Correcting them took [total time]. Comparable documented failures at other organizations include [incident from the library, with cost].

WHAT IT COSTS
Counting review and correction time at our rates, plus the expected cost of errors that slip through, the tool currently nets [$X per week / $Y per year] in this workflow. [If negative: the headline time savings are more than consumed.] My inputs are attached; I'd welcome adjustments to the assumptions.

THE OPEN QUESTIONS
1. [Confidentiality/compliance question — e.g., does our vendor agreement prohibit training on inputs? Has counsel/compliance reviewed it?]
2. [Liability question — who verifies and signs off, and what is the procedure when an error reaches a client/court/regulator?]
3. [Client question — do any engagement terms or client expectations restrict or require disclosure of AI use?]

WHAT I PROPOSE
Rather than pausing everything, I suggest we [scoped alternative: restrict the tool to internal, low-stakes tasks / add a named-reviewer checkpoint / run a 30-day measured pilot / hold client-facing use until the questions above are answered in writing]. I'd be glad to run the pilot and report the numbers. Could we revisit the broader rollout on [date] with that data in hand?

Attachments: incident log; cost worksheet
The manager's one-pager
A handout your manager can forward upward without editing. It deliberately frames the issue as risk management rather than opposition, because the person above your manager will read it cold.
ONE PAGE: [TOOL] IN [WORKFLOW] — STATUS AND RECOMMENDATION

THE SITUATION
[Team] has been using [tool] for [task] since [date]. Frontline use has surfaced issues that affect cost, quality, and compliance exposure.

THE NUMBERS (observed, [period])
• Documented errors caught in review: [N]
• Average correction time per task: [X] minutes
• Net weekly impact at loaded rates: [$X] ([positive/negative])
• Errors that reached output despite review: [N]

THE EXPOSURE
• [Confidentiality: what data the tool touches and the vendor's terms]
• [Liability: who owns an AI error that reaches a client/court/regulator]
• [Precedent: one comparable documented incident elsewhere, with cost]

RECOMMENDATION
Continue [low-risk uses]. Hold [high-stakes uses] pending: (1) written answer from [counsel/compliance/IT] on [question]; (2) a defined review-and-sign-off step; (3) a 30-day measured pilot. Review on [date].

PREPARED BY: [Name], [date]. Incident log and cost worksheet available.
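As an added example (not the guide's own calculator, whose formula this page does not reproduce), the script below reads rows in the incident log's table format and derives the four figures the one-pager lists under THE NUMBERS. The loaded rate, task volume, claimed per-task saving, review time, slipped-error cost and the set of reviewer labels counted as internal review are all assumed inputs, and the sample rows are constructed.

```python
from statistics import mean

# Constructed sample rows in the incident log's column order (not real incidents).
LOG_MD = """\
| Date | Task | Tool used | What the tool produced | What was wrong | Time to correct (min) | If it had shipped | Caught by | Notes |
|---|---|---|---|---|---|---|---|---|
| 2026-05-12 | Draft client letter | ExampleAI | Letter citing a policy provision | Provision and quote don't exist | 25 | False statement sent to client | Self-review | Second occurrence this month |
| 2026-05-14 | Summarize contract | ExampleAI | Summary of termination clause | Notice period inverted | 40 | Wrong advice to client | Peer review | |
| 2026-05-19 | Draft client email | ExampleAI | Email stating a filing date | Date off by one week | 10 | Missed deadline | Client | Error reached the client |
"""
MINUTES = "Time to correct (min)"
INTERNAL_REVIEW = {"self-review", "peer review", "named reviewer"}  # assumed labels

def parse_log(md):
    """Parse the markdown incident log into one dict per row, keyed by the header."""
    lines = [l for l in md.splitlines() if l.strip()]
    split = lambda s: [c.strip() for c in s.strip().strip("|").split("|")]
    header = split(lines[0])
    rows = []
    for line in lines[2:]:  # skip the |---| separator row
        cells = split(line)
        if len(cells) != len(header):
            raise ValueError(f"expected {len(header)} columns: {line!r}")
        row = dict(zip(header, cells))
        row[MINUTES] = int(row[MINUTES])
        rows.append(row)
    return rows

def worksheet(rows, weeks, tasks_per_week, claimed_saving_min, review_min,
              loaded_rate_per_hour, slipped_error_cost):
    """Derive the one-pager's THE NUMBERS block. Assumed formula, not the guide's
    calculator: (claimed savings - review time - correction time) at the loaded
    rate, minus the expected cost of errors that reached output despite review."""
    reached = sum(r["Caught by"].lower() not in INTERNAL_REVIEW for r in rows)
    net_minutes = (claimed_saving_min - review_min) * tasks_per_week \
        - sum(r[MINUTES] for r in rows) / weeks
    expected_slip_cost = reached / weeks * slipped_error_cost
    return {
        "documented_errors": len(rows),
        "avg_correction_min": round(mean(r[MINUTES] for r in rows), 1),
        "errors_reached_output": reached,
        "net_weekly_usd": round(net_minutes / 60 * loaded_rate_per_hour - expected_slip_cost, 2),
    }

if __name__ == "__main__":
    numbers = worksheet(parse_log(LOG_MD), weeks=3, tasks_per_week=10, claimed_saving_min=20,
                        review_min=15, loaded_rate_per_hour=150, slipped_error_cost=2000)
    for key, value in numbers.items():
        print(f"{key}: {value}")
```

With the sample inputs the headline saving of 20 minutes per task is consumed by review and correction, and the single error that reached a client drives the weekly figure well below zero.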
The vendor due-diligence checklist
Fifteen questions whose answers should exist in writing before any tool touches confidential, client, or regulated data. "Unknown" answers are findings, not gaps in your argument; put them in the memo as open questions.
VENDOR DUE-DILIGENCE CHECKLIST — [TOOL], [TIER/PLAN]
DATA HANDLING
[ ] 1. Does the vendor train models on our inputs at this tier? Where is that stated in the agreement?
[ ] 2. How long are prompts/outputs retained, and can retention be set to zero or near-zero?
[ ] 3. Where is data processed and stored (region/jurisdiction)?
[ ] 4. Can we delete our data on demand, verifiably?
[ ] 5. Are employees of the vendor or its subprocessors able to view our content (e.g., for abuse review)? Under what conditions?
SECURITY & COMPLIANCE
[ ] 6. Current SOC 2 Type II (or equivalent) report available?
[ ] 7. Encryption in transit and at rest; SSO/access controls supported?
[ ] 8. Will the vendor sign our required agreements (DPA; BAA if PHI; confidentiality terms matching our client obligations)?
[ ] 9. Breach notification terms: timeline, scope, our obligations.
[ ] 10. Subprocessor list available, with change notification?
CONTRACT & OPERATIONS
[ ] 11. Liability and indemnification for vendor-side failures: what is actually covered, and what is capped?
[ ] 12. Does our use here comply with the vendor's own acceptable-use terms (some prohibit legal/medical/high-stakes uses)?
[ ] 13. Export of our data and prompts if we leave (lock-in check).
[ ] 14. Admin controls: can we restrict features, log usage, and audit?
[ ] 15. Who at our organization owns this vendor relationship and reviews it on renewal?
Completed by: [name] Date: [date] Reviewed by: [counsel/IT/compliance]
The scoped-use policy (propose this instead of a ban)
The strongest constructive alternative in the guide is proposing a policy, because almost nobody arrives with one drafted. This is deliberately moderate: it permits low-risk use, gates high-risk use behind named conditions, and schedules its own review. Adjust the tiers to your workplace and hand it to your manager as a starting point.
DRAFT: INTERIM AI USE POLICY — [TEAM/ORGANIZATION]
Version 0.1 — proposed [date] — review scheduled [date + 90 days]

1. PURPOSE
Enable productive use of AI tools while protecting confidential information, work quality, and compliance obligations. This policy is interim and will be revised based on the pilot data it generates.

2. APPROVED TOOLS
Only tools on the approved list ([list]) may be used for work tasks, on the approved tier/plan. Personal accounts may not be used for work.

3. PERMITTED WITHOUT FURTHER APPROVAL (TIER 1)
• Brainstorming, outlining, and learning on non-confidential topics
• Drafting internal documents containing no client, personal, or confidential information
• Editing text the user wrote, where the text contains no restricted information

4. PERMITTED WITH NAMED-REVIEWER SIGN-OFF (TIER 2)
• Client-facing drafts: a designated reviewer verifies all facts, figures, citations, and names before anything leaves the team, and signs the verification
• Summaries of documents we are permitted to process: reviewer spot-checks against the source

5. NOT PERMITTED PENDING WRITTEN CLEARANCE (TIER 3)
• Any input of [client confidential information / PHI / regulated customer data / privileged material] into any AI tool, pending a signed vendor agreement reviewed by [counsel/compliance]
• AI-generated content filed with courts or regulators, pending a defined verification procedure
• Customer-facing automated AI (chatbots), pending security review

6. INCIDENT HANDLING
AI output errors that reach a client, filing, or system are reported to [role] within [24 hours], logged, and reviewed without blame; the log feeds the 90-day policy review.

7. MEASUREMENT
During the interim period, [team] tracks time saved, review time, and error counts for Tier 1–2 uses. The 90-day review expands, narrows, or extends the tiers based on that data.

Proposed by: [name]
Sponsor: [manager]
Review owner: [role]
The order that works
Log for two or three weeks. Run the numbers through the calculator. Pull one or two matching incidents from the library and, if you're in a regulated field, the relevant playbook questions. Then write the memo, bring the one-pager for forwarding, and lead the proposal with the draft policy. The person who shows up with evidence, math, and a ready-made constructive alternative isn't resisting change; they're doing the diligence the rollout skipped.