There is no shortage of AI governance frameworks. OWASP has the LLM Top 10. NIST has the AI RMF. ISACA has its AI Audit Toolkit. The EU AI Act carves its own taxonomy. ISO 42001 adds another layer. Each one is legitimate, well-considered, and useful in context.
The problem practitioners face is not that these frameworks exist. It is that they exist separately — in different documents, with different taxonomies, mapped to different audiences, producing different audit artefacts. When you sit down to assess an AI application or build a governance programme, you are expected to mentally synthesise them yourself.
This post introduces a free, practitioner-built reference workbook designed to solve exactly that problem — and explains why we think it belongs in your standard toolkit alongside your policy templates and risk registers.
Ready to download? The workbook is available free — no registration required — from the GRCAIHub Tools section.
What the Workbook Contains
The AI Security Controls Reference is a structured Excel workbook with five tabs:
- OWASP LLM Top 10 (2025) — all ten controls from the industry’s most widely adopted AI application vulnerability taxonomy, expanded with audit questions, remediation guidance, and automation method classification
- ISACA AI Controls — twenty controls drawn from ISACA’s AI audit and governance guidance, spanning AI policy, data governance, model risk management, lifecycle controls, monitoring, vendor risk, and human oversight
- Internal Guardrails — twenty practitioner-derived controls covering the gaps that formal frameworks often underspecify: input sanitisation, API key management, shadow AI detection, agentic risk, and rate limiting
- Common Controls — ten cross-framework controls that appear across all three, representing the highest-priority, most-validated set of requirements for any AI governance programme
Every control entry includes a control ID, name, category, severity rating, description, specific audit questions, remediation guidance, and an automation method classification, which indicates whether the control can be assessed via code scanning, live API probing, document analysis, or infrastructure review, or whether it genuinely requires human judgment.
Why a Spreadsheet, and Why This One
There is a reasonable question here. We live in a world of GRC platforms, policy management tools, and compliance dashboards. Why does a spreadsheet matter?
A few reasons — and they are reasons practitioners have articulated to us repeatedly.
Accessibility. Not every organisation has a GRC platform, and not every practitioner has access to the one their organisation does have. A spreadsheet opens in Excel, Google Sheets, or LibreOffice. It requires no licence, no login, no integration. It is the most universally accessible format in the enterprise world.
Adaptability. A GRC platform enforces its own data model. A spreadsheet is yours to adapt. You can add a column for control owner, map controls to your internal systems, filter by severity, add your own evidence links, or extend the framework coverage to include NIST AI RMF or ISO 42001 controls. It is a starting point, not a constraint.
Auditability. When an internal or external auditor asks to see your control framework, you can hand them a file they can open. When a CISO asks for a status update, you can filter to Critical and High failures and share a clean view in thirty seconds. This kind of low-friction evidence sharing matters in real-world governance work.
Portability across contexts. The same workbook works for a startup building its first AI governance programme, a mid-size enterprise preparing for an AI audit, a consultancy assessing a client’s AI posture, and a security engineer trying to explain their test findings to a governance audience. The format does not presuppose any particular role or maturity level.
The Cross-Framework View Is the Most Valuable Part
If there is one thing that distinguishes this workbook from simply downloading the OWASP LLM Top 10 PDF and the ISACA AI Audit Toolkit separately, it is the Common Controls tab.
The ten controls it contains are those where all three frameworks converge — which means they are simultaneously the most cross-validated requirements and, practically speaking, the highest-priority ones to implement first. If you are building an AI governance programme under time or resource pressure, the Common Controls tab is your starting roadmap.
Practical Use Cases
- Building a governance programme from scratch. Use the workbook to define your initial control set. Start with the Common Controls as your baseline. Layer in framework-specific controls based on your regulatory context: ISACA-heavy for organisations in regulated industries, OWASP-heavy for product and engineering teams building AI applications. Use the severity ratings to prioritise implementation.
- Preparing for an AI audit. Map each control to your existing evidence: policies, code review outputs, vendor agreements, training records. The workbook’s structure mirrors what an auditor will want to see: for each control, what is the requirement, what is the evidence, and what is the status.
- Running a security assessment of an AI application. The workbook pairs directly with code-level and live API testing. The OWASP tab maps to specific attack surfaces you can test: prompt injection, output handling, excessive agency, system prompt leakage. The automation method column tells you which controls can be tested programmatically and which require manual review or document analysis.
- Communicating with non-technical stakeholders. The workbook is structured to support translation across audiences. The governance-oriented ISACA controls speak directly to board and executive concerns. The technical OWASP and Internal Guardrails controls speak to engineering and security teams. A single workbook can anchor conversations across all of them.
- Vendor and third-party AI risk assessment. Filter to the vendor risk controls across all three frameworks. Use the audit questions as your vendor questionnaire template. Use the remediation guidance as your contract requirements checklist.
What This Is Not
To be clear about scope: this workbook is a reference and governance tool, not a substitute for legal or compliance advice, and not a complete implementation of any of the frameworks it draws from.
Use this workbook as a starting point and a synthesising lens, not as a final word. The goal is to give you a structured, cross-referenced foundation to build on — not to replace the deeper work that sound AI governance requires.
Download and Use
The workbook is available as a free download from the GRCAIHub Tools section. No registration required.
It is designed to be used directly: open it, review the Common Controls tab first, then work through the framework-specific tabs.
We will update the workbook as frameworks evolve — the OWASP LLM Top 10, ISACA guidance, and the regulatory landscape are all moving, and static documents go stale. If you identify gaps, mapping errors, or new controls worth incorporating, reach us at [email protected].
A Note on Why We Built This
GRCAIHub exists because AI governance is genuinely hard, and the resources practitioners need to do it well are scattered across framework documents, academic papers, vendor white papers, and conference presentations — often behind paywalls, often written for audiences other than the people who have to actually implement the controls.
A cross-framework controls reference that is free, format-agnostic, and built by practitioners for practitioners is one of the more direct things we can contribute to making that work easier. This workbook is part of that effort.
If it is useful, share it. If something important is missing, tell us.
The AI Security Controls Reference workbook is available free of charge from GRCAIHub Tools. Control coverage includes OWASP LLM Top 10 (2025), ISACA AI Audit Controls, and practitioner-derived Internal Guardrails across 50 controls and a synthesised Common Controls set.